ASB JUN 2025 Security Patches integration

Integrating_ Google Android Security Bulletin Patches.

Test done: STS r39 TCs Passed

Tracked-On: OAM-132951
Signed-off-by: Alam, SahibeX <sahibex.alam@intel.com>

Author: AlamIntel

aosp_diff/preliminary/art/0008-Ensure-the-dex-use-database-cannot-grow-unboundedly.patch

@@ -0,0 +1,74 @@
+From 5f480e67a165223165eb45cb4893902d4d2fcdf1 Mon Sep 17 00:00:00 2001
+From: Jiakai Zhang <jiakaiz@google.com>
+Date: Tue, 25 Mar 2025 08:33:34 -0700
+Subject: [PATCH] Fix SELinux denial on GMS Core's symlinks to secondary dex
+ files.
+
+Bug: 401662336
+Bug: 391895923
+Test: Presubmit
+Flag: EXEMPT bugfix
+(cherry picked from commit abeeacd902042cb2e4941ad66608f8bc526613d4)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5dabc78c06b506e6b247d557157f4ab05147082b)
+Merged-In: Iaa9a716cfe262897e313b994db92855721e1dfcc
+Change-Id: Iaa9a716cfe262897e313b994db92855721e1dfcc
+---
+ .../com/android/server/art/DexUseManagerLocal.java  | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/libartservice/service/java/com/android/server/art/DexUseManagerLocal.java b/libartservice/service/java/com/android/server/art/DexUseManagerLocal.java
+index c154cd0402..b7b42caeed 100644
+--- a/libartservice/service/java/com/android/server/art/DexUseManagerLocal.java
++++ b/libartservice/service/java/com/android/server/art/DexUseManagerLocal.java
+@@ -67,6 +67,7 @@ import java.io.OutputStream;
+ import java.lang.annotation.Retention;
+ import java.lang.annotation.RetentionPolicy;
+ import java.nio.file.Files;
++import java.nio.file.LinkOption;
+ import java.nio.file.StandardCopyOption;
+ import java.util.ArrayList;
+ import java.util.Collections;
+@@ -116,10 +117,8 @@ public class DexUseManagerLocal {
+     // Impose a limit on the input accepted by notifyDexContainersLoaded per owning package.
+     /** @hide */
+     @VisibleForTesting public static final int MAX_PATH_LENGTH = 4096;
+-
+     /** @hide */
+     @VisibleForTesting public static final int MAX_CLASS_LOADER_CONTEXT_LENGTH = 10000;
+-
+     /** @hide */
+     private static final int MAX_SECONDARY_DEX_FILES_PER_OWNER = 500;
+ 
+@@ -669,14 +668,18 @@ public class DexUseManagerLocal {
+             @NonNull String classLoaderContext, @NonNull String abiName, long lastUsedAtMs) {
+         DexLoader loader = DexLoader.create(loadingPackageName, isolatedProcess);
+         // This is to avoid a loading package from using up the SecondaryDexUse entries for another
+-        // package (up to the MAX_SECONDARY_DEX_FILES_PER_OWNER limit). We don't care about the
+-        // loading package messing up its own SecondaryDexUse entries.
++        // package (up to the MAX_SECONDARY_DEX_FILES_PER_OWNER limit).
+         // Note that we are using system_server's permission to check the existence. This is fine
+         // with the assumption that the file must be world readable to be used by other apps.
+         // We could use artd's permission to check the existence, and then there wouldn't be any
+         // permission issue, but that requires bringing up the artd service, which may be too
+         // expensive.
+         // TODO(jiakaiz): Check if the assumption is true.
++        // This doesn't apply to secondary dex files that aren't used by other apps, but we
++        // don't care about the loading package messing up its own SecondaryDexUse
++        // entries.
++        // Also note that the check doesn't follow symlinks because GMSCore creates symlinks to
++        // its secondary dex files, while system_server doesn't have the permission to follow them.
+         if (isLoaderOtherApp(loader, owningPackageName) && !mInjector.pathExists(dexPath)) {
+             AsLog.w("Not recording non-existent secondary dex file '" + dexPath + "'");
+             return;
+@@ -1400,7 +1403,7 @@ public class DexUseManagerLocal {
+         }
+ 
+         public boolean pathExists(String path) {
+-            return new File(path).exists();
++            return Files.exists(Paths.get(path), LinkOption.NOFOLLOW_LINKS);
+         }
+ 
+         @NonNull
+-- 
+2.34.1
+

aosp_diff/preliminary/art/0009-Fix-SELinux-denial-on-GMS-Core-s-symlinks-to-seconda.patch

@@ -0,0 +1,133 @@
+From 9bc398ef01ce6b12b076d32cce37786ca37c1b3a Mon Sep 17 00:00:00 2001
+From: Jiakai Zhang <jiakaiz@google.com>
+Date: Tue, 25 Mar 2025 08:38:55 -0700
+Subject: [PATCH] Omit file existence check on notifyDexContainersLoaded.
+
+This is due to sepolicy restrictions on some platforms.
+
+Bug: 401662336
+Bug: 391895923
+Test: atest ArtServiceTests
+Test: app-debug.apk in b/391895923#comment3
+Flag: EXEMPT bugfix
+(cherry picked from commit d62d66437f3b322f202c314672fbaf810fde7142)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:39334253c58dedcd928ef5431ad3618b11b02edc)
+Merged-In: Ib6d878a678ddafd02fb48d92ddfbabdfd6f4f14e
+Change-Id: Ib6d878a678ddafd02fb48d92ddfbabdfd6f4f14e
+---
+ .../server/art/DexUseManagerLocal.java        | 22 -------------
+ .../android/server/art/DexUseManagerTest.java | 33 +------------------
+ 2 files changed, 1 insertion(+), 54 deletions(-)
+
+diff --git a/libartservice/service/java/com/android/server/art/DexUseManagerLocal.java b/libartservice/service/java/com/android/server/art/DexUseManagerLocal.java
+index b7b42caeed..1bdf31e80a 100644
+--- a/libartservice/service/java/com/android/server/art/DexUseManagerLocal.java
++++ b/libartservice/service/java/com/android/server/art/DexUseManagerLocal.java
+@@ -67,7 +67,6 @@ import java.io.OutputStream;
+ import java.lang.annotation.Retention;
+ import java.lang.annotation.RetentionPolicy;
+ import java.nio.file.Files;
+-import java.nio.file.LinkOption;
+ import java.nio.file.StandardCopyOption;
+ import java.util.ArrayList;
+ import java.util.Collections;
+@@ -667,23 +666,6 @@ public class DexUseManagerLocal {
+             @NonNull String loadingPackageName, boolean isolatedProcess,
+             @NonNull String classLoaderContext, @NonNull String abiName, long lastUsedAtMs) {
+         DexLoader loader = DexLoader.create(loadingPackageName, isolatedProcess);
+-        // This is to avoid a loading package from using up the SecondaryDexUse entries for another
+-        // package (up to the MAX_SECONDARY_DEX_FILES_PER_OWNER limit).
+-        // Note that we are using system_server's permission to check the existence. This is fine
+-        // with the assumption that the file must be world readable to be used by other apps.
+-        // We could use artd's permission to check the existence, and then there wouldn't be any
+-        // permission issue, but that requires bringing up the artd service, which may be too
+-        // expensive.
+-        // TODO(jiakaiz): Check if the assumption is true.
+-        // This doesn't apply to secondary dex files that aren't used by other apps, but we
+-        // don't care about the loading package messing up its own SecondaryDexUse
+-        // entries.
+-        // Also note that the check doesn't follow symlinks because GMSCore creates symlinks to
+-        // its secondary dex files, while system_server doesn't have the permission to follow them.
+-        if (isLoaderOtherApp(loader, owningPackageName) && !mInjector.pathExists(dexPath)) {
+-            AsLog.w("Not recording non-existent secondary dex file '" + dexPath + "'");
+-            return;
+-        }
+         synchronized (mLock) {
+             PackageDexUse packageDexUse = mDexUse.mPackageDexUseByOwningPackageName.computeIfAbsent(
+                     owningPackageName, k -> new PackageDexUse());
+@@ -1402,10 +1384,6 @@ public class DexUseManagerLocal {
+             return System.currentTimeMillis();
+         }
+ 
+-        public boolean pathExists(String path) {
+-            return Files.exists(Paths.get(path), LinkOption.NOFOLLOW_LINKS);
+-        }
+-
+         @NonNull
+         public String getFilename() {
+             return FILENAME;
+diff --git a/libartservice/service/javatests/com/android/server/art/DexUseManagerTest.java b/libartservice/service/javatests/com/android/server/art/DexUseManagerTest.java
+index ed4041bdf6..aeddc8b8f7 100644
+--- a/libartservice/service/javatests/com/android/server/art/DexUseManagerTest.java
++++ b/libartservice/service/javatests/com/android/server/art/DexUseManagerTest.java
+@@ -180,7 +180,6 @@ public class DexUseManagerTest {
+ 
+         lenient().when(mInjector.getArtd()).thenReturn(mArtd);
+         lenient().when(mInjector.getCurrentTimeMillis()).thenReturn(0l);
+-        lenient().when(mInjector.pathExists(any())).thenReturn(true);
+         lenient().when(mInjector.getFilename()).thenReturn(mTempFile.getPath());
+         lenient()
+                 .when(mInjector.createScheduledExecutor())
+@@ -909,12 +908,11 @@ public class DexUseManagerTest {
+     }
+ 
+     @Test
+-    public void testExistingExternalSecondaryDexPath() throws Exception {
++    public void testSecondaryDexPath() throws Exception {
+         mMockClock.advanceTime(DexUseManagerLocal.INTERVAL_MS); // Save.
+         long oldFileSize = mTempFile.length();
+ 
+         String existingDexPath = mCeDir + "/foo.apk";
+-        when(mInjector.pathExists(existingDexPath)).thenReturn(true);
+         mDexUseManager.notifyDexContainersLoaded(
+                 mSnapshot, LOADING_PKG_NAME, Map.of(existingDexPath, "PCL[]"));
+ 
+@@ -922,35 +920,6 @@ public class DexUseManagerTest {
+         assertThat(mTempFile.length()).isGreaterThan(oldFileSize);
+     }
+ 
+-    @Test
+-    public void testNonexistingExternalSecondaryDexPath() throws Exception {
+-        mMockClock.advanceTime(DexUseManagerLocal.INTERVAL_MS); // Save.
+-        long oldFileSize = mTempFile.length();
+-
+-        String nonexistingDexPath = mCeDir + "/foo.apk";
+-        when(mInjector.pathExists(nonexistingDexPath)).thenReturn(false);
+-        mDexUseManager.notifyDexContainersLoaded(
+-                mSnapshot, LOADING_PKG_NAME, Map.of(nonexistingDexPath, "PCL[]"));
+-
+-        mMockClock.advanceTime(DexUseManagerLocal.INTERVAL_MS); // Save.
+-        assertThat(mTempFile.length()).isEqualTo(oldFileSize);
+-    }
+-
+-    @Test
+-    public void testInternalSecondaryDexPath() throws Exception {
+-        mMockClock.advanceTime(DexUseManagerLocal.INTERVAL_MS); // Save.
+-        long oldFileSize = mTempFile.length();
+-
+-        String nonexistingDexPath = mCeDir + "/foo.apk";
+-        lenient().when(mInjector.pathExists(nonexistingDexPath)).thenReturn(false);
+-        mDexUseManager.notifyDexContainersLoaded(
+-                mSnapshot, OWNING_PKG_NAME, Map.of(nonexistingDexPath, "PCL[]"));
+-        verify(mArtd, never()).getDexFileVisibility(nonexistingDexPath);
+-
+-        mMockClock.advanceTime(DexUseManagerLocal.INTERVAL_MS); // Save.
+-        assertThat(mTempFile.length()).isGreaterThan(oldFileSize);
+-    }
+-
+     @Test
+     public void testLimitSecondaryDexFiles() throws Exception {
+         for (int n = 0; n < MAX_SECONDARY_DEX_FILES_PER_OWNER_FOR_TESTING - 1; ++n) {
+-- 
+2.34.1
+

aosp_diff/preliminary/art/0010-Omit-file-existence-check-on-notifyDexContainersLoad.patch

@@ -20,7 +20,7 @@ index 4075b588..985e7b01 100644
  name: "RELEASE_PLATFORM_SECURITY_PATCH"
  value: {
 -  string_value: "2025-03-05"
-+  string_value: "2025-05-01"
++  string_value: "2025-06-01"
  }
 -- 
 2.34.1

aosp_diff/preliminary/build/release/0001-Update-RELEASE_PLATFORM_SECURITY_PATCH-string.patch

@@ -0,0 +1,138 @@
+From a5c1d4f8d6d59ec0960b2c13b76431bbbbc61b26 Mon Sep 17 00:00:00 2001
+From: Lajos Molnar <lajos@google.com>
+Date: Wed, 26 Feb 2025 18:16:50 -0800
+Subject: [PATCH] mediandk: clean up AMediaCodec_getInput/OutputBuffer
+ semantics
+
+AMediaCodec_getInputBuffer erroneously considered the
+offset, which could result in a smaller input buffer being
+returned and client confusion. In practice, input
+buffer offset is rarely used.
+
+Similarly, the buffer size returned from
+AMediaCodec_getOutputBuffer included padding after the
+output buffer leading to potential confusion.
+Now the size returned from both AMediaCodec_getOutputBuffer
+and AMediaCodec_dequeueOutputBuffer is correct.
+
+Also removed mentions of non-existing NDK methods
+AMediaCodec_getOutputBuffers and AMediaCodec_getInputBuffers.
+
+Bug: 301470262
+Flag: EXEMPT bugfix
+(cherry picked from commit d69fe7b73a0ed14c2b5bc237f1a42314140c9458)
+Merged-in: I6bbd9b85023aef56a608362afde0662d3df7284a
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:20cca3672f4fbcef3e8dd0cc1a46f585a576ab3c)
+Merged-In: I6bbd9b85023aef56a608362afde0662d3df7284a
+Change-Id: I6bbd9b85023aef56a608362afde0662d3df7284a
+---
+ media/ndk/NdkMediaCodec.cpp             | 21 ++++++++++++++++-----
+ media/ndk/include/media/NdkMediaCodec.h | 15 +++++++++++++--
+ 2 files changed, 29 insertions(+), 7 deletions(-)
+
+diff --git a/media/ndk/NdkMediaCodec.cpp b/media/ndk/NdkMediaCodec.cpp
+index b230df5179..240848096a 100644
+--- a/media/ndk/NdkMediaCodec.cpp
++++ b/media/ndk/NdkMediaCodec.cpp
+@@ -672,7 +672,13 @@ uint8_t* AMediaCodec_getInputBuffer(AMediaCodec *mData, size_t idx, size_t *out_
+         if (out_size != NULL) {
+             *out_size = abuf->capacity();
+         }
+-        return abuf->data();
++
++        // When an input buffer is provided to the application, it is essentially
++        // empty. Ignore its offset as we will set it upon queueInputBuffer.
++        // This actually works as expected as we do not provide visibility of
++        // a potential internal offset to the client, so it is equivalent to
++        // setting the offset to 0 prior to returning the buffer to the client.
++        return abuf->base();
+     }
+ 
+     android::Vector<android::sp<android::MediaCodecBuffer> > abufs;
+@@ -689,7 +695,7 @@ uint8_t* AMediaCodec_getInputBuffer(AMediaCodec *mData, size_t idx, size_t *out_
+         if (out_size != NULL) {
+             *out_size = abufs[idx]->capacity();
+         }
+-        return abufs[idx]->data();
++        return abufs[idx]->base();
+     }
+     ALOGE("couldn't get input buffers");
+     return NULL;
+@@ -704,8 +710,12 @@ uint8_t* AMediaCodec_getOutputBuffer(AMediaCodec *mData, size_t idx, size_t *out
+             return NULL;
+         }
+ 
++        // Note that we do not provide visibility of the internal offset to the
++        // client, but it also does not make sense to provide visibility of the
++        // buffer capacity vs the actual size.
++
+         if (out_size != NULL) {
+-            *out_size = abuf->capacity();
++            *out_size = abuf->size();
+         }
+         return abuf->data();
+     }
+@@ -718,7 +728,7 @@ uint8_t* AMediaCodec_getOutputBuffer(AMediaCodec *mData, size_t idx, size_t *out
+             return NULL;
+         }
+         if (out_size != NULL) {
+-            *out_size = abufs[idx]->capacity();
++            *out_size = abufs[idx]->size();
+         }
+         return abufs[idx]->data();
+     }
+@@ -748,7 +758,8 @@ ssize_t AMediaCodec_dequeueOutputBuffer(AMediaCodec *mData,
+     requestActivityNotification(mData);
+     switch (ret) {
+         case OK:
+-            info->offset = offset;
++            // the output buffer address is already offset in AMediaCodec_getOutputBuffer()
++            info->offset = 0;
+             info->size = size;
+             info->flags = flags;
+             info->presentationTimeUs = presentationTimeUs;
+diff --git a/media/ndk/include/media/NdkMediaCodec.h b/media/ndk/include/media/NdkMediaCodec.h
+index 598beb709d..223d2f890b 100644
+--- a/media/ndk/include/media/NdkMediaCodec.h
++++ b/media/ndk/include/media/NdkMediaCodec.h
+@@ -251,6 +251,11 @@ uint8_t* AMediaCodec_getInputBuffer(AMediaCodec*, size_t idx, size_t *out_size)
+  * dequeueOutputBuffer, and not yet queued.
+  *
+  * Available since API level 21.
++ * <p>
++ * At or before API level 35, the out_size returned was invalid, and instead the
++ * size returned in the AMediaCodecBufferInfo struct from
++ * AMediaCodec_dequeueOutputBuffer() should be used. After API
++ * level 35, this API returns the correct output buffer size as well.
+  */
+ uint8_t* AMediaCodec_getOutputBuffer(AMediaCodec*, size_t idx, size_t *out_size) __INTRODUCED_IN(21);
+ 
+@@ -309,9 +314,16 @@ media_status_t AMediaCodec_queueSecureInputBuffer(AMediaCodec*, size_t idx,
+ #undef _off_t_compat
+ 
+ /**
+- * Get the index of the next available buffer of processed data.
++ * Get the index of the next available buffer of processed data along with the
++ * metadata associated with it.
+  *
+  * Available since API level 21.
++ * <p>
++ * At or before API level 35, the offset in the AMediaCodecBufferInfo struct
++ * was invalid and should be ignored; however, at the same time
++ * the buffer size could only be obtained from this struct. After API
++ * level 35, the offset returned in the struct is always set to 0, and the
++ * buffer size can also be obtained from the AMediaCodec_getOutputBuffer() call.
+  */
+ ssize_t AMediaCodec_dequeueOutputBuffer(AMediaCodec*, AMediaCodecBufferInfo *info,
+         int64_t timeoutUs) __INTRODUCED_IN(21);
+@@ -468,7 +480,6 @@ void AMediaCodec_releaseName(AMediaCodec*, char* name) __INTRODUCED_IN(28);
+ /**
+  * Set an asynchronous callback for actionable AMediaCodec events.
+  * When asynchronous callback is enabled, it is an error for the client to call
+- * AMediaCodec_getInputBuffers(), AMediaCodec_getOutputBuffers(),
+  * AMediaCodec_dequeueInputBuffer() or AMediaCodec_dequeueOutputBuffer().
+  *
+  * AMediaCodec_flush() behaves differently in asynchronous mode.
+-- 
+2.49.0.1077.gc0e912fd4c-goog
+