ASB JAN 2025 Security Patches integration

Integrating Google Android Security Bulletin Patches

Test done: STS r34 All TCs Passed except
2 TCs failed due to Kernel LTS Update requird,
Test: KernelLts Test#testRequiredKernelLts_ENFORCING
      KernelLts Test#testRequiredKernelLts_WARN
Update in upcoming ASB WIP.

Tracked-On: OAM-128659
Signed-off-by: AlamIntel <sahibex.alam@intel.com>

Author: AlamIntel

aosp_diff/preliminary/build/make/04_0004-Update-security_patch_level-string.patch

@@ -20,7 +20,7 @@ index 47bb92c142..2d0ac256a4 100644
      #  It must match one of the Android Security Patch Level strings of the Public Security Bulletins.
      #  If there is no $PLATFORM_SECURITY_PATCH set, keep it empty.
 -      PLATFORM_SECURITY_PATCH := 2022-02-05
-+      PLATFORM_SECURITY_PATCH := 2024-12-01
++      PLATFORM_SECURITY_PATCH := 2025-01-01
  endif
  .KATI_READONLY := PLATFORM_SECURITY_PATCH
 

aosp_diff/preliminary/external/giflib/0001-Fix-potential-overflow-when-calculating-ImageSize.bulletin.patch

@@ -0,0 +1,38 @@
+From bb55328d3074ae0bf3fec0d0dc1a125b6606d813 Mon Sep 17 00:00:00 2001
+From: Sadaf Ebrahimi <sadafebrahimi@google.com>
+Date: Tue, 17 Sep 2024 21:02:42 +0000
+Subject: [PATCH] Fix potential overflow when calculating ImageSize
+
+The modified if statement doesn't check the size of ImageDesc.Width and
+ImageDesc.Height. If ImageDesc.Width and ImageDesc.Height are larger
+than SIZE_MAX, then ImageSize overflows.
+
+Bug: 355461643
+Test: TreeHugger
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:b379176c0987587a9186ac73b9b1fab2655657ae)
+Merged-In: Ieef04e789acf783eda2dff2cd9284ed204f1d117
+Change-Id: Ieef04e789acf783eda2dff2cd9284ed204f1d117
+---
+ dgif_lib.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/dgif_lib.c b/dgif_lib.c
+index 66a1d6a..7b43a6a 100644
+--- a/dgif_lib.c
++++ b/dgif_lib.c
+@@ -1099,8 +1099,10 @@ DGifSlurp(GifFileType *GifFile)
+ 
+               sp = &GifFile->SavedImages[GifFile->ImageCount - 1];
+               /* Allocate memory for the image */
+-              if (sp->ImageDesc.Width < 0 && sp->ImageDesc.Height < 0 &&
+-                      sp->ImageDesc.Width > (INT_MAX / sp->ImageDesc.Height)) {
++              if (sp->ImageDesc.Width <= 0 ||
++                      sp->ImageDesc.Height <= 0 ||
++                      sp->ImageDesc.Width >
++                          (INT_MAX / sp->ImageDesc.Height)) {
+                   return GIF_ERROR;
+               }
+               ImageSize = sp->ImageDesc.Width * sp->ImageDesc.Height;
+-- 
+2.46.1.824.gd892dcdcdd-goog
+

aosp_diff/preliminary/frameworks/base/99_0294-RingtoneManager-verify-default-ringtone-is-audio.bulletin.patch

@@ -0,0 +1,63 @@
+From a934acdf8b2293c8c043cbf194d005808d797e1d Mon Sep 17 00:00:00 2001
+From: Jean-Michel Trivi <jmtrivi@google.com>
+Date: Wed, 7 Dec 2022 04:36:46 +0000
+Subject: [PATCH] RingtoneManager: verify default ringtone is audio
+
+When a ringtone picker tries to set a ringtone through
+RingtoneManager.setActualDefaultRingtoneUri (also
+called by com.android.settings.DefaultRingtonePreference),
+verify the mimeType can be obtained (not found when caller
+doesn't have access to it) and it is an audio resource.
+
+Bug: 205837340
+Test: atest android.media.audio.cts.RingtoneManagerTest
+(cherry picked from commit 38618f9fb16d3b5617e2289354d47abe5af17dad)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a67982c990496d8efded6cc3a7471e30b66dce60)
+Merged-In: I3f2c487ded405c0c1a83ef0a2fe99cff7cc9328e
+Change-Id: I3f2c487ded405c0c1a83ef0a2fe99cff7cc9328e
+---
+ media/java/android/media/RingtoneManager.java | 19 +++++++++++++++++--
+ 1 file changed, 17 insertions(+), 2 deletions(-)
+
+diff --git a/media/java/android/media/RingtoneManager.java b/media/java/android/media/RingtoneManager.java
+index 4ec79b7e085a..8aecf7f17026 100644
+--- a/media/java/android/media/RingtoneManager.java
++++ b/media/java/android/media/RingtoneManager.java
+@@ -802,10 +802,10 @@ public class RingtoneManager {
+ 
+         return ringtoneUri;
+     }
+-    
++
+     /**
+      * Sets the {@link Uri} of the default sound for a given sound type.
+-     * 
++     *
+      * @param context A context used for querying.
+      * @param type The type whose default sound should be set. One of
+      *            {@link #TYPE_RINGTONE}, {@link #TYPE_NOTIFICATION}, or
+@@ -826,6 +826,21 @@ public class RingtoneManager {
+         if(!isInternalRingtoneUri(ringtoneUri)) {
+             ringtoneUri = ContentProvider.maybeAddUserId(ringtoneUri, context.getUserId());
+         }
++
++        if (ringtoneUri != null) {
++            final String mimeType = resolver.getType(ringtoneUri);
++            if (mimeType == null) {
++                Log.e(TAG, "setActualDefaultRingtoneUri for URI:" + ringtoneUri
++                        + " ignored: failure to find mimeType (no access from this context?)");
++                return;
++            }
++            if (!(mimeType.startsWith("audio/") || mimeType.equals("application/ogg"))) {
++                Log.e(TAG, "setActualDefaultRingtoneUri for URI:" + ringtoneUri
++                        + " ignored: associated mimeType:" + mimeType + " is not an audio type");
++                return;
++            }
++        }
++
+         Settings.System.putStringForUser(resolver, setting,
+                 ringtoneUri != null ? ringtoneUri.toString() : null, context.getUserId());
+ 
+-- 
+2.46.1.824.gd892dcdcdd-goog
+

aosp_diff/preliminary/frameworks/base/99_0295-SettingsProvider-verify-ringtone-URI-before-setting.bulletin.patch

@@ -0,0 +1,71 @@
+From 8253d2f95df2c337fee6ecc9bdd5df26db28a57f Mon Sep 17 00:00:00 2001
+From: Songchun Fan <schfan@google.com>
+Date: Mon, 14 Aug 2023 15:24:11 -0700
+Subject: [PATCH] [SettingsProvider] verify ringtone URI before setting
+
+Similar to ag/24422287, but the same URI verification should be done in
+SettingsProvider as well, which can be called by apps via
+Settings.System API or ContentProvider APIs without using
+RingtoneManager.
+
+BUG: 227201030
+Test: manual with a test app. Will add a CTS test.
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:1b234678ec122994ccbfc52ac48aafdad7fdb1ed)
+Merged-In: Ic0ffa1db14b5660d02880b632a7f2ad9e6e5d84b
+Change-Id: Ic0ffa1db14b5660d02880b632a7f2ad9e6e5d84b
+---
+ .../providers/settings/SettingsProvider.java  | 31 +++++++++++++++++++
+ 1 file changed, 31 insertions(+)
+
+diff --git a/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java b/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java
+index 205944c9244c..a1d1f21fd3ec 100644
+--- a/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java
++++ b/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java
+@@ -1886,6 +1886,9 @@ public class SettingsProvider extends ContentProvider {
+             cacheName = Settings.System.ALARM_ALERT_CACHE;
+         }
+         if (cacheName != null) {
++            if (!isValidAudioUri(name, value)) {
++                return false;
++            }
+             final File cacheFile = new File(
+                     getRingtoneCacheDir(owningUserId), cacheName);
+             cacheFile.delete();
+@@ -1918,6 +1921,34 @@ public class SettingsProvider extends ContentProvider {
+         }
+     }
+ 
++    private boolean isValidAudioUri(String name, String uri) {
++        if (uri != null) {
++            Uri audioUri = Uri.parse(uri);
++            if (Settings.AUTHORITY.equals(
++                    ContentProvider.getAuthorityWithoutUserId(audioUri.getAuthority()))) {
++                // Don't accept setting the default uri to self-referential URIs like
++                // Settings.System.DEFAULT_RINGTONE_URI, which is an alias to the value of this
++                // setting.
++                return false;
++            }
++            final String mimeType = getContext().getContentResolver().getType(audioUri);
++            if (mimeType == null) {
++                Slog.e(LOG_TAG,
++                        "mutateSystemSetting for setting: " + name + " URI: " + audioUri
++                        + " ignored: failure to find mimeType (no access from this context?)");
++                return false;
++            }
++            if (!(mimeType.startsWith("audio/") || mimeType.equals("application/ogg")
++                    || mimeType.equals("application/x-flac"))) {
++                Slog.e(LOG_TAG,
++                        "mutateSystemSetting for setting: " + name + " URI: " + audioUri
++                        + " ignored: associated mimeType: " + mimeType + " is not an audio type");
++                return false;
++            }
++        }
++        return true;
++    }
++
+     private boolean hasWriteSecureSettingsPermission() {
+         // Write secure settings is a more protected permission. If caller has it we are good.
+         return getContext().checkCallingOrSelfPermission(Manifest.permission.WRITE_SECURE_SETTINGS)
+-- 
+2.46.1.824.gd892dcdcdd-goog
+

aosp_diff/preliminary/frameworks/base/99_0296-RingtoneManager-allow-video-ringtone-URI.bulletin.patch

@@ -0,0 +1,79 @@
+From 470436ffd49178807af144602f286943f229ab17 Mon Sep 17 00:00:00 2001
+From: Jean-Michel Trivi <jmtrivi@google.com>
+Date: Mon, 24 Jun 2024 17:29:14 -0700
+Subject: [PATCH] RingtoneManager: allow video ringtone URI
+
+When checking the MIME type for the default ringtone, also
+allow it to refer to video content.
+
+Bug: 205837340
+Test: see POC + atest android.media.audio.cts.RingtoneManagerTest
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a8d2785d69314086dc3b5b2531386fefff079ce7)
+Merged-In: Iac9f27f14bae29e0fabc31e05da2357f6f4f16c7
+Change-Id: Iac9f27f14bae29e0fabc31e05da2357f6f4f16c7
+---
+ media/java/android/media/RingtoneManager.java         |  8 ++++++--
+ .../android/providers/settings/SettingsProvider.java  | 11 +++++++----
+ 2 files changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/media/java/android/media/RingtoneManager.java b/media/java/android/media/RingtoneManager.java
+index 8aecf7f17026..2dc6365c2e29 100644
+--- a/media/java/android/media/RingtoneManager.java
++++ b/media/java/android/media/RingtoneManager.java
+@@ -834,9 +834,13 @@ public class RingtoneManager {
+                         + " ignored: failure to find mimeType (no access from this context?)");
+                 return;
+             }
+-            if (!(mimeType.startsWith("audio/") || mimeType.equals("application/ogg"))) {
++            if (!(mimeType.startsWith("audio/") || mimeType.equals("application/ogg")
++                    || mimeType.equals("application/x-flac")
++                    // also check for video ringtones
++                    || mimeType.startsWith("video/") || mimeType.equals("application/mp4"))) {
+                 Log.e(TAG, "setActualDefaultRingtoneUri for URI:" + ringtoneUri
+-                        + " ignored: associated mimeType:" + mimeType + " is not an audio type");
++                        + " ignored: associated MIME type:" + mimeType
++                        + " is not a recognized audio or video type");
+                 return;
+             }
+         }
+diff --git a/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java b/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java
+index a1d1f21fd3ec..303e79662de3 100644
+--- a/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java
++++ b/packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java
+@@ -1886,7 +1886,7 @@ public class SettingsProvider extends ContentProvider {
+             cacheName = Settings.System.ALARM_ALERT_CACHE;
+         }
+         if (cacheName != null) {
+-            if (!isValidAudioUri(name, value)) {
++            if (!isValidMediaUri(name, value)) {
+                 return false;
+             }
+             final File cacheFile = new File(
+@@ -1921,7 +1921,7 @@ public class SettingsProvider extends ContentProvider {
+         }
+     }
+ 
+-    private boolean isValidAudioUri(String name, String uri) {
++    private boolean isValidMediaUri(String name, String uri) {
+         if (uri != null) {
+             Uri audioUri = Uri.parse(uri);
+             if (Settings.AUTHORITY.equals(
+@@ -1939,10 +1939,13 @@ public class SettingsProvider extends ContentProvider {
+                 return false;
+             }
+             if (!(mimeType.startsWith("audio/") || mimeType.equals("application/ogg")
+-                    || mimeType.equals("application/x-flac"))) {
++                    || mimeType.equals("application/x-flac")
++                    // also check for video ringtones
++                    || mimeType.startsWith("video/") || mimeType.equals("application/mp4"))) {
+                 Slog.e(LOG_TAG,
+                         "mutateSystemSetting for setting: " + name + " URI: " + audioUri
+-                        + " ignored: associated mimeType: " + mimeType + " is not an audio type");
++                        + " ignored: associated MIME type: " + mimeType
++                        + " is not a recognized audio or video type");
+                 return false;
+             }
+         }
+-- 
+2.46.1.824.gd892dcdcdd-goog
+

aosp_diff/preliminary/frameworks/base/99_0297-enforce-limits-for-VisualVoicemailSmsFilterSettings-properties.bulletin.patch

@@ -0,0 +1,84 @@
+From 50ed88a3af4455cc903ba2333e20294490d4f868 Mon Sep 17 00:00:00 2001
+From: Thomas Stuart <tjstuart@google.com>
+Date: Thu, 6 Jun 2024 22:36:40 +0000
+Subject: [PATCH] enforce limits for VisualVoicemailSmsFilterSettings
+ properties
+
+- clientPrefix is now limited to 256 characters
+- originatingNumbers is now limited to a list size of 100 and
+  each element is also limited to 256 characters
+
+Bug: 308932906
+Test: CTS
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:71ce82860ab6c072badd935d293fb4ca9d2bb260)
+Merged-In: Id4b4358b141bb211a7e340b979774850b4bd2403
+Change-Id: Id4b4358b141bb211a7e340b979774850b4bd2403
+---
+ .../VisualVoicemailSmsFilterSettings.java     | 27 +++++++++++++++++++
+ 1 file changed, 27 insertions(+)
+
+diff --git a/telephony/java/android/telephony/VisualVoicemailSmsFilterSettings.java b/telephony/java/android/telephony/VisualVoicemailSmsFilterSettings.java
+index eadb726bf63b..2b515c9b5cd1 100644
+--- a/telephony/java/android/telephony/VisualVoicemailSmsFilterSettings.java
++++ b/telephony/java/android/telephony/VisualVoicemailSmsFilterSettings.java
+@@ -64,6 +64,14 @@ public final class VisualVoicemailSmsFilterSettings implements Parcelable {
+      * @hide
+      */
+     public static final int DEFAULT_DESTINATION_PORT = DESTINATION_PORT_ANY;
++    /**
++     * @hide
++     */
++    public static final int MAX_STRING_LENGTH = 256;
++    /**
++     * @hide
++     */
++    public static final int MAX_LIST_SIZE = 100;
+ 
+     /**
+      * Builder class for {@link VisualVoicemailSmsFilterSettings} objects.
+@@ -82,11 +90,16 @@ public final class VisualVoicemailSmsFilterSettings implements Parcelable {
+         /**
+          * Sets the client prefix for the visual voicemail SMS filter. The client prefix will appear
+          * at the start of a visual voicemail SMS message, followed by a colon(:).
++         * @throws IllegalArgumentException if the string length is greater than 256 characters
+          */
+         public Builder setClientPrefix(String clientPrefix) {
+             if (clientPrefix == null) {
+                 throw new IllegalArgumentException("Client prefix cannot be null");
+             }
++            if (clientPrefix.length() > MAX_STRING_LENGTH) {
++                throw new IllegalArgumentException("Client prefix cannot be greater than "
++                        + MAX_STRING_LENGTH + " characters");
++            }
+             mClientPrefix = clientPrefix;
+             return this;
+         }
+@@ -95,11 +108,25 @@ public final class VisualVoicemailSmsFilterSettings implements Parcelable {
+          * Sets the originating number allow list for the visual voicemail SMS filter. If the list
+          * is not null only the SMS messages from a number in the list can be considered as a visual
+          * voicemail SMS. Otherwise, messages from any address will be considered.
++         * @throws IllegalArgumentException if the size of the originatingNumbers list is greater
++         * than 100 elements
++         * @throws IllegalArgumentException if an element within the originatingNumbers list has
++         * a string length greater than 256
+          */
+         public Builder setOriginatingNumbers(List<String> originatingNumbers) {
+             if (originatingNumbers == null) {
+                 throw new IllegalArgumentException("Originating numbers cannot be null");
+             }
++            if (originatingNumbers.size() > MAX_LIST_SIZE) {
++                throw new IllegalArgumentException("The originatingNumbers list size cannot be"
++                        + " greater than " + MAX_STRING_LENGTH + " elements");
++            }
++            for (String num : originatingNumbers) {
++                if (num != null && num.length() > MAX_STRING_LENGTH) {
++                    throw new IllegalArgumentException("Numbers within the originatingNumbers list"
++                            + " cannot be greater than" + MAX_STRING_LENGTH + " characters");
++                }
++            }
+             mOriginatingNumbers = originatingNumbers;
+             return this;
+         }
+-- 
+2.46.1.824.gd892dcdcdd-goog
+