ASB DEC 2024 Security Patches integration

Integrating Google Android Security Bulletin Patches

Test done: STS r33 TCs Passed.

Tracked-On: OAM-127575
Signed-off-by: Alam, Sahibex <sahibex.alam@intel.com>

Author: AlamIntel

aosp_diff/preliminary/build/make/04_0004-Update-security_patch_level-string.patch

@@ -20,7 +20,7 @@ index 47bb92c142..2d0ac256a4 100644
      #  It must match one of the Android Security Patch Level strings of the Public Security Bulletins.
      #  If there is no $PLATFORM_SECURITY_PATCH set, keep it empty.
 -      PLATFORM_SECURITY_PATCH := 2022-02-05
-+      PLATFORM_SECURITY_PATCH := 2024-11-01
++      PLATFORM_SECURITY_PATCH := 2024-12-01
  endif
  .KATI_READONLY := PLATFORM_SECURITY_PATCH
 

aosp_diff/preliminary/external/skia/0002-RESTRICT-AUTOMERGE-Check-for-size-overflow-before-allocating-Sk.bulletin.patch

@@ -0,0 +1,38 @@
+From e4694498da59d8ec84eaa2c02f7a0252b9b95fb8 Mon Sep 17 00:00:00 2001
+From: Brian Osman <brianosman@google.com>
+Date: Thu, 29 Aug 2024 12:47:48 -0400
+Subject: [PATCH] RESTRICT AUTOMERGE: Check for size overflow before allocating
+ SkMask data
+
+Bug: 352631932
+Test: N/A -- not reproducible / speculative fix
+Reviewed-on: https://skia-review.googlesource.com/c/skia/+/894478
+Commit-Queue: Ben Wagner <bungeman@google.com>
+Reviewed-by: Ben Wagner <bungeman@google.com>
+Auto-Submit: Brian Osman <brianosman@google.com>
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:1fa94ff39bee75fe3a4abf061c09b972e2ffd0fa)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:cbf6a5953623cdb0ef200bcba00bc43986b16c91)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:bb52abea2589a46c54822b85a309e4b3f1c83ffb)
+Merged-In: I74c081a7b849f13194ec7807b7a748d1919c1bb2
+Change-Id: I74c081a7b849f13194ec7807b7a748d1919c1bb2
+---
+ src/core/SkBlurMF.cpp | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/core/SkBlurMF.cpp b/src/core/SkBlurMF.cpp
+index 0b8486a587..6e951f7c82 100644
+--- a/src/core/SkBlurMF.cpp
++++ b/src/core/SkBlurMF.cpp
+@@ -175,6 +175,9 @@ static bool prepare_to_draw_into_mask(const SkRect& bounds, SkMask* mask) {
+     mask->fRowBytes = SkAlign4(mask->fBounds.width());
+     mask->fFormat = SkMask::kA8_Format;
+     const size_t size = mask->computeImageSize();
++    if (size == 0) {
++        return false;
++    }
+     mask->fImage = SkMask::AllocImage(size, SkMask::kZeroInit_Alloc);
+     if (nullptr == mask->fImage) {
+         return false;
+-- 
+2.46.1.824.gd892dcdcdd-goog
+

aosp_diff/preliminary/external/skia/0003-Prevent-overflow-when-growing-an-SkRegion-s-RunArray.bulletin.patch

@@ -0,0 +1,38 @@
+From 9e7ebd026b3ed8e676e168d9796b2e37e65f1db8 Mon Sep 17 00:00:00 2001
+From: Brian Osman <brianosman@google.com>
+Date: Thu, 29 Aug 2024 11:52:35 -0400
+Subject: [PATCH] Prevent overflow when growing an SkRegion's RunArray
+
+Bug: 350118416
+Test: N/A -- speculative issue without repro case
+Reviewed-on: https://skia-review.googlesource.com/c/skia/+/894836
+Reviewed-by: Robert Phillips <robertphillips@google.com>
+Commit-Queue: Brian Osman <brianosman@google.com>
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:85802e6d648a7831a26cc856fa5e33da94ed23f0)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c9d1a6c57468cc5e4ab66f7e17d065afd24dee8f)
+Merged-In: Iea27fe62ef97deb8a75e8dae276657d809223b57
+Change-Id: Iea27fe62ef97deb8a75e8dae276657d809223b57
+---
+ src/core/SkRegion.cpp | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/core/SkRegion.cpp b/src/core/SkRegion.cpp
+index 86c38bd5d9..b1ec9f4df8 100644
+--- a/src/core/SkRegion.cpp
++++ b/src/core/SkRegion.cpp
+@@ -52,8 +52,10 @@ public:
+     /** Resize the array to a size greater-than-or-equal-to count. */
+     void resizeToAtLeast(int count) {
+         if (count > fCount) {
+-            // leave at least 50% extra space for future growth.
+-            count += count >> 1;
++            // leave at least 50% extra space for future growth (unless adding would overflow)
++            SkSafeMath safe;
++            int newCount = safe.addInt(count, count >> 1);
++            count = safe ? newCount : SK_MaxS32;
+             fMalloc.realloc(count);
+             if (fPtr == fStack) {
+                 memcpy(fMalloc.get(), fStack, fCount * sizeof(SkRegionPriv::RunType));
+-- 
+2.46.1.824.gd892dcdcdd-goog
+

aosp_diff/preliminary/external/skia/0004-pdf-Bounds-check-in-skia_alloc_func.bulletin.patch

@@ -0,0 +1,51 @@
+From dab962c2e9788fe6515a637158fb562366c3b373 Mon Sep 17 00:00:00 2001
+From: Ben Wagner <bungeman@google.com>
+Date: Mon, 12 Aug 2024 15:00:08 -0400
+Subject: [PATCH] [pdf] Bounds check in skia_alloc_func
+
+The allocator callback for zlib needs to check that items * size will
+fit in size_t and return nullptr if not.
+
+Conflicts:
+- src/pdf/SkDeflate.cpp: just in header includes
+
+Bug: 349678452
+Reviewed-on: https://skia-review.googlesource.com/c/skia/+/888996
+Commit-Queue: Ben Wagner <bungeman@google.com>
+Reviewed-by: Brian Osman <brianosman@google.com>
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:cc72c2e3d4502aee4d8bc558c2b2bf0dd117b609)
+Merged-In: Id1a30592d435bd0de4630e7047f26b0dc17654fc
+Change-Id: Id1a30592d435bd0de4630e7047f26b0dc17654fc
+---
+ src/pdf/SkDeflate.cpp | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/src/pdf/SkDeflate.cpp b/src/pdf/SkDeflate.cpp
+index a8bd667cc0..f243f94b40 100644
+--- a/src/pdf/SkDeflate.cpp
++++ b/src/pdf/SkDeflate.cpp
+@@ -9,6 +9,7 @@
+ 
+ #include "include/core/SkData.h"
+ #include "include/private/SkMalloc.h"
++#include "include/private/SkTFitsIn.h"
+ #include "include/private/SkTo.h"
+ #include "src/core/SkTraceEvent.h"
+ 
+@@ -21,6 +22,13 @@ namespace {
+ // Different zlib implementations use different T.
+ // We've seen size_t and unsigned.
+ template <typename T> void* skia_alloc_func(void*, T items, T size) {
++    if (!SkTFitsIn<size_t>(size)) {
++        return nullptr;
++    }
++    const size_t maxItems = SIZE_MAX / size;
++    if (maxItems < items) {
++        return nullptr;
++    }
+     return sk_calloc_throw(SkToSizeT(items) * SkToSizeT(size));
+ }
+ 
+-- 
+2.46.1.824.gd892dcdcdd-goog
+

aosp_diff/preliminary/frameworks/base/99_0293-Properly-handle-onNullBinding-in-appwidget-service-.bulletin.patch

@@ -0,0 +1,63 @@
+From 05f8bee9974ddd9765c3adb68331875283a8c84c Mon Sep 17 00:00:00 2001
+From: Pinyao Ting <pinyaoting@google.com>
+Date: Thu, 29 Aug 2024 17:01:55 +0000
+Subject: [PATCH] Properly handle onNullBinding() in appwidget service.
+
+Bug: 340239088
+Test: manually verified with the PoC app
+Flag: EXEMPT CVE
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:55fa3c2292f04e41a88ded9e319e9f747335bde9)
+Merged-In: I12fccb572e159a73785aa33a4f5204e094ccd1b7
+Change-Id: I12fccb572e159a73785aa33a4f5204e094ccd1b7
+---
+ core/java/android/widget/RemoteViewsAdapter.java       |  5 +++++
+ .../android/server/appwidget/AppWidgetServiceImpl.java | 10 ++++++++++
+ 2 files changed, 15 insertions(+)
+
+diff --git a/core/java/android/widget/RemoteViewsAdapter.java b/core/java/android/widget/RemoteViewsAdapter.java
+index 6b33428d7fe4..275c57e29f00 100644
+--- a/core/java/android/widget/RemoteViewsAdapter.java
++++ b/core/java/android/widget/RemoteViewsAdapter.java
+@@ -240,6 +240,11 @@ public class RemoteViewsAdapter extends BaseAdapter implements Handler.Callback
+             }
+         }
+ 
++        @Override
++        public void onNullBinding(ComponentName name) {
++            enqueueDeferredUnbindServiceMessage();
++        }
++
+         @Override
+         public void handleMessage(Message msg) {
+             RemoteViewsAdapter adapter = mAdapter.get();
+diff --git a/services/appwidget/java/com/android/server/appwidget/AppWidgetServiceImpl.java b/services/appwidget/java/com/android/server/appwidget/AppWidgetServiceImpl.java
+index f5063ac4a023..61a86560178a 100644
+--- a/services/appwidget/java/com/android/server/appwidget/AppWidgetServiceImpl.java
++++ b/services/appwidget/java/com/android/server/appwidget/AppWidgetServiceImpl.java
+@@ -1776,6 +1776,11 @@ class AppWidgetServiceImpl extends IAppWidgetService.Stub implements WidgetBacku
+                 mContext.unbindService(this);
+             }
+ 
++            @Override
++            public void onNullBinding(ComponentName name) {
++                mContext.unbindService(this);
++            }
++
+             @Override
+             public void onServiceDisconnected(ComponentName name) {
+                 // Do nothing
+@@ -1916,6 +1921,11 @@ class AppWidgetServiceImpl extends IAppWidgetService.Stub implements WidgetBacku
+                                 mContext.unbindService(this);
+                             }
+ 
++                            @Override
++                            public void onNullBinding(ComponentName name) {
++                                mContext.unbindService(this);
++                            }
++
+                             @Override
+                             public void onServiceDisconnected(android.content.ComponentName name) {
+                                 // Do nothing
+-- 
+2.46.1.824.gd892dcdcdd-goog
+

aosp_diff/preliminary/system/bt/59_0059-Fix-OOB-write-in-build_read_multi_rsp-of-gatt_sr-cc.bulletin.patch

@@ -0,0 +1,71 @@
+From 84a756e528cc130227cd4ece378fdc488eee2d34 Mon Sep 17 00:00:00 2001
+From: Brian Delwiche <delwiche@google.com>
+Date: Mon, 8 Jul 2024 22:42:18 +0000
+Subject: [PATCH] Fix OOB write in build_read_multi_rsp of gatt_sr.cc
+
+build_read_multi_rsp is missing a bounds check, which can lead to an
+OOB write when the mtu parameter is set to zero.
+
+Add that bounds check.
+
+Bug: 323850943
+Test: atest GattSrTest
+Test: researcher POC
+Tag: #security
+Flag: EXEMPT trivial validity checks
+Ignore-AOSP-First: Security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c177fdbd6189a114239e11e2713740b5a50624e1)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:54f370dbe213031d60d2c3ef24dff7a119274c96)
+Merged-In: Icc8209aec68873c9821a36c579cd5df05c6ec8b8
+Change-Id: Icc8209aec68873c9821a36c579cd5df05c6ec8b8
+---
+ stack/eatt/eatt.h     | 7 ++++++-
+ stack/gatt/gatt_sr.cc | 7 +++++++
+ 2 files changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/stack/eatt/eatt.h b/stack/eatt/eatt.h
+index 0af2fe3de..31af5cb32 100644
+--- a/stack/eatt/eatt.h
++++ b/stack/eatt/eatt.h
+@@ -23,6 +23,7 @@
+ 
+ #define EATT_MIN_MTU_MPS (64)
+ #define EATT_DEFAULT_MTU (256)
++#define EATT_MAX_TX_MTU (1024)
+ 
+ namespace bluetooth {
+ namespace eatt {
+@@ -91,7 +92,11 @@ class EattChannel {
+     }
+     state_ = state;
+   }
+-  void EattChannelSetTxMTU(uint16_t tx_mtu) { this->tx_mtu_ = tx_mtu; }
++
++  void EattChannelSetTxMTU(uint16_t tx_mtu) {
++    this->tx_mtu_ = std::min<uint16_t>(tx_mtu, EATT_MAX_TX_MTU);
++    this->tx_mtu_ = std::max<uint16_t>(this->tx_mtu_, EATT_MIN_MTU_MPS);
++  }
+ };
+ 
+ /* Interface class */
+diff --git a/stack/gatt/gatt_sr.cc b/stack/gatt/gatt_sr.cc
+index 266dc2895..5a3d4bf33 100644
+--- a/stack/gatt/gatt_sr.cc
++++ b/stack/gatt/gatt_sr.cc
+@@ -142,6 +142,13 @@ static void build_read_multi_rsp(tGATT_SR_CMD* p_cmd, uint16_t mtu) {
+   uint8_t* p;
+   bool is_overflow = false;
+ 
++  // We need at least one extra byte for the opcode
++  if (mtu == 0) {
++    LOG(ERROR) << "Invalid MTU";
++    p_cmd->status = GATT_ILLEGAL_PARAMETER;
++    return;
++  }
++
+   len = sizeof(BT_HDR) + L2CAP_MIN_OFFSET + mtu;
+   BT_HDR* p_buf = (BT_HDR*)osi_calloc(len);
+   p_buf->offset = L2CAP_MIN_OFFSET;
+-- 
+2.46.1.824.gd892dcdcdd-goog
+

aosp_diff/preliminary/system/bt/60_0060-Fix-GATT-Read-Multiple-Variable-Response-builder.bulletin.patch

@@ -0,0 +1,40 @@
+From 2063b807d3a4a54deebf214d7b78c1b4fe521322 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jakub=20Paw=C5=82owski?= <jpawlowski@google.com>
+Date: Thu, 1 Aug 2024 14:12:58 +0000
+Subject: [PATCH] Fix "GATT Read Multiple Variable Response" builder
+
+0 length value is perfectly fine, and should result in just length
+added into the packet.
+Currently, for 0 length value we just break out of loop, and don't add
+any value.
+This means, that if first characetristic in response had 0 length, we
+would return empty packet.
+
+Ignore-AOSP-First: security fix
+Test: mma -j32;
+Bug: 352696105
+Bug: 356886209
+Flag: exempt, obvious logic fix
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:8bca10d5c1121dd8b9945d3777d69f0a0082a00d)
+Merged-In: Ida4f6b566cf9fa40fc5330d8084c29669ccaa608
+Change-Id: Ida4f6b566cf9fa40fc5330d8084c29669ccaa608
+---
+ stack/gatt/gatt_sr.cc | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/stack/gatt/gatt_sr.cc b/stack/gatt/gatt_sr.cc
+index 5a3d4bf33..85b5c9ece 100644
+--- a/stack/gatt/gatt_sr.cc
++++ b/stack/gatt/gatt_sr.cc
+@@ -192,7 +192,7 @@ static void build_read_multi_rsp(tGATT_SR_CMD* p_cmd, uint16_t mtu) {
+ 
+       len = std::min((size_t) p_rsp->attr_value.len, mtu - total_len);
+ 
+-      if (len == 0) {
++      if (total_len == mtu && p_rsp->attr_value.len > 0) {
+         VLOG(1) << "Buffer space not enough for this data item, skipping";
+         break;
+       }
+-- 
+2.46.1.824.gd892dcdcdd-goog
+

aosp_diff/preliminary/system/bt/61_0061-Encrypt-LE-link-immediately-on-reconnection.bulletin.patch

@@ -0,0 +1,46 @@
+From 302c9a223134835b380333cfdb881960eb4652d3 Mon Sep 17 00:00:00 2001
+From: Brian Delwiche <delwiche@google.com>
+Date: Wed, 4 Sep 2024 22:01:58 +0000
+Subject: [PATCH] Encrypt LE link immediately on reconnection
+
+LE link must be encrypted immediately on connection if device are
+already bonded.
+
+This is a backport of ag/29056565, but the code needs to go in a
+different location because that patch relies on recent feature work.
+
+Ignore-AOSP-First: security
+Test: mmm packages/modules/Bluetooth
+Bug: 288144143
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:b580e572383f55a572163639864ee66671670325)
+Merged-In: Ibb6d651fe53835260ecc6d08215b2a3bd235bced
+Change-Id: Ibb6d651fe53835260ecc6d08215b2a3bd235bced
+---
+ stack/acl/btm_acl.cc | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/stack/acl/btm_acl.cc b/stack/acl/btm_acl.cc
+index 62a69870a..c74e68388 100644
+--- a/stack/acl/btm_acl.cc
++++ b/stack/acl/btm_acl.cc
+@@ -1102,6 +1102,17 @@ void StackAclBtmAcl::btm_establish_continue(tACL_CONN* p_acl) {
+                 PRIVATE_ADDRESS(p_acl->RemoteAddress()));
+     }
+     btm_set_link_policy(p_acl, btm_cb.acl_cb_.DefaultLinkPolicy());
++  } else if (p_acl->is_transport_ble()) {
++    tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(p_acl->remote_addr);
++
++    if (p_dev_rec == nullptr) {
++      LOG_WARN("No security record for %s",
++               PRIVATE_ADDRESS(p_acl->RemoteAddress()));
++    } else if (p_dev_rec->is_le_link_key_known()) {
++      btm_ble_set_encryption(
++          p_acl->remote_addr, BTM_BLE_SEC_ENCRYPT,
++          p_dev_rec->role_central ? HCI_ROLE_CENTRAL : HCI_ROLE_PERIPHERAL);
++    }
+   }
+   NotifyAclLinkUp(*p_acl);
+ }
+-- 
+2.46.1.824.gd892dcdcdd-goog
+