ASB-NOV 2024 Security Patches integration

Integrating Google Android Security Bulletin Patches

Test done: STS r32 TCs Passed.

Tracked-On: OAM-126589
Signed-off-by: AlamIntel <sahibex.alam@intel.com>

Author: AlamIntel

aosp_diff/preliminary/build/make/04_0004-Update-security_patch_level-string.patch

@@ -20,7 +20,7 @@ index 47bb92c142..2d0ac256a4 100644
      #  It must match one of the Android Security Patch Level strings of the Public Security Bulletins.
      #  If there is no $PLATFORM_SECURITY_PATCH set, keep it empty.
 -      PLATFORM_SECURITY_PATCH := 2022-02-05
-+      PLATFORM_SECURITY_PATCH := 2024-10-01
++      PLATFORM_SECURITY_PATCH := 2024-11-01
  endif
  .KATI_READONLY := PLATFORM_SECURITY_PATCH
 

aosp_diff/preliminary/external/skia/0001-RESTRICT-AUTOMERGE-Avoid-potential-overflow-when-allocating-3D.patch

@@ -0,0 +1,51 @@
+From def9e324366a15e7e53f092f6d2e4f190dda285e Mon Sep 17 00:00:00 2001
+From: Brian Osman <brianosman@google.com>
+Date: Tue, 27 Aug 2024 14:22:52 -0400
+Subject: [PATCH] RESTRICT AUTOMERGE: Avoid potential overflow when allocating
+ 3D mask from emboss filter
+
+Note: the original fix landed after
+Iac8b937e516dbfbbcefef54360dd5b7300bacb67 introduced SkMaskBuilder, so
+this cherry-pick had to be tweaked to avoid conflicts. Unfortuantely
+that means we need RESTRICT AUTOMERGE to prevent this modified version
+from flowing through API boundaries into VIC, and we need to manually
+cherry-pick it to each API level.
+
+Bug: 344620577
+Test: N/A -- unclear if even reachable
+Reviewed-on: https://skia-review.googlesource.com/c/skia/+/893738
+Commit-Queue: Brian Osman <brianosman@google.com>
+Reviewed-by: Ben Wagner <bungeman@google.com>
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:2bc38734eec777bf2574d4b38a7fd4fc05f0ecde)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:69fc79acf3f05f269c55069ba5e2fbd00e1a76b6)
+Merged-In: Ia35860371d45120baca63238e77faa5c0eb25d51
+Change-Id: Ia35860371d45120baca63238e77faa5c0eb25d51
+---
+ src/effects/SkEmbossMaskFilter.cpp | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/src/effects/SkEmbossMaskFilter.cpp b/src/effects/SkEmbossMaskFilter.cpp
+index 73210a37b4..e465f69d11 100644
+--- a/src/effects/SkEmbossMaskFilter.cpp
++++ b/src/effects/SkEmbossMaskFilter.cpp
+@@ -96,11 +96,13 @@ bool SkEmbossMaskFilter::filterMask(SkMask* dst, const SkMask& src,
+ 
+     {
+         uint8_t* alphaPlane = dst->fImage;
+-        size_t   planeSize = dst->computeImageSize();
+-        if (0 == planeSize) {
+-            return false;   // too big to allocate, abort
++        size_t totalSize = dst->computeTotalImageSize();
++        if (totalSize == 0) {
++            return false;  // too big to allocate, abort
+         }
+-        dst->fImage = SkMask::AllocImage(planeSize * 3);
++        size_t planeSize = dst->computeImageSize();
++        SkASSERT(planeSize != 0);  // if totalSize didn't overflow, this can't either
++        dst->fImage = SkMask::AllocImage(totalSize);
+         memcpy(dst->fImage, alphaPlane, planeSize);
+         SkMask::FreeImage(alphaPlane);
+     }
+-- 
+2.46.1.824.gd892dcdcdd-goog
+

aosp_diff/preliminary/frameworks/base/99_0285-fix-Security-Report-Reveal-images-across-users-via-EditUserPh.bulletin.patch

@@ -0,0 +1,45 @@
+From e7bebdbf60e2a2ebf5db87847d96445f1607997d Mon Sep 17 00:00:00 2001
+From: Anna Bauza <annabauza@google.com>
+Date: Fri, 2 Aug 2024 09:06:32 +0000
+Subject: [PATCH] fix: Security Report - Reveal images across users via
+ EditUserPhotoController
+
+This functionality has implemented tests on t+ branches.
+
+Bug: 296915959
+Test: N/A
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:ae74e70c36ec027dd55164880d8b7225be4c85a3)
+Merged-In: If79af734432b14be74815a47e1026dc8369a304f
+Change-Id: If79af734432b14be74815a47e1026dc8369a304f
+---
+ .../android/settingslib/users/EditUserPhotoController.java | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/packages/SettingsLib/src/com/android/settingslib/users/EditUserPhotoController.java b/packages/SettingsLib/src/com/android/settingslib/users/EditUserPhotoController.java
+index 0c6cd048619c..1c3dea71ad45 100644
+--- a/packages/SettingsLib/src/com/android/settingslib/users/EditUserPhotoController.java
++++ b/packages/SettingsLib/src/com/android/settingslib/users/EditUserPhotoController.java
+@@ -18,6 +18,7 @@ package com.android.settingslib.users;
+ 
+ import android.app.Activity;
+ import android.content.ClipData;
++import android.content.ContentProvider;
+ import android.content.ContentResolver;
+ import android.content.Context;
+ import android.content.Intent;
+@@ -140,6 +141,12 @@ public class EditUserPhotoController {
+             return false;
+         }
+ 
++        final int currentUserId = UserHandle.myUserId();
++        if (currentUserId != ContentProvider.getUserIdFromUri(pictureUri, currentUserId)) {
++            Log.e(TAG, "Invalid pictureUri: " + pictureUri);
++            return false;
++        }
++
+         switch (requestCode) {
+             case REQUEST_CODE_CROP_PHOTO:
+                 onPhotoCropped(pictureUri);
+-- 
+2.46.1.824.gd892dcdcdd-goog
+

aosp_diff/preliminary/frameworks/base/99_0286-Remove-authenticator-data-if-it-was-disabled-.bulletin.patch

@@ -0,0 +1,34 @@
+From 416bf4ce1c373c5389a0072d701d5f0903f3af73 Mon Sep 17 00:00:00 2001
+From: Dmitry Dementyev <dementyev@google.com>
+Date: Tue, 2 Jul 2024 11:02:07 -0700
+Subject: [PATCH] Remove authenticator data if it was disabled.
+
+Test: manual
+Bug: 343440463
+Flag: EXEMPT bugfix
+(cherry picked from commit ddfc078af7e89641360b896f99af23a6b371b847)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c2660dcf7fca3f652528d219767f65858bbbe622)
+Merged-In: I36bd6bf101da03c9c30a6d3c0080b801e7898bc6
+Change-Id: I36bd6bf101da03c9c30a6d3c0080b801e7898bc6
+---
+ .../com/android/server/accounts/AccountManagerService.java    | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/services/core/java/com/android/server/accounts/AccountManagerService.java b/services/core/java/com/android/server/accounts/AccountManagerService.java
+index d55be44f62cd..36ffc40bf5f7 100644
+--- a/services/core/java/com/android/server/accounts/AccountManagerService.java
++++ b/services/core/java/com/android/server/accounts/AccountManagerService.java
+@@ -1171,6 +1171,10 @@ public class AccountManagerService
+                             obsoleteAuthType.add(type);
+                             // And delete it from the TABLE_META
+                             accountsDb.deleteMetaByAuthTypeAndUid(type, uid);
++                        } else if (knownUid != null && knownUid != uid) {
++                            Slog.w(TAG, "authenticator no longer exist for type " + type);
++                            obsoleteAuthType.add(type);
++                            accountsDb.deleteMetaByAuthTypeAndUid(type, uid);
+                         }
+                     }
+                 }
+-- 
+2.46.1.824.gd892dcdcdd-goog
+

aosp_diff/preliminary/frameworks/base/99_0288-Check-more-URIs-in-notifications.bulletin.patch

@@ -0,0 +1,183 @@
+From 3d87913569b4102bbbd3b3542f0d1104e7e3c13a Mon Sep 17 00:00:00 2001
+From: Ioana Alexandru <aioana@google.com>
+Date: Wed, 31 Jul 2024 13:46:30 +0000
+Subject: [PATCH] Check more URIs in notifications
+
+Bug: 281044385
+Test: presubmit + tested in current release
+
+(cherry picked from commit f47b41a138ebd60f7b518fb6a9d8aa8230488422,
+includes changes from commit 57bf60dd7b6a0a0e9785231f8ec25a458fedde64
+and commit 47fa2f79584b0a4e9ca7e9c6b237c4e5cf699032)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:e6ed8a4bef3ec5a2517fc80ac88e2fc09b67c226)
+Merged-In: I1ce6bebd9452466d005505dc5b99a0fdc0e05e80
+Change-Id: I1ce6bebd9452466d005505dc5b99a0fdc0e05e80
+---
+ core/java/android/app/Notification.java   | 32 ++++++++++++-----------
+ core/java/android/app/Person.java         | 17 ++++++++++++
+ core/java/android/widget/RemoteViews.java | 23 ++++++++++++++++
+ 3 files changed, 57 insertions(+), 15 deletions(-)
+
+diff --git a/core/java/android/app/Notification.java b/core/java/android/app/Notification.java
+index ed8c6be73256..3aeb363b627b 100644
+--- a/core/java/android/app/Notification.java
++++ b/core/java/android/app/Notification.java
+@@ -2799,7 +2799,7 @@ public class Notification implements Parcelable
+             ArrayList<Person> people = extras.getParcelableArrayList(EXTRA_PEOPLE_LIST);
+             if (people != null && !people.isEmpty()) {
+                 for (Person p : people) {
+-                    visitor.accept(p.getIconUri());
++                    p.visitUris(visitor);
+                 }
+             }
+ 
+@@ -2818,19 +2818,14 @@ public class Notification implements Parcelable
+             // Notification Listeners might use directly (without the isStyle check).
+             final Person person = extras.getParcelable(EXTRA_MESSAGING_PERSON);
+             if (person != null) {
+-                visitor.accept(person.getIconUri());
++                person.visitUris(visitor);
+             }
+ 
+             final Parcelable[] messages = extras.getParcelableArray(EXTRA_MESSAGES);
+             if (!ArrayUtils.isEmpty(messages)) {
+                 for (MessagingStyle.Message message : MessagingStyle.Message
+                         .getMessagesFromBundleArray(messages)) {
+-                    visitor.accept(message.getDataUri());
+-
+-                    Person senderPerson = message.getSenderPerson();
+-                    if (senderPerson != null) {
+-                        visitor.accept(senderPerson.getIconUri());
+-                    }
++                    message.visitUris(visitor);
+                 }
+             }
+ 
+@@ -2838,12 +2833,7 @@ public class Notification implements Parcelable
+             if (!ArrayUtils.isEmpty(historic)) {
+                 for (MessagingStyle.Message message : MessagingStyle.Message
+                         .getMessagesFromBundleArray(historic)) {
+-                    visitor.accept(message.getDataUri());
+-
+-                    Person senderPerson = message.getSenderPerson();
+-                    if (senderPerson != null) {
+-                        visitor.accept(senderPerson.getIconUri());
+-                    }
++                    message.visitUris(visitor);
+                 }
+             }
+ 
+@@ -2852,7 +2842,7 @@ public class Notification implements Parcelable
+             // Extras for CallStyle (same reason for visiting without checking isStyle).
+             Person callPerson = extras.getParcelable(EXTRA_CALL_PERSON);
+             if (callPerson != null) {
+-                visitor.accept(callPerson.getIconUri());
++                callPerson.visitUris(visitor);
+             }
+             visitIconUri(visitor, extras.getParcelable(EXTRA_VERIFICATION_ICON));
+         }
+@@ -8557,6 +8547,18 @@ public class Notification implements Parcelable
+                 return bundles;
+             }
+ 
++            /**
++             * See {@link Notification#visitUris(Consumer)}.
++             *
++             * @hide
++             */
++            public void visitUris(@NonNull Consumer<Uri> visitor) {
++                visitor.accept(getDataUri());
++                if (mSender != null) {
++                    mSender.visitUris(visitor);
++                }
++            }
++
+             /**
+              * Returns a list of messages read from the given bundle list, e.g.
+              * {@link #EXTRA_MESSAGES} or {@link #EXTRA_HISTORIC_MESSAGES}.
+diff --git a/core/java/android/app/Person.java b/core/java/android/app/Person.java
+index 97a794d4e4ea..c7432c571e43 100644
+--- a/core/java/android/app/Person.java
++++ b/core/java/android/app/Person.java
+@@ -24,6 +24,7 @@ import android.os.Parcel;
+ import android.os.Parcelable;
+ 
+ import java.util.Objects;
++import java.util.function.Consumer;
+ 
+ /**
+  * Provides an immutable reference to an entity that appears repeatedly on different surfaces of the
+@@ -177,6 +178,22 @@ public final class Person implements Parcelable {
+         dest.writeBoolean(mIsBot);
+     }
+ 
++    /**
++     * Note all {@link Uri} that are referenced internally, with the expectation that Uri permission
++     * grants will need to be issued to ensure the recipient of this object is able to render its
++     * contents.
++     * See b/281044385 for more context and examples about what happens when this isn't done
++     * correctly.
++     *
++     * @hide
++     */
++    public void visitUris(@NonNull Consumer<Uri> visitor) {
++        visitor.accept(getIconUri());
++        if (mUri != null && !mUri.isEmpty()) {
++            visitor.accept(Uri.parse(mUri));
++        }
++    }
++
+     /** Builder for the immutable {@link Person} class. */
+     public static class Builder {
+         @Nullable private CharSequence mName;
+diff --git a/core/java/android/widget/RemoteViews.java b/core/java/android/widget/RemoteViews.java
+index cecfa08c6e20..0747308eb93a 100644
+--- a/core/java/android/widget/RemoteViews.java
++++ b/core/java/android/widget/RemoteViews.java
+@@ -934,6 +934,13 @@ public class RemoteViews implements Parcelable, Filter {
+             return SET_REMOTE_VIEW_ADAPTER_LIST_TAG;
+         }
+ 
++        @Override
++        public void visitUris(@NonNull Consumer<Uri> visitor) {
++            for (RemoteViews remoteViews : list) {
++                remoteViews.visitUris(visitor);
++            }
++        }
++
+         int viewTypeCount;
+         ArrayList<RemoteViews> list;
+     }
+@@ -1009,6 +1016,13 @@ public class RemoteViews implements Parcelable, Filter {
+         public int getActionTag() {
+             return SET_REMOTE_COLLECTION_ITEMS_ADAPTER_TAG;
+         }
++
++        @Override
++        public void visitUris(@NonNull Consumer<Uri> visitor) {
++            if (mItems != null) {
++              mItems.visitUris(visitor);
++            }
++        }
+     }
+ 
+     private class SetRemoteViewsAdapterIntent extends Action {
+@@ -6757,6 +6771,15 @@ public class RemoteViews implements Parcelable, Filter {
+                         Math.max(mViewTypeCount, 1));
+             }
+         }
++
++        /**
++         * See {@link RemoteViews#visitUris(Consumer)}.
++         */
++        private void visitUris(@NonNull Consumer<Uri> visitor) {
++            for (RemoteViews view : mViews) {
++                view.visitUris(visitor);
++            }
++        }
+     }
+ 
+     /**
+-- 
+2.46.1.824.gd892dcdcdd-goog
+

aosp_diff/preliminary/frameworks/base/99_0289-Set-no-data-transfer-on-function-switch-timeout-for-accessory-mo.bulletin.patch

@@ -0,0 +1,56 @@
+From 7441cc063cd4d223ff7e6678e353ea9d349d1d71 Mon Sep 17 00:00:00 2001
+From: Ashish Kumar Gupta <kumarashishg@google.com>
+Date: Wed, 31 Jul 2024 16:02:29 +0000
+Subject: [PATCH] Set no data transfer on function switch timeout for accessory
+ mode
+
+In case of function switch times out, we will check whether
+the last function set was accessory. If this is the case, it is
+recommended to set the function to NONE(No data transfer) rather than
+setting it to the default USB function.
+
+Bug: 353712853
+Test: Build the code, flash the device and test it.
+Test: atest CtsUsbManagerTestCases
+Test: run CtsVerifier tool
+Test: atest CtsUsbTests
+(cherry picked from commit 7c6ec68537ba8abf798afd9ab7c3e5889841171f)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:b032a602cdad00687e1fe089d66a6c4fa6925d79)
+Merged-In: I698e9df0333cbb51dd9bd5917a94d81273a2784a
+Change-Id: I698e9df0333cbb51dd9bd5917a94d81273a2784a
+---
+ .../java/com/android/server/usb/UsbDeviceManager.java | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/services/usb/java/com/android/server/usb/UsbDeviceManager.java b/services/usb/java/com/android/server/usb/UsbDeviceManager.java
+index 2a5fd9e85d61..0d62e987523a 100644
+--- a/services/usb/java/com/android/server/usb/UsbDeviceManager.java
++++ b/services/usb/java/com/android/server/usb/UsbDeviceManager.java
+@@ -719,7 +719,7 @@ public class UsbDeviceManager implements ActivityTaskManagerInternal.ScreenObser
+             }
+         }
+ 
+-        private void notifyAccessoryModeExit() {
++        protected void notifyAccessoryModeExit() {
+             // make sure accessory mode is off
+             // and restore default functions
+             Slog.d(TAG, "exited USB accessory mode");
+@@ -1956,8 +1956,13 @@ public class UsbDeviceManager implements ActivityTaskManagerInternal.ScreenObser
+                      * Dont force to default when the configuration is already set to default.
+                      */
+                     if (msg.arg1 != 1) {
+-                        // Set this since default function may be selected from Developer options
+-                        setEnabledFunctions(mScreenUnlockedFunctions, false);
++                        if (mCurrentFunctions == UsbManager.FUNCTION_ACCESSORY) {
++                            notifyAccessoryModeExit();
++                        } else {
++                            // Set this since default function may be selected from Developer
++                            // options
++                            setEnabledFunctions(mScreenUnlockedFunctions, false);
++                        }
+                     }
+                     break;
+                 case MSG_GADGET_HAL_REGISTERED:
+-- 
+2.46.1.824.gd892dcdcdd-goog
+