From ee2191bfd0b51fa3ed164ce68c61d68108b60177 Mon Sep 17 00:00:00 2001 From: "Alam, SahibeX" Date: Wed, 23 Jul 2025 08:44:25 +0000 Subject: [PATCH] ASB AUG 2025 Security Patches integration Integrating Google Android Security Bulletin Patches Test done: STS r40 TCs Passed Tracked-On: OAM-133548 Signed-off-by: Alam, SahibeX --- ...LEASE_PLATFORM_SECURITY_PATCH-string.patch | 2 +- ...ys-load-new-ApplicationInfo-from-Pac.patch | 78 ++++++++ ...fo-in-RemoteViews-addAppWid.bulletin.patch | 47 +++++ ...splash-screen-while-device-is-locked.patch | 172 ++++++++++++++++++ 4 files changed, 298 insertions(+), 1 deletion(-) create mode 100644 aosp_diff/preliminary/frameworks/base/0018-RemoteViews-Always-load-new-ApplicationInfo-from-Pac.patch create mode 100644 aosp_diff/preliminary/frameworks/base/0019-Handle-exceptions-from-querying-appinfo-in-RemoteViews-addAppWid.bulletin.patch create mode 100644 aosp_diff/preliminary/frameworks/base/0020-Defer-remove-splash-screen-while-device-is-locked.patch diff --git a/aosp_diff/preliminary/build/release/0001-Update-RELEASE_PLATFORM_SECURITY_PATCH-string.patch b/aosp_diff/preliminary/build/release/0001-Update-RELEASE_PLATFORM_SECURITY_PATCH-string.patch index 21fc03196d..a6682ca368 100644 --- a/aosp_diff/preliminary/build/release/0001-Update-RELEASE_PLATFORM_SECURITY_PATCH-string.patch +++ b/aosp_diff/preliminary/build/release/0001-Update-RELEASE_PLATFORM_SECURITY_PATCH-string.patch @@ -20,7 +20,7 @@ index 4075b588..985e7b01 100644 name: "RELEASE_PLATFORM_SECURITY_PATCH" value: { - string_value: "2025-03-05" -+ string_value: "2025-06-01" ++ string_value: "2025-08-01" } -- 2.34.1 diff --git a/aosp_diff/preliminary/frameworks/base/0018-RemoteViews-Always-load-new-ApplicationInfo-from-Pac.patch b/aosp_diff/preliminary/frameworks/base/0018-RemoteViews-Always-load-new-ApplicationInfo-from-Pac.patch new file mode 100644 index 0000000000..a54364365d --- /dev/null +++ b/aosp_diff/preliminary/frameworks/base/0018-RemoteViews-Always-load-new-ApplicationInfo-from-Pac.patch @@ -0,0 +1,78 @@ +From ab7f9ce2684be11aa23b6e2bf4b6777f5190a557 Mon Sep 17 00:00:00 2001 +From: Zak Cohen +Date: Fri, 17 Jan 2025 15:16:13 -0800 +Subject: [PATCH] RemoteViews - Always load new ApplicationInfo from + PackageManager. + +Always load ApplicationInfo object needed for RemoteViews Contexts directly +from PackageManager. The key used is the package name. + +Previously this object was read from the RemoteViews bundle, which was +provided by the Widget providing app, and this object could not be relied +on to have accurate data fields. + +Bug: 376028556 +Flag: EXEMPT Security Fix +Test: atest CtsWidgetTestCases:RemoteViewsActivityTest#testApplicationInfo +Change-Id: Ie263b51fd2c2bdbf9d622533bb3f77d9f3f7181e +(cherry picked from commit 352fb4821076f0209ab2092d53444503dcec8992) +Merged-In: Ie263b51fd2c2bdbf9d622533bb3f77d9f3f7181e +--- + core/java/android/appwidget/AppWidgetHostView.java | 4 ---- + core/java/android/widget/RemoteViews.java | 11 ++++++++--- + 2 files changed, 8 insertions(+), 7 deletions(-) + +diff --git a/core/java/android/appwidget/AppWidgetHostView.java b/core/java/android/appwidget/AppWidgetHostView.java +index df1028e9e04c..b9b5c6a8bbc3 100644 +--- a/core/java/android/appwidget/AppWidgetHostView.java ++++ b/core/java/android/appwidget/AppWidgetHostView.java +@@ -20,7 +20,6 @@ import android.annotation.NonNull; + import android.annotation.Nullable; + import android.app.Activity; + import android.app.ActivityOptions; +-import android.app.LoadedApk; + import android.compat.annotation.UnsupportedAppUsage; + import android.content.ComponentName; + import android.content.Context; +@@ -753,9 +752,6 @@ public class AppWidgetHostView extends FrameLayout implements AppWidgetHost.AppW + */ + protected Context getRemoteContextEnsuringCorrectCachedApkPath() { + try { +- ApplicationInfo expectedAppInfo = mInfo.providerInfo.applicationInfo; +- LoadedApk.checkAndUpdateApkPaths(expectedAppInfo); +- // Return if cloned successfully, otherwise default + Context newContext = mContext.createApplicationContext( + mInfo.providerInfo.applicationInfo, + Context.CONTEXT_RESTRICTED); +diff --git a/core/java/android/widget/RemoteViews.java b/core/java/android/widget/RemoteViews.java +index 9fe3fd6ddc1a..e7fa80f3e11d 100644 +--- a/core/java/android/widget/RemoteViews.java ++++ b/core/java/android/widget/RemoteViews.java +@@ -44,7 +44,6 @@ import android.app.Activity; + import android.app.ActivityOptions; + import android.app.ActivityThread; + import android.app.Application; +-import android.app.LoadedApk; + import android.app.PendingIntent; + import android.app.RemoteInput; + import android.appwidget.AppWidgetHostView; +@@ -8479,8 +8478,14 @@ public class RemoteViews implements Parcelable, Filter { + return context; + } + try { +- LoadedApk.checkAndUpdateApkPaths(mApplication); +- Context applicationContext = context.createApplicationContext(mApplication, ++ // Use PackageManager as the source of truth for application information, rather ++ // than the parceled ApplicationInfo provided by the app. ++ ApplicationInfo sanitizedApplication = ++ context.getPackageManager().getApplicationInfoAsUser( ++ mApplication.packageName, 0, ++ UserHandle.getUserId(mApplication.uid)); ++ Context applicationContext = context.createApplicationContext( ++ sanitizedApplication, + Context.CONTEXT_RESTRICTED); + // Get the correct apk paths while maintaining the current context's configuration. + return applicationContext.createConfigurationContext( +-- +2.34.1 + diff --git a/aosp_diff/preliminary/frameworks/base/0019-Handle-exceptions-from-querying-appinfo-in-RemoteViews-addAppWid.bulletin.patch b/aosp_diff/preliminary/frameworks/base/0019-Handle-exceptions-from-querying-appinfo-in-RemoteViews-addAppWid.bulletin.patch new file mode 100644 index 0000000000..5922db78b4 --- /dev/null +++ b/aosp_diff/preliminary/frameworks/base/0019-Handle-exceptions-from-querying-appinfo-in-RemoteViews-addAppWid.bulletin.patch @@ -0,0 +1,47 @@ +From 1e9f4e8998cc934699405bbe0779b706cfb43905 Mon Sep 17 00:00:00 2001 +From: Sunny Goyal +Date: Thu, 13 Feb 2025 09:49:26 -0800 +Subject: [PATCH] Handle exceptions from querying appinfo in + RemoteViews#addAppWidget. + +Host process may not have access to the ApplicationInfo directly in some cases + +Bug: 395168279 +Change-Id: Ic26d63acea5f227b56d44bc2e417f7b189f0d2f2 +Test: Manual +Flag: EXEMPT bugfix +(cherry picked from commit 37bf5823504f2a256f128123393cd149721b87fc) +--- + core/java/android/widget/RemoteViews.java | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +diff --git a/core/java/android/widget/RemoteViews.java b/core/java/android/widget/RemoteViews.java +index 7bf058a3ba1e..c26d9f4c02d7 100644 +--- a/core/java/android/widget/RemoteViews.java ++++ b/core/java/android/widget/RemoteViews.java +@@ -6553,12 +6553,16 @@ public class RemoteViews implements Parcelable, Filter { + return context; + } + try { +- // Use PackageManager as the source of truth for application information, rather +- // than the parceled ApplicationInfo provided by the app. +- ApplicationInfo sanitizedApplication = +- context.getPackageManager().getApplicationInfoAsUser( +- mApplication.packageName, 0, +- UserHandle.getUserId(mApplication.uid)); ++ ApplicationInfo sanitizedApplication = mApplication; ++ try { ++ // Use PackageManager as the source of truth for application information, rather ++ // than the parceled ApplicationInfo provided by the app. ++ sanitizedApplication = context.getPackageManager().getApplicationInfoAsUser( ++ mApplication.packageName, 0, UserHandle.getUserId(mApplication.uid)); ++ } catch(SecurityException se) { ++ Log.d(LOG_TAG, "Unable to fetch appInfo for " + mApplication.packageName); ++ } ++ + Context applicationContext = context.createApplicationContext( + sanitizedApplication, + Context.CONTEXT_RESTRICTED); +-- +2.50.0.rc0.604.gd4ff7b7c86-goog + diff --git a/aosp_diff/preliminary/frameworks/base/0020-Defer-remove-splash-screen-while-device-is-locked.patch b/aosp_diff/preliminary/frameworks/base/0020-Defer-remove-splash-screen-while-device-is-locked.patch new file mode 100644 index 0000000000..56f08d2cea --- /dev/null +++ b/aosp_diff/preliminary/frameworks/base/0020-Defer-remove-splash-screen-while-device-is-locked.patch @@ -0,0 +1,172 @@ +From 0f3219b2ffd7a834b96cff0e84a5f3fa97d310da Mon Sep 17 00:00:00 2001 +From: wilsonshih +Date: Tue, 31 Dec 2024 08:25:26 +0000 +Subject: [PATCH] Defer remove splash screen while device is locked + +...and activity does not request showWhenLocked. +The splash screen won't contains secure information, so it's safe to +declared as showWhenLocked. But before remove starting window, if the +activity does not request showWhenLocked and device is locked, try to +trigger unoccluding animation, and keep app window hide until transition +animation finish. + +Bug: 378088391 +Bug: 383131643 +Test: run simulate app repeatly, verify the app content won't be visible +during transition animation. + +Merged-In: Ia2ddece125521eefb15d67e22ea863dfae6af112 +Change-Id: Ia2ddece125521eefb15d67e22ea863dfae6af112 +--- + .../com/android/server/wm/ActivityRecord.java | 24 +++++++++++++++++++ + .../com/android/server/wm/StartingData.java | 7 ++++++ + .../com/android/server/wm/Transition.java | 9 +++++++ + .../com/android/server/wm/WindowState.java | 15 ++++++++++++ + 4 files changed, 55 insertions(+) + +diff --git a/services/core/java/com/android/server/wm/ActivityRecord.java b/services/core/java/com/android/server/wm/ActivityRecord.java +index 3b582924ec96..88d0ad67fb21 100644 +--- a/services/core/java/com/android/server/wm/ActivityRecord.java ++++ b/services/core/java/com/android/server/wm/ActivityRecord.java +@@ -230,6 +230,7 @@ import static com.android.server.wm.IdentifierProto.USER_ID; + import static com.android.server.wm.StartingData.AFTER_TRANSACTION_COPY_TO_CLIENT; + import static com.android.server.wm.StartingData.AFTER_TRANSACTION_IDLE; + import static com.android.server.wm.StartingData.AFTER_TRANSACTION_REMOVE_DIRECTLY; ++import static com.android.server.wm.StartingData.AFTER_TRANSITION_FINISH; + import static com.android.server.wm.SurfaceAnimator.ANIMATION_TYPE_APP_TRANSITION; + import static com.android.server.wm.SurfaceAnimator.ANIMATION_TYPE_PREDICT_BACK; + import static com.android.server.wm.SurfaceAnimator.ANIMATION_TYPE_WINDOW_ANIMATION; +@@ -2809,9 +2810,28 @@ final class ActivityRecord extends WindowToken implements WindowManagerService.A + attachStartingSurfaceToAssociatedTask(); + } + ++ /** ++ * If the device is locked and the app does not request showWhenLocked, ++ * defer removing the starting window until the transition is complete. ++ * This prevents briefly appearing the app context and causing secure concern. ++ */ ++ void deferStartingWindowRemovalForKeyguardUnoccluding() { ++ if (mStartingData != null ++ && mStartingData.mRemoveAfterTransaction != AFTER_TRANSITION_FINISH ++ && isKeyguardLocked() && !canShowWhenLockedInner(this) && !isVisibleRequested() ++ && mTransitionController.inTransition(this)) { ++ mStartingData.mRemoveAfterTransaction = AFTER_TRANSITION_FINISH; ++ } ++ } ++ + void removeStartingWindow() { + boolean prevEligibleForLetterboxEducation = isEligibleForLetterboxEducation(); + ++ if (mStartingData != null ++ && mStartingData.mRemoveAfterTransaction == AFTER_TRANSITION_FINISH) { ++ return; ++ } ++ + if (transferSplashScreenIfNeeded()) { + return; + } +@@ -4657,6 +4677,10 @@ final class ActivityRecord extends WindowToken implements WindowManagerService.A + } + } + ++ if (mStartingData.mRemoveAfterTransaction == AFTER_TRANSITION_FINISH) { ++ mStartingData.mRemoveAfterTransaction = AFTER_TRANSACTION_IDLE; ++ } ++ + ProtoLog.v(WM_DEBUG_ADD_REMOVE, + "Removing starting %s from %s", tStartingWindow, fromActivity); + mTransitionController.collect(tStartingWindow); +diff --git a/services/core/java/com/android/server/wm/StartingData.java b/services/core/java/com/android/server/wm/StartingData.java +index 896612d3d27a..282637dede7e 100644 +--- a/services/core/java/com/android/server/wm/StartingData.java ++++ b/services/core/java/com/android/server/wm/StartingData.java +@@ -31,11 +31,18 @@ public abstract class StartingData { + static final int AFTER_TRANSACTION_REMOVE_DIRECTLY = 1; + /** Do copy splash screen to client after transaction done. */ + static final int AFTER_TRANSACTION_COPY_TO_CLIENT = 2; ++ /** ++ * Remove the starting window after transition finish. ++ * Used when activity doesn't request show when locked, so the app window should never show to ++ * the user if device is locked. ++ **/ ++ static final int AFTER_TRANSITION_FINISH = 3; + + @IntDef(prefix = { "AFTER_TRANSACTION" }, value = { + AFTER_TRANSACTION_IDLE, + AFTER_TRANSACTION_REMOVE_DIRECTLY, + AFTER_TRANSACTION_COPY_TO_CLIENT, ++ AFTER_TRANSITION_FINISH, + }) + @interface AfterTransaction {} + +diff --git a/services/core/java/com/android/server/wm/Transition.java b/services/core/java/com/android/server/wm/Transition.java +index 1fc609b7d03a..dcced3ddbde7 100644 +--- a/services/core/java/com/android/server/wm/Transition.java ++++ b/services/core/java/com/android/server/wm/Transition.java +@@ -73,6 +73,8 @@ import static com.android.server.wm.ActivityTaskManagerInternal.APP_TRANSITION_W + import static com.android.server.wm.SurfaceAnimator.ANIMATION_TYPE_PREDICT_BACK; + import static com.android.server.wm.WindowContainer.AnimationFlags.PARENTS; + import static com.android.server.wm.WindowState.BLAST_TIMEOUT_DURATION; ++import static com.android.server.wm.StartingData.AFTER_TRANSACTION_IDLE; ++import static com.android.server.wm.StartingData.AFTER_TRANSITION_FINISH; + import static com.android.window.flags.Flags.enableDisplayFocusInShellTransitions; + + import android.annotation.IntDef; +@@ -1377,6 +1379,13 @@ class Transition implements BLASTSyncEngine.TransactionReadyListener { + enterAutoPip = true; + } + } ++ ++ if (ar.mStartingData != null && ar.mStartingData.mRemoveAfterTransaction ++ == AFTER_TRANSITION_FINISH ++ && (!ar.isVisible() || !ar.mTransitionController.inTransition(ar))) { ++ ar.mStartingData.mRemoveAfterTransaction = AFTER_TRANSACTION_IDLE; ++ ar.removeStartingWindow(); ++ } + final ChangeInfo changeInfo = mChanges.get(ar); + // Due to transient-hide, there may be some activities here which weren't in the + // transition. +diff --git a/services/core/java/com/android/server/wm/WindowState.java b/services/core/java/com/android/server/wm/WindowState.java +index cebe790bb1b9..3fa1130d86a3 100644 +--- a/services/core/java/com/android/server/wm/WindowState.java ++++ b/services/core/java/com/android/server/wm/WindowState.java +@@ -126,6 +126,7 @@ import static com.android.server.wm.IdentifierProto.USER_ID; + import static com.android.server.wm.MoveAnimationSpecProto.DURATION_MS; + import static com.android.server.wm.MoveAnimationSpecProto.FROM; + import static com.android.server.wm.MoveAnimationSpecProto.TO; ++import static com.android.server.wm.StartingData.AFTER_TRANSITION_FINISH; + import static com.android.server.wm.SurfaceAnimator.ANIMATION_TYPE_ALL; + import static com.android.server.wm.SurfaceAnimator.ANIMATION_TYPE_APP_TRANSITION; + import static com.android.server.wm.SurfaceAnimator.ANIMATION_TYPE_STARTING_REVEAL; +@@ -1920,6 +1921,13 @@ class WindowState extends WindowContainer implements WindowManagerP + } + final ActivityRecord atoken = mActivityRecord; + if (atoken != null) { ++ if (atoken.mStartingData != null && mAttrs.type != TYPE_APPLICATION_STARTING ++ && atoken.mStartingData.mRemoveAfterTransaction ++ == AFTER_TRANSITION_FINISH) { ++ // Preventing app window from visible during un-occluding animation playing due to ++ // alpha blending. ++ return false; ++ } + final boolean isVisible = isStartingWindowAssociatedToTask() + ? mStartingData.mAssociatedTask.isVisible() : atoken.isVisible(); + return ((!isParentWindowHidden() && isVisible) +@@ -2925,7 +2933,14 @@ class WindowState extends WindowContainer implements WindowManagerP + final int mask = FLAG_SHOW_WHEN_LOCKED | FLAG_DISMISS_KEYGUARD + | FLAG_ALLOW_LOCK_WHILE_SCREEN_ON; + WindowManager.LayoutParams sa = mActivityRecord.mStartingWindow.mAttrs; ++ final boolean wasShowWhenLocked = (sa.flags & FLAG_SHOW_WHEN_LOCKED) != 0; ++ final boolean removeShowWhenLocked = (mAttrs.flags & FLAG_SHOW_WHEN_LOCKED) == 0; + sa.flags = (sa.flags & ~mask) | (mAttrs.flags & mask); ++ if (wasShowWhenLocked && removeShowWhenLocked) { ++ // Trigger unoccluding animation if needed. ++ mActivityRecord.checkKeyguardFlagsChanged(); ++ mActivityRecord.deferStartingWindowRemovalForKeyguardUnoccluding(); ++ } + } + } + +-- +2.34.1 +