ASB MAR 2025 Security Patches integration

Integrating Google Android Security Bulletin Patches.

Test done: STS r36 TCs Passed

Tracked-On: OAM-130552
Signed-off-by: Alam, Sahibex <sahibex.alam@intel.com>

aosp_diff/preliminary/build/make/0004-Update-security_patch_level-string.patch

@@ -20,7 +20,7 @@ index 419ff1aadc..fbbe777754 100644
      #  It must match one of the Android Security Patch Level strings of the Public Security Bulletins.
      #  If there is no $PLATFORM_SECURITY_PATCH set, keep it empty.
 -    PLATFORM_SECURITY_PATCH := 2023-05-05
-+    PLATFORM_SECURITY_PATCH := 2025-02-01
++    PLATFORM_SECURITY_PATCH := 2025-03-01
  endif
 
  include $(BUILD_SYSTEM)/version_util.mk

aosp_diff/preliminary/external/dng_sdk/0001-Catch-null-HuffmanTables-when-decoding-jpeg.bulletin.patch

@@ -0,0 +1,33 @@
+From ee3f2ff4c3e1d737b409c87866decc29a321d7c7 Mon Sep 17 00:00:00 2001
+From: Nick Chusid <nchusid@google.com>
+Date: Tue, 10 Dec 2024 22:46:28 +0000
+Subject: [PATCH] Catch null HuffmanTables when decoding jpeg
+
+Bug: 347735428
+Test: TreeHugger
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a22d1f0f07d998a53dd49a941d3a588f55b36399)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c506235a45be1c7c9f1a836495417d78f8718028)
+Merged-In: Iaf36c076467d18e4e31d8436a6d199c3276a8786
+Change-Id: Iaf36c076467d18e4e31d8436a6d199c3276a8786
+---
+ source/dng_lossless_jpeg.cpp | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/source/dng_lossless_jpeg.cpp b/source/dng_lossless_jpeg.cpp
+index 9d0d01a..8802f32 100644
+--- a/source/dng_lossless_jpeg.cpp
++++ b/source/dng_lossless_jpeg.cpp
+@@ -1616,6 +1616,10 @@ inline int32 dng_lossless_decoder::get_bit ()
+ inline int32 dng_lossless_decoder::HuffDecode (HuffmanTable *htbl)
+ 	{
+
++	if (htbl == nullptr) {
++		ThrowBadFormat ();
++	}
++
+     // If the huffman code is less than 8 bits, we can use the fast
+     // table lookup to get its value.  It's more than 8 bits about
+     // 3-4% of the time.
+-- 
+2.48.1.262.g85cc9f2d1e-goog
+

aosp_diff/preliminary/frameworks/base/99_0236-DO-NOT-MERGE-Hide-Android-data-obb-sanbox-on-shared-.patch

@@ -0,0 +1,106 @@
+From cec67a1f90d6f7cdb120743e408c7c7ee34ce66d Mon Sep 17 00:00:00 2001
+From: Sergey Nikolaienkov <sergeynv@google.com>
+Date: Sat, 1 Jul 2023 16:03:56 +0200
+Subject: [PATCH] DO NOT MERGE: "Hide" /Android/data|obb|sanbox/ on shared
+ storage
+
+Implement shouldHideDocument() in the ExternalStorageProvider so that it
+resitcts access to 'Android/data/', 'Android/obb/' and 'Android/sandbox'
+on the integrated shared storage along with all their content and
+subdirectories.
+
+Clean up the abstract FileSystemProvider, specifically all variants of
+queryChildDocuments().
+
+Bug: 200034476
+Bug: 220066255
+Bug: 283962634
+Test: make & flash systemimage, run manually
+Test: atest ExternalStorageProviderTests
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:131e73e1b3839111463aae26bae1b3db6782eb38)
+Merged-In: I48c2ce7ff2d7fc067961ea2af0ea63818316f086
+Change-Id: I48c2ce7ff2d7fc067961ea2af0ea63818316f086
+---
+ .../ExternalStorageProvider.java              | 28 +++++++++++++++++--
+ 1 file changed, 26 insertions(+), 2 deletions(-)
+
+diff --git a/packages/ExternalStorageProvider/src/com/android/externalstorage/ExternalStorageProvider.java b/packages/ExternalStorageProvider/src/com/android/externalstorage/ExternalStorageProvider.java
+index defbc1142adb..b34ce0a18325 100644
+--- a/packages/ExternalStorageProvider/src/com/android/externalstorage/ExternalStorageProvider.java
++++ b/packages/ExternalStorageProvider/src/com/android/externalstorage/ExternalStorageProvider.java
+@@ -16,6 +16,8 @@
+
+ package com.android.externalstorage;
+
++import static java.util.regex.Pattern.CASE_INSENSITIVE;
++
+ import android.annotation.NonNull;
+ import android.annotation.Nullable;
+ import android.app.usage.StorageStatsManager;
+@@ -67,6 +69,7 @@ import java.util.List;
+ import java.util.Locale;
+ import java.util.Objects;
+ import java.util.UUID;
++import java.util.regex.Pattern;
+ import java.util.stream.Collectors;
+
+ /**
+@@ -94,6 +97,13 @@ public class ExternalStorageProvider extends FileSystemProvider {
+
+     private static final String STORAGE_PATH = "/storage/";
+
++    /**
++     * Regex for detecting {@code /Android/data/}, {@code /Android/obb/} and
++     * {@code /Android/sandbox/} along with all their subdirectories and content.
++     */
++    private static final Pattern PATTERN_RESTRICTED_ANDROID_SUBTREES =
++            Pattern.compile("^Android/(?:data|obb|sandbox)(?:/.+)?", CASE_INSENSITIVE);
++
+     private static final String[] DEFAULT_ROOT_PROJECTION = new String[] {
+             Root.COLUMN_ROOT_ID, Root.COLUMN_FLAGS, Root.COLUMN_ICON, Root.COLUMN_TITLE,
+             Root.COLUMN_DOCUMENT_ID, Root.COLUMN_AVAILABLE_BYTES, Root.COLUMN_QUERY_ARGS
+@@ -307,13 +317,16 @@ public class ExternalStorageProvider extends FileSystemProvider {
+             return false;
+         }
+
+-        try {
++        final String path = getPathFromDocId(documentId);
++        return PATTERN_RESTRICTED_ANDROID_SUBTREES.matcher(path).matches();
++
++       /* try {
+             final RootInfo root = getRootFromDocId(documentId);
+             final String canonicalPath = getPathFromDocId(documentId);
+             return isRestrictedPath(root.rootId, canonicalPath);
+         } catch (Exception e) {
+             return true;
+-        }
++        }*/
+     }
+
+     /**
+@@ -634,6 +647,13 @@ public class ExternalStorageProvider extends FileSystemProvider {
+         return result;
+     }
+
++    /**
++     * Print the state into the given stream.
++     * Gets invoked when you run:
++     * <pre>
++     * adb shell dumpsys activity provider com.android.externalstorage/.ExternalStorageProvider
++     * </pre>
++     */
+     @Override
+     public Path findDocumentPath(@Nullable String parentDocId, String childDocId)
+             throws FileNotFoundException {
+@@ -835,4 +855,8 @@ public class ExternalStorageProvider extends FileSystemProvider {
+     private static boolean equalIgnoringCase(@NonNull String a, @NonNull String b) {
+         return TextUtils.equals(a.toLowerCase(Locale.ROOT), b.toLowerCase(Locale.ROOT));
+     }
++
++    private static boolean equalIgnoringCase(@NonNull String a, @NonNull String b) {
++        return TextUtils.equals(a.toLowerCase(Locale.ROOT), b.toLowerCase(Locale.ROOT));
++    }
+ }
+-- 
+2.34.1
+

aosp_diff/preliminary/frameworks/base/99_0237-Restrict-access-to-directories.patch

@@ -0,0 +1,78 @@
+From bbfb5f279aa5c0986cbd51f6ab217bb56f0a49d5 Mon Sep 17 00:00:00 2001
+From: Dipankar Bhardwaj <dipankarb@google.com>
+Date: Wed, 21 Aug 2024 14:26:50 +0000
+Subject: [PATCH] Restrict access to directories
+
+Restricted access to Android/data, Android/obb and Android/sandbox
+directories and its sub-directories. Replacing path's pattern match
+check with file equality check.
+
+Test: atest DocumentsClientTest
+Bug: 341680936
+Flag: EXEMPT bug fix
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:18a5a8395f301b77474ee377e38fd1aa4996036d)
+Merged-In: I8879900e57e1702d11797b81e86d0cc3f55bac22
+Change-Id: I8879900e57e1702d11797b81e86d0cc3f55bac22
+---
+ .../ExternalStorageProvider.java              | 19 +++++--------------
+ 1 file changed, 5 insertions(+), 14 deletions(-)
+
+diff --git a/packages/ExternalStorageProvider/src/com/android/externalstorage/ExternalStorageProvider.java b/packages/ExternalStorageProvider/src/com/android/externalstorage/ExternalStorageProvider.java
+index b34ce0a18325..64a4eb2f858f 100644
+--- a/packages/ExternalStorageProvider/src/com/android/externalstorage/ExternalStorageProvider.java
++++ b/packages/ExternalStorageProvider/src/com/android/externalstorage/ExternalStorageProvider.java
+@@ -16,8 +16,6 @@
+
+ package com.android.externalstorage;
+
+-import static java.util.regex.Pattern.CASE_INSENSITIVE;
+-
+ import android.annotation.NonNull;
+ import android.annotation.Nullable;
+ import android.app.usage.StorageStatsManager;
+@@ -69,7 +67,6 @@ import java.util.List;
+ import java.util.Locale;
+ import java.util.Objects;
+ import java.util.UUID;
+-import java.util.regex.Pattern;
+ import java.util.stream.Collectors;
+
+ /**
+@@ -97,12 +94,9 @@ public class ExternalStorageProvider extends FileSystemProvider {
+
+     private static final String STORAGE_PATH = "/storage/";
+
+-    /**
+-     * Regex for detecting {@code /Android/data/}, {@code /Android/obb/} and
+-     * {@code /Android/sandbox/} along with all their subdirectories and content.
+-     */
+-    private static final Pattern PATTERN_RESTRICTED_ANDROID_SUBTREES =
+-            Pattern.compile("^Android/(?:data|obb|sandbox)(?:/.+)?", CASE_INSENSITIVE);
++    private static final String PRIMARY_EMULATED_STORAGE_PATH = "/storage/emulated/";
++
++    private static final String STORAGE_PATH = "/storage/";
+
+     private static final String[] DEFAULT_ROOT_PROJECTION = new String[] {
+             Root.COLUMN_ROOT_ID, Root.COLUMN_FLAGS, Root.COLUMN_ICON, Root.COLUMN_TITLE,
+@@ -317,16 +311,13 @@ public class ExternalStorageProvider extends FileSystemProvider {
+             return false;
+         }
+
+-        final String path = getPathFromDocId(documentId);
+-        return PATTERN_RESTRICTED_ANDROID_SUBTREES.matcher(path).matches();
+-
+-       /* try {
++       try {
+             final RootInfo root = getRootFromDocId(documentId);
+             final String canonicalPath = getPathFromDocId(documentId);
+             return isRestrictedPath(root.rootId, canonicalPath);
+         } catch (Exception e) {
+             return true;
+-        }*/
++        }
+     }
+
+     /**
+-- 
+2.34.1
+

aosp_diff/preliminary/frameworks/base/99_0238-Resolve-cross-account-user-icon-validation-.bulletin.patch

@@ -0,0 +1,88 @@
+From 71a03fd10e222b6ed5f540f8cc5272a73bd85a57 Mon Sep 17 00:00:00 2001
+From: Pranav Madapurmath <pmadapurmath@google.com>
+Date: Thu, 2 Jan 2025 14:58:50 -0800
+Subject: [PATCH] Resolve cross account user icon validation.
+
+Resolves a vulnerability found with the cross account user icon
+validation in StatusHint and TelecomServiceImpl (when registering a
+phone account). The reporter found that an uri formatted as `userId%`
+isn't parsed properly with the existing reference to Uri.encodedUserInfo.
+
+Bug: 376461551
+Bug: 376259166
+Flag: EXEMPT bugfix
+Test: atest TelecomServiceImplTest
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:81c9a17787743df280adac58ab5f74c084d058e1)
+Merged-In: I25614ead889501f4553ed2b42b366e09a47b0c9f
+Change-Id: I25614ead889501f4553ed2b42b366e09a47b0c9f
+---
+ .../java/android/telecom/StatusHints.java     | 34 +++++++++++++++----
+ 1 file changed, 28 insertions(+), 6 deletions(-)
+
+diff --git a/telecomm/java/android/telecom/StatusHints.java b/telecomm/java/android/telecom/StatusHints.java
+index 5f0c8d729e74..31b84ff04b85 100644
+--- a/telecomm/java/android/telecom/StatusHints.java
++++ b/telecomm/java/android/telecom/StatusHints.java
+@@ -27,6 +27,7 @@ import android.os.Bundle;
+ import android.os.Parcel;
+ import android.os.Parcelable;
+ import android.os.UserHandle;
++import android.util.Log;
+
+ import com.android.internal.annotations.VisibleForTesting;
+
+@@ -40,6 +41,7 @@ public final class StatusHints implements Parcelable {
+     private final CharSequence mLabel;
+     private Icon mIcon;
+     private final Bundle mExtras;
++    private static final String TAG = StatusHints.class.getSimpleName();
+
+     /**
+      * @hide
+@@ -150,17 +152,37 @@ public final class StatusHints implements Parcelable {
+         // incompatible types.
+         if (icon != null && (icon.getType() == Icon.TYPE_URI
+                 || icon.getType() == Icon.TYPE_URI_ADAPTIVE_BITMAP)) {
+-            String encodedUser = icon.getUri().getEncodedUserInfo();
+-            // If there is no encoded user, the URI is calling into the calling user space
+-            if (encodedUser != null) {
+-                int userId = Integer.parseInt(encodedUser);
+-                // Do not try to save the icon if the user id isn't in the calling user space.
+-                if (userId != callingUserHandle.getIdentifier()) return null;
++            int callingUserId = callingUserHandle.getIdentifier();
++            int requestingUserId = getUserIdFromAuthority(
++                    icon.getUri().getAuthority(), callingUserId);
++            if (callingUserId != requestingUserId) {
++                return null;
+             }
++
+         }
+         return icon;
+     }
+
++    /**
++     * Derives the user id from the authority or the default user id if none could be found.
++     * @param auth
++     * @param defaultUserId
++     * @return The user id from the given authority.
++     * @hide
++     */
++    public static int getUserIdFromAuthority(String auth, int defaultUserId) {
++        if (auth == null) return defaultUserId;
++        int end = auth.lastIndexOf('@');
++        if (end == -1) return defaultUserId;
++        String userIdString = auth.substring(0, end);
++        try {
++            return Integer.parseInt(userIdString);
++        } catch (NumberFormatException e) {
++            Log.w(TAG, "Error parsing userId." + e);
++            return UserHandle.USER_NULL;
++        }
++    }
++
+     @Override
+     public void writeToParcel(Parcel out, int flags) {
+         out.writeCharSequence(mLabel);
+-- 
+2.48.1.262.g85cc9f2d1e-goog
+

aosp_diff/preliminary/frameworks/base/99_0239-Check-account-type-returned-by-AbstractAccountAuthenticator-.bulletin.patch

@@ -0,0 +1,41 @@
+From 5f3837ea2375add2320ae10f940363b8262db9df Mon Sep 17 00:00:00 2001
+From: Dmitry Dementyev <dementyev@google.com>
+Date: Thu, 19 Dec 2024 11:02:42 -0800
+Subject: [PATCH] Check account type returned by AbstractAccountAuthenticator.
+
+AccountManagerService already knows which account is used during
+AbstractAccountAuthenticator.getAuthToken.
+
+KEY_ACCOUNT_NAME and KEY_ACCOUNT_TYPE in the response look unnecessary,
+but we can't change API at this moment.
+
+Bug: 364269936
+Test: manual
+Flag: EXEMPT bugfix
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:1ab5ce4282ba251bd7e6904c4a7fae1f7a209990)
+Merged-In: Ifc62866f4feaca43abc32bc542b97f3741953f56
+Change-Id: Ifc62866f4feaca43abc32bc542b97f3741953f56
+---
+ .../com/android/server/accounts/AccountManagerService.java  | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/services/core/java/com/android/server/accounts/AccountManagerService.java b/services/core/java/com/android/server/accounts/AccountManagerService.java
+index 70f66cae50f0..847806a0b4f9 100644
+--- a/services/core/java/com/android/server/accounts/AccountManagerService.java
++++ b/services/core/java/com/android/server/accounts/AccountManagerService.java
+@@ -3073,6 +3073,12 @@ public class AccountManagerService
+                                         "the type and name should not be empty");
+                                 return;
+                             }
++                            if (!type.equals(mAccountType)) {
++                                onError(AccountManager.ERROR_CODE_INVALID_RESPONSE,
++                                        "incorrect account type");
++                                return;
++                            }
++
+                             Account resultAccount = new Account(name, type);
+                             if (!customTokens) {
+                                 saveAuthTokenToDatabase(
+-- 
+2.48.1.262.g85cc9f2d1e-goog
+