projectceladon · AlamIntel · Mar 1, 2025
diff --git a/aosp_diff/preliminary/build/make/04_0004-Update-security_patch_level-string.patch b/aosp_diff/preliminary/build/make/04_0004-Update-security_patch_level-string.patch
@@ -20,7 +20,7 @@ index 47bb92c142..2d0ac256a4 100644
      #  It must match one of the Android Security Patch Level strings of the Public Security Bulletins.
      #  If there is no $PLATFORM_SECURITY_PATCH set, keep it empty.
 -      PLATFORM_SECURITY_PATCH := 2022-02-05
-+      PLATFORM_SECURITY_PATCH := 2025-02-01
++      PLATFORM_SECURITY_PATCH := 2025-03-01
  endif
  .KATI_READONLY := PLATFORM_SECURITY_PATCH
 

diff --git a/...liminary/external/dng_sdk/0001-Catch-null-HuffmanTables-when-decoding-jpeg.bulletin.patch b/...liminary/external/dng_sdk/0001-Catch-null-HuffmanTables-when-decoding-jpeg.bulletin.patch
@@ -0,0 +1,32 @@
+From 60d501a8adb5118aa57733a527185a626f0b745d Mon Sep 17 00:00:00 2001
+From: Nick Chusid <nchusid@google.com>
+Date: Tue, 10 Dec 2024 22:46:28 +0000
+Subject: [PATCH] Catch null HuffmanTables when decoding jpeg
+
+Bug: 347735428
+Test: TreeHugger
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:caa282a34ca505eef317c3f3eb7cac83771f357c)
+Merged-In: Iaf36c076467d18e4e31d8436a6d199c3276a8786
+Change-Id: Iaf36c076467d18e4e31d8436a6d199c3276a8786
+---
+ source/dng_lossless_jpeg.cpp | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/source/dng_lossless_jpeg.cpp b/source/dng_lossless_jpeg.cpp
+index 9d0d01a..8802f32 100644
+--- a/source/dng_lossless_jpeg.cpp
++++ b/source/dng_lossless_jpeg.cpp
+@@ -1616,6 +1616,10 @@ inline int32 dng_lossless_decoder::get_bit ()
+ inline int32 dng_lossless_decoder::HuffDecode (HuffmanTable *htbl)
+ 	{
+
++	if (htbl == nullptr) {
++		ThrowBadFormat ();
++	}
++
+     // If the huffman code is less than 8 bits, we can use the fast
+     // table lookup to get its value.  It's more than 8 bits about
+     // 3-4% of the time.
+-- 
+2.48.1.262.g85cc9f2d1e-goog
+
diff --git a/aosp_diff/preliminary/frameworks/base/99_0304-Restrict-access-to-directories.patch b/aosp_diff/preliminary/frameworks/base/99_0304-Restrict-access-to-directories.patch
@@ -0,0 +1,77 @@
+From 7f93e424f477596dc356a020b0bd12ec5a283da5 Mon Sep 17 00:00:00 2001
+From: Dipankar Bhardwaj <dipankarb@google.com>
+Date: Wed, 21 Aug 2024 14:26:50 +0000
+Subject: [PATCH] Restrict access to directories
+
+Restricted access to Android/data, Android/obb and Android/sandbox
+directories and its sub-directories. Replacing path's pattern match
+check with file equality check.
+
+Test: atest DocumentsClientTest
+Bug: 341680936
+Flag: EXEMPT bug fix
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:22ea85377ad49594e46c57b398fb477d3d12c668)
+Merged-In: I8879900e57e1702d11797b81e86d0cc3f55bac22
+Change-Id: I8879900e57e1702d11797b81e86d0cc3f55bac22
+---
+ .../ExternalStorageProvider.java               | 18 +++---------------
+ 1 file changed, 3 insertions(+), 15 deletions(-)
+
+diff --git a/packages/ExternalStorageProvider/src/com/android/externalstorage/ExternalStorageProvider.java b/packages/ExternalStorageProvider/src/com/android/externalstorage/ExternalStorageProvider.java
+index 8f31248d9039..faef38b33429 100644
+--- a/packages/ExternalStorageProvider/src/com/android/externalstorage/ExternalStorageProvider.java
++++ b/packages/ExternalStorageProvider/src/com/android/externalstorage/ExternalStorageProvider.java
+@@ -16,8 +16,6 @@
+
+ package com.android.externalstorage;
+
+-import static java.util.regex.Pattern.CASE_INSENSITIVE;
+-
+ import android.annotation.NonNull;
+ import android.annotation.Nullable;
+ import android.app.usage.StorageStatsManager;
+@@ -69,7 +67,6 @@ import java.util.List;
+ import java.util.Locale;
+ import java.util.Objects;
+ import java.util.UUID;
+-import java.util.regex.Pattern;
+ import java.util.stream.Collectors;
+
+ /**
+@@ -97,13 +94,6 @@ public class ExternalStorageProvider extends FileSystemProvider {
+
+     private static final String STORAGE_PATH = "/storage/";
+
+-    /**
+-     * Regex for detecting {@code /Android/data/}, {@code /Android/obb/} and
+-     * {@code /Android/sandbox/} along with all their subdirectories and content.
+-     */
+-    private static final Pattern PATTERN_RESTRICTED_ANDROID_SUBTREES =
+-            Pattern.compile("^Android/(?:data|obb|sandbox)(?:/.+)?", CASE_INSENSITIVE);
+-
+     private static final String[] DEFAULT_ROOT_PROJECTION = new String[] {
+             Root.COLUMN_ROOT_ID, Root.COLUMN_FLAGS, Root.COLUMN_ICON, Root.COLUMN_TITLE,
+             Root.COLUMN_DOCUMENT_ID, Root.COLUMN_AVAILABLE_BYTES, Root.COLUMN_QUERY_ARGS
+@@ -315,16 +305,14 @@ public class ExternalStorageProvider extends FileSystemProvider {
+         if (isOnRemovableUsbStorage(documentId)) {
+             return false;
+         }
+-        final String path = getPathFromDocId(documentId);
+-        return PATTERN_RESTRICTED_ANDROID_SUBTREES.matcher(path).matches();
+-
+-        /*try {
++        
++	try {
+             final RootInfo root = getRootFromDocId(documentId);
+             final String canonicalPath = getPathFromDocId(documentId);
+             return isRestrictedPath(root.rootId, canonicalPath);
+         } catch (Exception e) {
+             return true;
+-        }*/
++        }
+     }
+
+     /**
+-- 
+2.46.0
+
diff --git a/...minary/frameworks/base/99_0305-DO-NOT-MERGE-Hide-Android-data-obb-sanbox-on-shared-.patch b/...minary/frameworks/base/99_0305-DO-NOT-MERGE-Hide-Android-data-obb-sanbox-on-shared-.patch
@@ -0,0 +1,106 @@
+From c0f01a95c6748e5c75223ea355cd08a7c5a07717 Mon Sep 17 00:00:00 2001
+From: Sergey Nikolaienkov <sergeynv@google.com>
+Date: Sat, 1 Jul 2023 16:03:56 +0200
+Subject: [PATCH] DO NOT MERGE: "Hide" /Android/data|obb|sanbox/ on shared
+ storage
+
+Implement shouldHideDocument() in the ExternalStorageProvider so that it
+resitcts access to 'Android/data/', 'Android/obb/' and 'Android/sandbox'
+on the integrated shared storage along with all their content and
+subdirectories.
+
+Clean up the abstract FileSystemProvider, specifically all variants of
+queryChildDocuments().
+
+Bug: 200034476
+Bug: 220066255
+Bug: 283962634
+Test: make & flash systemimage, run manually
+Test: atest ExternalStorageProviderTests
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:9a9602a68d6d7acb8e9bd6fa37ca93f11d6dd213)
+Merged-In: I48c2ce7ff2d7fc067961ea2af0ea63818316f086
+Change-Id: I48c2ce7ff2d7fc067961ea2af0ea63818316f086
+---
+ .../ExternalStorageProvider.java              | 27 +++++++++++++++++--
+ 1 file changed, 25 insertions(+), 2 deletions(-)
+
+diff --git a/packages/ExternalStorageProvider/src/com/android/externalstorage/ExternalStorageProvider.java b/packages/ExternalStorageProvider/src/com/android/externalstorage/ExternalStorageProvider.java
+index fdeccfa7b9d0..8f31248d9039 100644
+--- a/packages/ExternalStorageProvider/src/com/android/externalstorage/ExternalStorageProvider.java
++++ b/packages/ExternalStorageProvider/src/com/android/externalstorage/ExternalStorageProvider.java
+@@ -16,6 +16,8 @@
+
+ package com.android.externalstorage;
+
++import static java.util.regex.Pattern.CASE_INSENSITIVE;
++
+ import android.annotation.NonNull;
+ import android.annotation.Nullable;
+ import android.app.usage.StorageStatsManager;
+@@ -67,6 +69,7 @@ import java.util.List;
+ import java.util.Locale;
+ import java.util.Objects;
+ import java.util.UUID;
++import java.util.regex.Pattern;
+ import java.util.stream.Collectors;
+
+ /**
+@@ -93,6 +96,13 @@ public class ExternalStorageProvider extends FileSystemProvider {
+     private static final String PRIMARY_EMULATED_STORAGE_PATH = "/storage/emulated/";
+
+     private static final String STORAGE_PATH = "/storage/";
++    
++    /**
++     * Regex for detecting {@code /Android/data/}, {@code /Android/obb/} and
++     * {@code /Android/sandbox/} along with all their subdirectories and content.
++     */
++    private static final Pattern PATTERN_RESTRICTED_ANDROID_SUBTREES =
++            Pattern.compile("^Android/(?:data|obb|sandbox)(?:/.+)?", CASE_INSENSITIVE);
+
+     private static final String[] DEFAULT_ROOT_PROJECTION = new String[] {
+             Root.COLUMN_ROOT_ID, Root.COLUMN_FLAGS, Root.COLUMN_ICON, Root.COLUMN_TITLE,
+@@ -305,14 +315,16 @@ public class ExternalStorageProvider extends FileSystemProvider {
+         if (isOnRemovableUsbStorage(documentId)) {
+             return false;
+         }
++        final String path = getPathFromDocId(documentId);
++        return PATTERN_RESTRICTED_ANDROID_SUBTREES.matcher(path).matches();
+
+-        try {
++        /*try {
+             final RootInfo root = getRootFromDocId(documentId);
+             final String canonicalPath = getPathFromDocId(documentId);
+             return isRestrictedPath(root.rootId, canonicalPath);
+         } catch (Exception e) {
+             return true;
+-        }
++        }*/
+     }
+
+     /**
+@@ -628,6 +640,13 @@ public class ExternalStorageProvider extends FileSystemProvider {
+         return result;
+     }
+
++    /**
++     * Print the state into the given stream.
++     * Gets invoked when you run:
++     * <pre>
++     * adb shell dumpsys activity provider com.android.externalstorage/.ExternalStorageProvider
++     * </pre>
++     */
+     @Override
+     public Path findDocumentPath(@Nullable String parentDocId, String childDocId)
+             throws FileNotFoundException {
+@@ -829,4 +848,8 @@ public class ExternalStorageProvider extends FileSystemProvider {
+     private static boolean equalIgnoringCase(@NonNull String a, @NonNull String b) {
+         return TextUtils.equals(a.toLowerCase(Locale.ROOT), b.toLowerCase(Locale.ROOT));
+     }
++
++    private static boolean equalIgnoringCase(@NonNull String a, @NonNull String b) {
++        return TextUtils.equals(a.toLowerCase(Locale.ROOT), b.toLowerCase(Locale.ROOT));
++    }
+ }
+-- 
+2.46.0
+
diff --git a/...minary/frameworks/base/99_0306-Resolve-cross-account-user-icon-validation-.bulletin.patch b/...minary/frameworks/base/99_0306-Resolve-cross-account-user-icon-validation-.bulletin.patch
@@ -0,0 +1,88 @@
+From 9654f5726275407dc30fddcaea3a08f8c8b7362e Mon Sep 17 00:00:00 2001
+From: Pranav Madapurmath <pmadapurmath@google.com>
+Date: Thu, 2 Jan 2025 14:58:50 -0800
+Subject: [PATCH] Resolve cross account user icon validation.
+
+Resolves a vulnerability found with the cross account user icon
+validation in StatusHint and TelecomServiceImpl (when registering a
+phone account). The reporter found that an uri formatted as `userId%`
+isn't parsed properly with the existing reference to Uri.encodedUserInfo.
+
+Bug: 376461551
+Bug: 376259166
+Flag: EXEMPT bugfix
+Test: atest TelecomServiceImplTest
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c28c4deeb27275c4fc68ea723202ed9faea9c265)
+Merged-In: I25614ead889501f4553ed2b42b366e09a47b0c9f
+Change-Id: I25614ead889501f4553ed2b42b366e09a47b0c9f
+---
+ .../java/android/telecom/StatusHints.java     | 34 +++++++++++++++----
+ 1 file changed, 28 insertions(+), 6 deletions(-)
+
+diff --git a/telecomm/java/android/telecom/StatusHints.java b/telecomm/java/android/telecom/StatusHints.java
+index b7346331dc60..907a4b2a7000 100644
+--- a/telecomm/java/android/telecom/StatusHints.java
++++ b/telecomm/java/android/telecom/StatusHints.java
+@@ -27,6 +27,7 @@ import android.os.Bundle;
+ import android.os.Parcel;
+ import android.os.Parcelable;
+ import android.os.UserHandle;
++import android.util.Log;
+
+ import com.android.internal.annotations.VisibleForTesting;
+
+@@ -40,6 +41,7 @@ public final class StatusHints implements Parcelable {
+     private final CharSequence mLabel;
+     private Icon mIcon;
+     private final Bundle mExtras;
++    private static final String TAG = StatusHints.class.getSimpleName();
+
+     /**
+      * @hide
+@@ -150,17 +152,37 @@ public final class StatusHints implements Parcelable {
+         // incompatible types.
+         if (icon != null && (icon.getType() == Icon.TYPE_URI
+                 || icon.getType() == Icon.TYPE_URI_ADAPTIVE_BITMAP)) {
+-            String encodedUser = icon.getUri().getEncodedUserInfo();
+-            // If there is no encoded user, the URI is calling into the calling user space
+-            if (encodedUser != null) {
+-                int userId = Integer.parseInt(encodedUser);
+-                // Do not try to save the icon if the user id isn't in the calling user space.
+-                if (userId != callingUserHandle.getIdentifier()) return null;
++            int callingUserId = callingUserHandle.getIdentifier();
++            int requestingUserId = getUserIdFromAuthority(
++                    icon.getUri().getAuthority(), callingUserId);
++            if (callingUserId != requestingUserId) {
++                return null;
+             }
++
+         }
+         return icon;
+     }
+
++    /**
++     * Derives the user id from the authority or the default user id if none could be found.
++     * @param auth
++     * @param defaultUserId
++     * @return The user id from the given authority.
++     * @hide
++     */
++    public static int getUserIdFromAuthority(String auth, int defaultUserId) {
++        if (auth == null) return defaultUserId;
++        int end = auth.lastIndexOf('@');
++        if (end == -1) return defaultUserId;
++        String userIdString = auth.substring(0, end);
++        try {
++            return Integer.parseInt(userIdString);
++        } catch (NumberFormatException e) {
++            Log.w(TAG, "Error parsing userId." + e);
++            return UserHandle.USER_NULL;
++        }
++    }
++
+     @Override
+     public void writeToParcel(Parcel out, int flags) {
+         out.writeCharSequence(mLabel);
+-- 
+2.48.1.262.g85cc9f2d1e-goog
+
diff --git a/.../base/99_0308-Check-account-type-returned-by-AbstractAccountAuthenticator-.bulletin.patch b/.../base/99_0308-Check-account-type-returned-by-AbstractAccountAuthenticator-.bulletin.patch
@@ -0,0 +1,41 @@
+From 4b99ccbe8fe9b7ad8f187a3175e0b38976f8b0c8 Mon Sep 17 00:00:00 2001
+From: Dmitry Dementyev <dementyev@google.com>
+Date: Thu, 19 Dec 2024 11:02:42 -0800
+Subject: [PATCH] Check account type returned by AbstractAccountAuthenticator.
+
+AccountManagerService already knows which account is used during
+AbstractAccountAuthenticator.getAuthToken.
+
+KEY_ACCOUNT_NAME and KEY_ACCOUNT_TYPE in the response look unnecessary,
+but we can't change API at this moment.
+
+Bug: 364269936
+Test: manual
+Flag: EXEMPT bugfix
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:7b3d13643fdbad661f7a388188b1b7e74dffe03f)
+Merged-In: Ifc62866f4feaca43abc32bc542b97f3741953f56
+Change-Id: Ifc62866f4feaca43abc32bc542b97f3741953f56
+---
+ .../com/android/server/accounts/AccountManagerService.java  | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/services/core/java/com/android/server/accounts/AccountManagerService.java b/services/core/java/com/android/server/accounts/AccountManagerService.java
+index 5f434ee267d4..5b83a02de8b2 100644
+--- a/services/core/java/com/android/server/accounts/AccountManagerService.java
++++ b/services/core/java/com/android/server/accounts/AccountManagerService.java
+@@ -3070,6 +3070,12 @@ public class AccountManagerService
+                                         "the type and name should not be empty");
+                                 return;
+                             }
++                            if (!type.equals(mAccountType)) {
++                                onError(AccountManager.ERROR_CODE_INVALID_RESPONSE,
++                                        "incorrect account type");
++                                return;
++                            }
++
+                             Account resultAccount = new Account(name, type);
+                             if (!customTokens) {
+                                 saveAuthTokenToDatabase(
+-- 
+2.48.1.262.g85cc9f2d1e-goog
+