Security Patches :D#1

Open
Megh-Rana wants to merge 14 commits into
Corvus-AOSP:11from
CorvusOS-Revived:11
Open

Security Patches :D#1
Megh-Rana wants to merge 14 commits into
Corvus-AOSP:11from
CorvusOS-Revived:11

Conversation

@Megh-Rana

No description provided.

AquilesCanta and others added 14 commits May 17, 2023 14:30
Original change: https://googleplex-android-review.googlesource.com/c/platform/frameworks/av/+/15747591

Bug: 201632451
Bug: 188893559
Change-Id: Ie775311a46cb1ddddd30e8cfa882d549b9ddfd05
Merged-In: I31f2b9a4f1b561c4466c76ea2af8dd532622102a
(cherry picked from commit 3c5de13)

outputFrameSize, calOutSize and outSize are calculated at the 8-bit level.
However, the library expects outputFrameSize in int16 samples.
One of the initializations of outputFrameSize was in bytes.
This is now corrected.

Test: clusterfuzz generated poc in bug
Test: atest android.mediav2.cts.CodecDecoderTest
Test: atest VtsHalMediaC2V1_0TargetAudioDecTest

Bug: 193363621

Change-Id: Iac62c4e9d77e7f95f2c692f5ea236e7a5c536dcb
(cherry picked from commit dc32721)

doRead() doesn't handle situations when the received bytes do not fit into the
input buffer in case of vorbis audio compression. It results in an OOB
write in heap memory right after the allocated input buffer. Added
code to copy kKeyValidSamples only if there was enough space.
Otherwise, print a warning log.

Bug: 194105348

Test: post-submit media cts tests
Change-Id: I2b27580deff9ad937b68703a1e7c3ff2a6dccc60
(cherry picked from commit a625b40)
(cherry picked from commit f3590a1)
Merged-In: I2b27580deff9ad937b68703a1e7c3ff2a6dccc60
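
The commit message above describes the defensive pattern of copying a trailing field into a fixed-capacity input buffer only when it fits, and logging a warning otherwise. The following is an added illustration of that pattern, not the frameworks/av code from this PR; `InputBuffer`, `appendIfFits` and `readPacketWithValidSamples` are hypothetical names, and the 12-byte packet and the 32-bit "valid samples" field are constructed sample input.

```cpp
// Added example (not code from the PR): copy into a fixed-capacity input
// buffer only when the bytes fit. Names here are hypothetical.
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

struct InputBuffer {
    std::vector<uint8_t> data;  // backing storage; its size is the fixed capacity
    size_t used = 0;            // bytes already filled

    explicit InputBuffer(size_t capacity) : data(capacity) {}
    size_t capacity() const { return data.size(); }
    size_t remaining() const { return capacity() - used; }
};

// Appends `len` bytes of `src` to `buf`. Returns true on success. If the
// bytes do not fit, nothing is written (no write past the allocation) and a
// warning is logged; the caller decides whether to drop the field or fail.
bool appendIfFits(InputBuffer& buf, const uint8_t* src, size_t len, const char* what) {
    if (len > buf.remaining()) {
        std::fprintf(stderr, "W: not enough space for %s: need %zu, have %zu\n",
                     what, len, buf.remaining());
        return false;
    }
    std::memcpy(buf.data.data() + buf.used, src, len);
    buf.used += len;
    return true;
}

struct ReadResult {
    bool packetOk;        // compressed packet copied
    bool validSamplesOk;  // trailing "valid samples" field copied
    size_t bytesUsed;     // final fill level of the buffer
};

// Models one read: the compressed packet followed by an optional trailing
// 32-bit "valid samples" count, each copied only if there is room.
ReadResult readPacketWithValidSamples(size_t capacity,
                                      const std::vector<uint8_t>& packet,
                                      int32_t validSamples) {
    InputBuffer buf(capacity);
    ReadResult r{};
    r.packetOk = appendIfFits(buf, packet.data(), packet.size(), "packet");
    uint8_t tail[sizeof(validSamples)];
    std::memcpy(tail, &validSamples, sizeof(tail));
    r.validSamplesOk = appendIfFits(buf, tail, sizeof(tail), "kKeyValidSamples");
    r.bytesUsed = buf.used;
    return r;
}

int main() {
    std::vector<uint8_t> pkt(12, 0xAB);  // constructed 12-byte packet
    ReadResult a = readPacketWithValidSamples(16, pkt, 100);  // fits exactly
    ReadResult b = readPacketWithValidSamples(14, pkt, 100);  // 2 bytes short
    std::printf("a: packet=%d valid=%d used=%zu\n", a.packetOk, a.validSamplesOk, a.bytesUsed);
    std::printf("b: packet=%d valid=%d used=%zu\n", b.packetOk, b.validSamplesOk, b.bytesUsed);
    return 0;
}
```

With a 14-byte buffer the packet is copied but the 4-byte trailing field is refused, so the buffer ends at 12 bytes used instead of being overrun by 2.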

Fixes end-of-buffer detection. Adds buffer-was-empty detection.

Bug: 204445255
Test: ran poc from bug
Change-Id: I42117ce1455d1cac2bd43f16d67d77ec436b0fe2
(cherry picked from commit b51ed96)
(cherry picked from commit 190e909)
Merged-In: I42117ce1455d1cac2bd43f16d67d77ec436b0fe2

Bug: 204445255
Test: poc from original bug
Change-Id: I569477d0771e1c03318df9ef271cf3201d472c99
(cherry picked from commit 94e58d6)
Merged-In: I569477d0771e1c03318df9ef271cf3201d472c99

Use mutex to prevent multiple threads accessing the same member of
mMappings list at the same time.

Bug: 193790350

Test: adb shell UBSAN_OPTIONS=print_stacktrace=1 /data/local/tmp/C2FuzzerMp3Dec -rss_limit_mb=2560 -timeout=90 -runs=100 /data/local/tmp/clusterfuzz-testcase-minimized-C2FuzzerMp3Dec-5713156165206016
Change-Id: I24e53629d5a6dfad22b84dd2278eb1a288c9ab35
Merged-In: I24e53629d5a6dfad22b84dd2278eb1a288c9ab35
(cherry picked from commit 9d2295f)
(cherry picked from commit 416da6e)
Merged-In: I24e53629d5a6dfad22b84dd2278eb1a288c9ab35

Bug: 215002587
Test: POC described in bug
Change-Id: I92f8fdfe860cb360fb0ae099db3c92776ba7390f
(cherry picked from commit e89e632)
(cherry picked from commit 616bd34)
Merged-In: I92f8fdfe860cb360fb0ae099db3c92776ba7390f

Bug: 230493653
Change-Id: Ieca5a5390d3cf73fff6aa552d065363d84e1ccc2
Merged-In: Ieca5a5390d3cf73fff6aa552d065363d84e1ccc2
Test: See bug for PoC.
(cherry picked from commit 306aad773337f228bffcf5bf07a3e6663226f42c)
(cherry picked from commit 9d33304)
Merged-In: Ieca5a5390d3cf73fff6aa552d065363d84e1ccc2

Fixing vulnerability in extract3GGPGlobalDescriptions() in
TextDescriptions.cpp

Bug: 233735886
Test: Run related PoC. See bug.
Change-Id: I87955b911d0a40390755321d332a11ecc9b20354
(cherry picked from commit b63d4e7)
Merged-In: I87955b911d0a40390755321d332a11ecc9b20354

When starting an MMAP input stream, APM will check if the client is allowed
to capture at that moment or not and call setRecordSilenced if the
client is not allowed. However, the client is not active when starting
the MMAP input stream. In that case, the client silenced state will be
lost and the client will be able to capture even though it is not
allowed. In this CL, when setRecordSilenced is called, it will cache
the client silenced state so that it can apply when the client is
active.

Test: atest AAudioTests
Test: repro steps from the bug
Bug: 235850634
Change-Id: I49b5a0f08d1747053f868db6e88c0f677256fc3c
Merged-In: I49b5a0f08d1747053f868db6e88c0f677256fc3c
(cherry picked from commit 0960903b2fee5d1d449ffcd598e0b5d3a945d99a)
(cherry picked from commit a2f00f9)
Merged-In: I49b5a0f08d1747053f868db6e88c0f677256fc3c
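
The commit message above describes a state-handling bug: a silenced decision taken while the client is not yet active is lost, and the fix is to cache it and apply it once the client becomes active. The following is an added illustration of that logic in miniature, not the audio policy or AAudio code from this PR; `BuggyMmapClient`, `FixedMmapClient` and their methods are hypothetical names, with the buggy class kept alongside the fixed one for comparison.

```cpp
// Added example (not code from the PR): why a silenced state set while a
// client is inactive must be cached. Class and method names are hypothetical.
#include <cstdio>

// Pre-fix behaviour: setRecordSilenced only acts on an active client, so a
// decision made while the MMAP stream is still starting is dropped.
class BuggyMmapClient {
public:
    void setActive(bool active) { mActive = active; }
    void setRecordSilenced(bool silenced) {
        if (mActive) mStreamSilenced = silenced;  // lost when inactive
    }
    bool isCapturingAudio() const { return mActive && !mStreamSilenced; }
private:
    bool mActive = false;
    bool mStreamSilenced = false;
};

// Fixed behaviour: remember the most recent decision and apply it when the
// client transitions to active.
class FixedMmapClient {
public:
    void setActive(bool active) {
        mActive = active;
        if (active) mStreamSilenced = mCachedSilenced;  // apply cached state
    }
    void setRecordSilenced(bool silenced) {
        mCachedSilenced = silenced;
        if (mActive) mStreamSilenced = silenced;
    }
    bool isCapturingAudio() const { return mActive && !mStreamSilenced; }
private:
    bool mActive = false;
    bool mStreamSilenced = false;
    bool mCachedSilenced = false;
};

// Scenario from the commit message: policy silences the client during start
// (client not yet active), then the client becomes active. Returns true if
// the client ends up capturing, i.e. the policy decision was bypassed.
template <typename Client>
bool capturesAfterSilencedDuringStart() {
    Client c;
    c.setRecordSilenced(true);  // policy: capture not allowed right now
    c.setActive(true);          // stream start completes
    return c.isCapturingAudio();
}

// Control case: a client the policy allows still captures once active.
template <typename Client>
bool capturesWhenAllowed() {
    Client c;
    c.setRecordSilenced(false);
    c.setActive(true);
    return c.isCapturingAudio();
}

int main() {
    std::printf("buggy client bypasses policy: %d\n",
                capturesAfterSilencedDuringStart<BuggyMmapClient>());
    std::printf("fixed client bypasses policy: %d\n",
                capturesAfterSilencedDuringStart<FixedMmapClient>());
    return 0;
}
```

The control case matters as much as the failing one: caching must not make an allowed client silent, so the fixed class applies the cached value unchanged rather than defaulting to silenced.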

Potential race condition in clearkey setSecurityLevel.

POC test in http://go/ag/19083795

Test: sts-tradefed run sts-dynamic-develop -m StsHostTestCases -t android.security.sts.CVE_2022_2209#testPocCVE_2022_2209

Bug: 235601882
Change-Id: I6447fb539ef0cb395772c61e6f3e1504ccde331b
Merged-In: I2e2084e85fe45d7d7f958c59b0063a477c7d24bf
(cherry picked from commit d37b69272aa68a92357baa95d0eb87012666a90b)
Merged-In: I6447fb539ef0cb395772c61e6f3e1504ccde331b

Consolidate to avoid concurrency/mutex problems.

Bug: 256087846
Bug: 245860753
Test: atest CtsMediaV2TestCases
Test: atest CtsMediaCodecTestCases
Merged-In: Ie77f0028cab8091edd97d3a60ad4c80da3092cfe
Merged-In: I56eceb6b12ce14348d3f9f2944968e70c6086aa8
Merged-In: I94b0a2ac029dc0b90a93e9ed844768e9da5259b9
Change-Id: I739248436a4801a4b9a96395f481640f2956cedf
(cherry picked from commit 49e842e70836bbd58970beefac9c7b6bfe6a124b)
Merged-In: I739248436a4801a4b9a96395f481640f2956cedf

readSampleData() did not initialize buffer before filling it,
leading to OOB memory references. Correct and clarify the
bookkeeping around output buffer management.

Bug: 275418191
Test: CtsMediaExtractorTestCases w/debug messages
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:943fc12219b21d2a98f0ddc070b9b316a6f5d412)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:84c69bca81175feb2fd97ebb22e432ee41572786)
Merged-In: Ie744f118526f100d82a312c64f7c6fcf20773b6d
Change-Id: Ie744f118526f100d82a312c64f7c6fcf20773b6d

The error is thrown when the destructor tries to free pointer memory.
This is happening for cases where the pointer was not initialized. Initializing it to a default value fixes the error.

Bug: 245135112
Test: Build mtp_host_property_fuzzer and run on the target device
(cherry picked from commit 3afa6e80e8568fe63f893fa354bc79ef91d3dcc0)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d44311374e41a26b28db56794c9a7890a13a6972)
Merged-In: I255cd68b7641e96ac47ab81479b9b46b78c15580
Change-Id: I255cd68b7641e96ac47ab81479b9b46b78c15580

6 participants