projectceladon · AlamIntel · Sep 10, 2025
diff --git a/aosp_diff/preliminary/frameworks/base/0046-Remove-flag-fixAvatarCrossUserLeak.bulletin.patch b/aosp_diff/preliminary/frameworks/base/0046-Remove-flag-fixAvatarCrossUserLeak.bulletin.patch
@@ -0,0 +1,41 @@
+From 2b4d662a462c6b0269a6e6035ce443ec29fd860e Mon Sep 17 00:00:00 2001
+From: Anna Bauza <annabauza@google.com>
+Date: Tue, 26 Nov 2024 20:13:07 +0000
+Subject: [PATCH] Remove flag fixAvatarCrossUserLeak
+
+Remove flag since this is a security fix and missing the flag on security branch is causing build failure.
+
+Bug: 341688848
+Test: N/A
+Flag: EXEMPT bugfix
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:2ab1084a748a2303289624e6063d2c60d10ec922)
+Merged-In: I7d92e0bdb750a5e0a81e9bfd03ea50686c82f6e0
+Change-Id: I7d92e0bdb750a5e0a81e9bfd03ea50686c82f6e0
+---
+ .../settingslib/users/EditUserPhotoController.java     | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/packages/SettingsLib/src/com/android/settingslib/users/EditUserPhotoController.java b/packages/SettingsLib/src/com/android/settingslib/users/EditUserPhotoController.java
+index f38e91ac0d8a..0143e5ebf116 100644
+--- a/packages/SettingsLib/src/com/android/settingslib/users/EditUserPhotoController.java
++++ b/packages/SettingsLib/src/com/android/settingslib/users/EditUserPhotoController.java
+@@ -134,12 +134,10 @@ public class EditUserPhotoController {
+         if (Flags.avatarSync()) {
+             intent.putExtra(EXTRA_IS_USER_NEW, isUserNew);
+             // Fix vulnerability b/341688848 by explicitly set the class name of avatar picker.
+-            if (Flags.fixAvatarCrossUserLeak()) {
+-                final String packageName =
+-                        mActivity.getString(R.string.config_avatar_picker_package);
+-                final String className = mActivity.getString(R.string.config_avatar_picker_class);
+-                intent.setClassName(packageName, className);
+-            }
++            final String packageName =
++                    mActivity.getString(R.string.config_avatar_picker_package);
++            final String className = mActivity.getString(R.string.config_avatar_picker_class);
++            intent.setClassName(packageName, className);
+         } else {
+             // SettingsLib is used by multiple apps therefore we need to know out of all apps
+             // using settingsLib which one is the one we return value to.
+-- 
+2.48.1.262.g85cc9f2d1e-goog
+
diff --git a/...base/0047-Verify-that-the-caller-has-permissions-for-the-icons-it-provided.bulletin.patch b/...base/0047-Verify-that-the-caller-has-permissions-for-the-icons-it-provided.bulletin.patch
@@ -0,0 +1,115 @@
+From ee65c97e3a19224548376ca2b7bd93fe366e94e8 Mon Sep 17 00:00:00 2001
+From: Andrey Yepin <ayepin@google.com>
+Date: Mon, 9 Dec 2024 21:34:17 -0800
+Subject: [PATCH] Verify that the caller has permissions for the icons it
+ provided.
+
+Bug: 277207798
+Test: manual testing: first reroduce the issue as described in the
+ ticket then check that it is not reproduceable after the fix.
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:bad47a2280c7107e1213f4adc5a3825a62698d00)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c108d3866a3e6b1d7780325d862f20450a36d573)
+Merged-In: I08992550507572a4878c501184360a58adef53ad
+Change-Id: I08992550507572a4878c501184360a58adef53ad
+---
+ .../android/internal/app/ChooserActivity.java | 50 ++++++++++++++++++-
+ 1 file changed, 49 insertions(+), 1 deletion(-)
+
+diff --git a/core/java/com/android/internal/app/ChooserActivity.java b/core/java/com/android/internal/app/ChooserActivity.java
+index ab456a84d9ad..3911777912ca 100644
+--- a/core/java/com/android/internal/app/ChooserActivity.java
++++ b/core/java/com/android/internal/app/ChooserActivity.java
+@@ -21,6 +21,7 @@ import static android.app.admin.DevicePolicyResources.Strings.Core.RESOLVER_CANT
+ import static android.app.admin.DevicePolicyResources.Strings.Core.RESOLVER_CANT_SHARE_WITH_PERSONAL;
+ import static android.app.admin.DevicePolicyResources.Strings.Core.RESOLVER_CANT_SHARE_WITH_WORK;
+ import static android.app.admin.DevicePolicyResources.Strings.Core.RESOLVER_CROSS_PROFILE_BLOCKED_TITLE;
++import static android.content.ContentProvider.getUriWithoutUserId;
+ import static android.content.ContentProvider.getUserIdFromUri;
+ import static android.stats.devicepolicy.DevicePolicyEnums.RESOLVER_EMPTY_STATE_NO_SHARING_TO_PERSONAL;
+ import static android.stats.devicepolicy.DevicePolicyEnums.RESOLVER_EMPTY_STATE_NO_SHARING_TO_WORK;
+@@ -40,7 +41,9 @@ import android.annotation.Nullable;
+ import android.app.Activity;
+ import android.app.ActivityManager;
+ import android.app.ActivityOptions;
++import android.app.IUriGrantsManager;
+ import android.app.SharedElementCallback;
++import android.app.UriGrantsManager;
+ import android.app.prediction.AppPredictionContext;
+ import android.app.prediction.AppPredictionManager;
+ import android.app.prediction.AppPredictor;
+@@ -77,6 +80,7 @@ import android.graphics.Paint;
+ import android.graphics.Path;
+ import android.graphics.drawable.AnimatedVectorDrawable;
+ import android.graphics.drawable.Drawable;
++import android.graphics.drawable.Icon;
+ import android.metrics.LogMaker;
+ import android.net.Uri;
+ import android.os.AsyncTask;
+@@ -86,6 +90,7 @@ import android.os.Handler;
+ import android.os.Message;
+ import android.os.Parcelable;
+ import android.os.PatternMatcher;
++import android.os.RemoteException;
+ import android.os.ResultReceiver;
+ import android.os.UserHandle;
+ import android.os.UserManager;
+@@ -684,7 +689,11 @@ public class ChooserActivity extends ResolverActivity implements
+                     targets = null;
+                     break;
+                 }
+-                targets[i] = (ChooserTarget) pa[i];
++                ChooserTarget chooserTarget = (ChooserTarget) pa[i];
++                if (!hasValidIcon(chooserTarget)) {
++                    chooserTarget = removeIcon(chooserTarget);
++                }
++                targets[i] = chooserTarget;
+             }
+             mCallerChooserTargets = targets;
+         }
+@@ -4206,4 +4215,43 @@ public class ChooserActivity extends ResolverActivity implements
+     private boolean shouldNearbyShareBeIncludedAsActionButton() {
+         return !shouldNearbyShareBeFirstInRankedRow();
+     }
++
++    private boolean hasValidIcon(ChooserTarget target) {
++        Icon icon = target.getIcon();
++        if (icon == null) {
++            return true;
++        }
++        if (icon.getType() == Icon.TYPE_URI || icon.getType() == Icon.TYPE_URI_ADAPTIVE_BITMAP) {
++            Uri uri = icon.getUri();
++            try {
++                getUriGrantsManager().checkGrantUriPermission_ignoreNonSystem(
++                        getLaunchedFromUid(),
++                        getPackageName(),
++                        getUriWithoutUserId(uri),
++                        Intent.FLAG_GRANT_READ_URI_PERMISSION,
++                        getUserIdFromUri(uri)
++                );
++            } catch (SecurityException | RemoteException e) {
++                Log.e(TAG, "Failed to get URI permission for: " + uri, e);
++                return false;
++            }
++        }
++        return true;
++    }
++
++    private IUriGrantsManager getUriGrantsManager() {
++        return UriGrantsManager.getService();
++    }
++
++    private static ChooserTarget removeIcon(ChooserTarget target) {
++        if (target == null) {
++            return null;
++        }
++        return new ChooserTarget(
++                target.getTitle(),
++                null,
++                target.getScore(),
++                target.getComponentName(),
++                target.getIntentExtras());
++    }
+ }
+-- 
+2.48.1.262.g85cc9f2d1e-goog
+
diff --git a/...eliminary/frameworks/base/0048-Fix-Block-opening-settings-app-on-keyguard-without-u.patch b/...eliminary/frameworks/base/0048-Fix-Block-opening-settings-app-on-keyguard-without-u.patch
@@ -0,0 +1,32 @@
+From 98a78553442199cc8601d6446081619be1471ac4 Mon Sep 17 00:00:00 2001
+From: Vaibhav Devmurari <vdevmurari@google.com>
+Date: Mon, 9 Dec 2024 13:15:03 +0000
+Subject: [PATCH] Fix: Block opening settings app on keyguard without user auth
+
+Test: atest KeyGestureEventTests
+Bug: 378900798
+Flag: EXEMPT bugfix
+(cherry picked from commit d615298466085c4a88c6733804160e0c1ee7e31e)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:e4d483a2ef99a71c6fcd6ad2e6c2f8f88ba380f4)
+Merged-In: I89d43872108710d20e0c4ef7e652d389896155d7
+Change-Id: I89d43872108710d20e0c4ef7e652d389896155d7
+---
+ .../core/java/com/android/server/policy/PhoneWindowManager.java | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/services/core/java/com/android/server/policy/PhoneWindowManager.java b/services/core/java/com/android/server/policy/PhoneWindowManager.java
+index f1a481155458..23b448b064c4 100644
+--- a/services/core/java/com/android/server/policy/PhoneWindowManager.java
++++ b/services/core/java/com/android/server/policy/PhoneWindowManager.java
+@@ -3576,7 +3576,7 @@ public class PhoneWindowManager implements WindowManagerPolicy {
+                 }
+                 break;
+             case KeyEvent.KEYCODE_I:
+-                if (firstDown && event.isMetaPressed()) {
++                if (firstDown && event.isMetaPressed() && isUserSetupComplete() && !keyguardOn) {
+                     showSystemSettings();
+                     notifyKeyGestureCompleted(event,
+                             KeyGestureEvent.KEY_GESTURE_TYPE_LAUNCH_SYSTEM_SETTINGS);
+-- 
+2.34.1
+
diff --git a/..._diff/preliminary/frameworks/base/0049-BaseBundle-fix-unparcel-error-logic.bulletin.patch b/..._diff/preliminary/frameworks/base/0049-BaseBundle-fix-unparcel-error-logic.bulletin.patch
@@ -0,0 +1,99 @@
+From 567af706fd9db016b0b7a7c4ffc5e2b2fd3bbb5f Mon Sep 17 00:00:00 2001
+From: Steven Moreland <smoreland@google.com>
+Date: Tue, 10 Dec 2024 21:54:36 +0000
+Subject: [PATCH] BaseBundle: fix unparcel error logic
+
+This code considered a success case to be an unsuccessful
+case.
+
+Bug: 373357090
+Test: repro in bug no longer works
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:86cfb77a4664110c44ea147e8457a65e69e6d5d9)
+Merged-In: Id423936872cbb0e0265ccf2855092357cb175d47
+Change-Id: Id423936872cbb0e0265ccf2855092357cb175d47
+---
+ core/java/android/os/BaseBundle.java | 10 +++++-----
+ core/java/android/os/Parcel.java     | 12 +++++-------
+ 2 files changed, 10 insertions(+), 12 deletions(-)
+
+diff --git a/core/java/android/os/BaseBundle.java b/core/java/android/os/BaseBundle.java
+index 49ab15a40a8e..36a1c1b08289 100644
+--- a/core/java/android/os/BaseBundle.java
++++ b/core/java/android/os/BaseBundle.java
+@@ -471,10 +471,10 @@ public class BaseBundle {
+             map.erase();
+             map.ensureCapacity(count);
+         }
+-        int numLazyValues = 0;
++        int[] numLazyValues = new int[]{0};
+         try {
+-            numLazyValues = parcelledData.readArrayMap(map, count, !parcelledByNative,
+-                    /* lazy */ ownsParcel, mClassLoader);
++            parcelledData.readArrayMap(map, count, !parcelledByNative,
++                    /* lazy */ ownsParcel, mClassLoader, numLazyValues);
+         } catch (BadParcelableException e) {
+             if (sShouldDefuse) {
+                 Log.w(TAG, "Failed to parse Bundle, but defusing quietly", e);
+@@ -485,14 +485,14 @@ public class BaseBundle {
+         } finally {
+             mWeakParcelledData = null;
+             if (ownsParcel) {
+-                if (numLazyValues == 0) {
++                if (numLazyValues[0] == 0) {
+                     recycleParcel(parcelledData);
+                 } else {
+                     mWeakParcelledData = new WeakReference<>(parcelledData);
+                 }
+             }
+
+-            mLazyValues = numLazyValues;
++            mLazyValues = numLazyValues[0];
+             mParcelledByNative = false;
+             mMap = map;
+             // Set field last as it is volatile
+diff --git a/core/java/android/os/Parcel.java b/core/java/android/os/Parcel.java
+index 136c45d1695f..b6eac10413aa 100644
+--- a/core/java/android/os/Parcel.java
++++ b/core/java/android/os/Parcel.java
+@@ -5519,7 +5519,7 @@ public final class Parcel {
+
+     private void readArrayMapInternal(@NonNull ArrayMap<? super String, Object> outVal,
+             int size, @Nullable ClassLoader loader) {
+-        readArrayMap(outVal, size, /* sorted */ true, /* lazy */ false, loader);
++        readArrayMap(outVal, size, /* sorted */ true, /* lazy */ false, loader, null);
+     }
+
+     /**
+@@ -5529,17 +5529,16 @@ public final class Parcel {
+      * @param lazy   Whether to populate the map with lazy {@link Function} objects for
+      *               length-prefixed values. See {@link Parcel#readLazyValue(ClassLoader)} for more
+      *               details.
+-     * @return a count of the lazy values in the map
++     * @param lazyValueCount number of lazy values added here
+      * @hide
+      */
+-    int readArrayMap(ArrayMap<? super String, Object> map, int size, boolean sorted,
+-            boolean lazy, @Nullable ClassLoader loader) {
+-        int lazyValues = 0;
++    void readArrayMap(ArrayMap<? super String, Object> map, int size, boolean sorted,
++            boolean lazy, @Nullable ClassLoader loader, int[] lazyValueCount) {
+         while (size > 0) {
+             String key = readString();
+             Object value = (lazy) ? readLazyValue(loader) : readValue(loader);
+             if (value instanceof LazyValue) {
+-                lazyValues++;
++                lazyValueCount[0]++;
+             }
+             if (sorted) {
+                 map.append(key, value);
+@@ -5551,7 +5550,6 @@ public final class Parcel {
+         if (sorted) {
+             map.validate();
+         }
+-        return lazyValues;
+     }
+
+     /**
+-- 
+2.48.1.262.g85cc9f2d1e-goog
+
diff --git a/...ry/frameworks/base/0050-Check-underlying-intent-as-well-as-intent-selector.bulletin.patch b/...ry/frameworks/base/0050-Check-underlying-intent-as-well-as-intent-selector.bulletin.patch
@@ -0,0 +1,72 @@
+From 8612a293fb4ae27225454db9463f38a925cd4d46 Mon Sep 17 00:00:00 2001
+From: oli <olit@google.com>
+Date: Tue, 28 Jan 2025 16:28:31 +0000
+Subject: [PATCH] Check underlying intent as well as intent selector
+
+When checking if an intent can be forwarded across profiles, the
+selector action is checked rather than the intent itself.
+This means badIntents can be spoofed with a different selector and
+launched across profiles.
+
+Bug: 376674080
+Test: manually tested
+Flag: EXEMPT bugfix
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:fc28861349e0113f807016501da3e1fd963b59fa)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:dc7e4fffc58d535c6eaba6c382c8c89e35136389)
+Merged-In: If04e1020fc5a09f04630ba08d7e3b3012f2aa577
+Change-Id: If04e1020fc5a09f04630ba08d7e3b3012f2aa577
+---
+ .../internal/app/IntentForwarderActivity.java | 27 +++++++++++++------
+ 1 file changed, 19 insertions(+), 8 deletions(-)
+
+diff --git a/core/java/com/android/internal/app/IntentForwarderActivity.java b/core/java/com/android/internal/app/IntentForwarderActivity.java
+index d72207d9b9ef..a1bb325534dd 100644
+--- a/core/java/com/android/internal/app/IntentForwarderActivity.java
++++ b/core/java/com/android/internal/app/IntentForwarderActivity.java
+@@ -586,24 +586,35 @@ public class IntentForwarderActivity extends Activity  {
+                 Intent.FLAG_ACTIVITY_FORWARD_RESULT | Intent.FLAG_ACTIVITY_PREVIOUS_IS_TOP);
+         sanitizeIntent(forwardIntent);
+
+-        Intent intentToCheck = forwardIntent;
+-        if (Intent.ACTION_CHOOSER.equals(forwardIntent.getAction())) {
++        if (!canForwardInner(forwardIntent, sourceUserId, targetUserId, packageManager,
++                contentResolver)) {
+             return null;
+         }
+         if (forwardIntent.getSelector() != null) {
+-            intentToCheck = forwardIntent.getSelector();
++            sanitizeIntent(forwardIntent.getSelector());
++            if (!canForwardInner(forwardIntent.getSelector(), sourceUserId, targetUserId,
++                    packageManager, contentResolver)) {
++                return null;
++            }
++        }
++        return forwardIntent;
++    }
++
++    private static boolean canForwardInner(Intent intent, int sourceUserId, int targetUserId,
++            IPackageManager packageManager, ContentResolver contentResolver) {
++        if (Intent.ACTION_CHOOSER.equals(intent.getAction())) {
++            return false;
+         }
+-        String resolvedType = intentToCheck.resolveTypeIfNeeded(contentResolver);
+-        sanitizeIntent(intentToCheck);
++        String resolvedType = intent.resolveTypeIfNeeded(contentResolver);
+         try {
+             if (packageManager.canForwardTo(
+-                    intentToCheck, resolvedType, sourceUserId, targetUserId)) {
+-                return forwardIntent;
++                    intent, resolvedType, sourceUserId, targetUserId)) {
++                return true;
+             }
+         } catch (RemoteException e) {
+             Slog.e(TAG, "PackageManagerService is dead?");
+         }
+-        return null;
++        return false;
+     }
+
+     /**
+-- 
+2.48.1.262.g85cc9f2d1e-goog
+