ASB FEB 2025 Security Patches integration

Integrating Google Android Security Bulletin Patches.

Test done: STS r35 TCs Passed

Tracked-On: OAM-129794
Signed-off-by: Alam, Sahibex <[email protected]>

aosp_diff/preliminary/build/make/0004-Update-security_patch_level-string.patch

@@ -20,7 +20,7 @@ index 419ff1aadc..fbbe777754 100644
      #  It must match one of the Android Security Patch Level strings of the Public Security Bulletins.
      #  If there is no $PLATFORM_SECURITY_PATCH set, keep it empty.
 -    PLATFORM_SECURITY_PATCH := 2023-05-05
-+    PLATFORM_SECURITY_PATCH := 2025-01-01
++    PLATFORM_SECURITY_PATCH := 2025-02-01
  endif
 
  include $(BUILD_SYSTEM)/version_util.mk

aosp_diff/preliminary/frameworks/base/99_0233-Enforce-hard-limits-on-hosts-per-package-and-widgets-per-host-.bulletin.patch

@@ -0,0 +1,106 @@
+From 4543fc6a902e057864ffabb7b2f5a63760c58747 Mon Sep 17 00:00:00 2001
+From: Pinyao Ting <[email protected]>
+Date: Tue, 20 Aug 2024 21:17:13 +0000
+Subject: [PATCH] Enforce hard limits on hosts per package and widgets per
+ host.
+
+Bug: 353240784
+Test: manually verified with PoC app that at most 20 hosts can exists
+Flag: EXEMPT CVE
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c30c8a6956e275821ca328dcf404c5d63286326b)
+Merged-In: I60ee7faf57ed719f93cafad212fef24964dec99f
+Change-Id: I60ee7faf57ed719f93cafad212fef24964dec99f
+---
+ .../appwidget/AppWidgetServiceImpl.java       | 50 ++++++++++++++++++-
+ 1 file changed, 49 insertions(+), 1 deletion(-)
+
+diff --git a/services/appwidget/java/com/android/server/appwidget/AppWidgetServiceImpl.java b/services/appwidget/java/com/android/server/appwidget/AppWidgetServiceImpl.java
+index 4a7f378b2f43..8b9bb592067c 100644
+--- a/services/appwidget/java/com/android/server/appwidget/AppWidgetServiceImpl.java
++++ b/services/appwidget/java/com/android/server/appwidget/AppWidgetServiceImpl.java
+@@ -177,6 +177,15 @@ class AppWidgetServiceImpl extends IAppWidgetService.Stub implements WidgetBacku
+     // used to verify which request has successfully been received by the host.
+     private static final AtomicLong UPDATE_COUNTER = new AtomicLong();
+
++    // Hard limit of number of hosts an app can create, note that the app that hosts the widgets
++    // can have multiple instances of {@link AppWidgetHost}, typically in respect to different
++    // surfaces in the host app.
++    // @see AppWidgetHost
++    // @see AppWidgetHost#mHostId
++    private static final int MAX_NUMBER_OF_HOSTS_PER_PACKAGE = 20;
++    // Hard limit of number of widgets can be pinned by a host.
++    private static final int MAX_NUMBER_OF_WIDGETS_PER_HOST = 200;
++
+     private final BroadcastReceiver mBroadcastReceiver = new BroadcastReceiver() {
+         @Override
+         public void onReceive(Context context, Intent intent) {
+@@ -1720,7 +1729,7 @@ class AppWidgetServiceImpl extends IAppWidgetService.Stub implements WidgetBacku
+         if (host != null) {
+             return host;
+         }
+-
++        ensureHostCountBeforeAddLocked(id);
+         host = new Host();
+         host.id = id;
+         mHosts.add(host);
+@@ -1728,6 +1737,24 @@ class AppWidgetServiceImpl extends IAppWidgetService.Stub implements WidgetBacku
+         return host;
+     }
+
++    /**
++     * Ensures that the number of hosts for a package is less than the maximum number of hosts per
++     * package. If the number of hosts is greater than the maximum number of hosts per package, then
++     * removes the oldest host.
++     */
++    private void ensureHostCountBeforeAddLocked(HostId hostId) {
++        final List<Host> hosts = new ArrayList<>();
++        for (Host host : mHosts) {
++            if (host.id.uid == hostId.uid
++                    && host.id.packageName.equals(hostId.packageName)) {
++                hosts.add(host);
++            }
++        }
++        while (hosts.size() >= MAX_NUMBER_OF_HOSTS_PER_PACKAGE) {
++            deleteHostLocked(hosts.remove(0));
++        }
++    }
++
+     private void deleteHostLocked(Host host) {
+         final int N = host.widgets.size();
+         for (int i = N - 1; i >= 0; i--) {
+@@ -2916,11 +2943,32 @@ class AppWidgetServiceImpl extends IAppWidgetService.Stub implements WidgetBacku
+      * Adds the widget to mWidgets and tracks the package name in mWidgetPackages.
+      */
+     void addWidgetLocked(Widget widget) {
++        ensureWidgetCountBeforeAddLocked(widget);
+         mWidgets.add(widget);
+
+         onWidgetProviderAddedOrChangedLocked(widget);
+     }
+
++    /**
++     * Ensures that the widget count for the widget's host is not greater than the maximum
++     * number of widgets per host. If the count is greater than the maximum, removes oldest widgets
++     * from the host until the count is less than or equal to the maximum.
++     */
++    private void ensureWidgetCountBeforeAddLocked(Widget widget) {
++        if (widget.host == null || widget.host.id == null) {
++            return;
++        }
++        final List<Widget> widgetsInSameHost = new ArrayList<>();
++        for (Widget w : mWidgets) {
++            if (w.host != null && widget.host.id.equals(w.host.id)) {
++                widgetsInSameHost.add(w);
++            }
++        }
++        while (widgetsInSameHost.size() >= MAX_NUMBER_OF_WIDGETS_PER_HOST) {
++            removeWidgetLocked(widgetsInSameHost.remove(0));
++        }
++    }
++
+     /**
+      * Checks if the provider is assigned and updates the mWidgetPackages to track packages
+      * that have bound widgets.
+-- 
+2.47.1.613.gc27f4b7a9f-goog
+

aosp_diff/preliminary/frameworks/base/99_0234-InputMethodSubtypeArray-prevent-negative-count-injection.bulletin.patch

@@ -0,0 +1,110 @@
+From 7714ccb85ed961083dcc97e230c71242c3422b5e Mon Sep 17 00:00:00 2001
+From: Adrian Roos <[email protected]>
+Date: Fri, 2 Jun 2023 13:57:57 +0000
+Subject: [PATCH] InputMethodSubtypeArray: prevent negative count injection
+
+Fixes an issue where negative counts could be injected
+via the Parcel constructor. The writeToParcel method
+in that case would write data that a subsequent read would
+not consume.
+
+Fixes: 277916797
+Fixes: 354682735
+Test: atest InputMethodSubtypeArrayTest
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:b9a097e28be9b87566ce0194b7525caf462daf2f)
+Merged-In: I7e881d82415051179c59bf5df97f8ba0a41e693e
+Change-Id: I7e881d82415051179c59bf5df97f8ba0a41e693e
+---
+ .../inputmethod/InputMethodSubtypeArray.java  |  4 +++
+ .../InputMethodSubtypeArrayTest.java          | 36 +++++++++++++++++++
+ 2 files changed, 40 insertions(+)
+
+diff --git a/core/java/android/view/inputmethod/InputMethodSubtypeArray.java b/core/java/android/view/inputmethod/InputMethodSubtypeArray.java
+index 50e95c80cfed..ee36dc72e346 100644
+--- a/core/java/android/view/inputmethod/InputMethodSubtypeArray.java
++++ b/core/java/android/view/inputmethod/InputMethodSubtypeArray.java
+@@ -17,6 +17,7 @@
+ package android.view.inputmethod;
+
+ import android.compat.annotation.UnsupportedAppUsage;
++import android.os.BadParcelableException;
+ import android.os.Parcel;
+ import android.util.Slog;
+
+@@ -69,6 +70,9 @@ public class InputMethodSubtypeArray {
+      */
+     public InputMethodSubtypeArray(final Parcel source) {
+         mCount = source.readInt();
++        if (mCount < 0) {
++            throw new BadParcelableException("mCount must be non-negative.");
++        }
+         if (mCount > 0) {
+             mDecompressedSize = source.readInt();
+             mCompressedData = source.createByteArray();
+diff --git a/core/tests/coretests/src/android/view/inputmethod/InputMethodSubtypeArrayTest.java b/core/tests/coretests/src/android/view/inputmethod/InputMethodSubtypeArrayTest.java
+index e2fb46af5b64..5af8558ccde9 100644
+--- a/core/tests/coretests/src/android/view/inputmethod/InputMethodSubtypeArrayTest.java
++++ b/core/tests/coretests/src/android/view/inputmethod/InputMethodSubtypeArrayTest.java
+@@ -16,9 +16,14 @@
+
+ package android.view.inputmethod;
+
++import static com.google.common.truth.Truth.assertThat;
++import static com.google.common.truth.Truth.assertWithMessage;
++
+ import static org.junit.Assert.assertEquals;
+
++import android.os.BadParcelableException;
+ import android.os.Parcel;
++import android.platform.test.annotations.Presubmit;
+ import android.view.inputmethod.InputMethodSubtype.InputMethodSubtypeBuilder;
+
+ import androidx.test.filters.SmallTest;
+@@ -31,6 +36,7 @@ import java.util.ArrayList;
+
+ @SmallTest
+ @RunWith(AndroidJUnit4.class)
++@Presubmit
+ public class InputMethodSubtypeArrayTest {
+
+     @Test
+@@ -59,6 +65,36 @@ public class InputMethodSubtypeArrayTest {
+         assertEquals(clonedArray.get(2), clonedClonedArray.get(2));
+     }
+
++    @Test
++    public void testNegativeCount() throws Exception {
++        InputMethodSubtypeArray negativeCountArray;
++        try {
++            // Construct a InputMethodSubtypeArray with: mCount = -1
++            Parcel p = Parcel.obtain();
++            p.writeInt(-1);
++            p.setDataPosition(0);
++            negativeCountArray = new InputMethodSubtypeArray(p);
++        } catch (BadParcelableException e) {
++            // Expected with fix: Prevent negative mCount
++            assertThat(e).hasMessageThat().contains("mCount");
++            return;
++        }
++        assertWithMessage("Test set-up failed")
++                .that(negativeCountArray.getCount()).isEqualTo(-1);
++
++        Parcel p = Parcel.obtain();
++        // Writes: int (mCount), int (mDecompressedSize), byte[] (mCompressedData)
++        negativeCountArray.writeToParcel(p);
++        p.setDataPosition(0);
++        // Reads: int (mCount)
++        // Leaves: int (mDecompressedSize), byte[] (mCompressedData)
++        new InputMethodSubtypeArray(p);
++
++        assertWithMessage("Didn't read all data that was previously written")
++                .that(p.dataPosition())
++                .isEqualTo(p.dataSize());
++    }
++
+     InputMethodSubtypeArray cloneViaParcel(final InputMethodSubtypeArray original) {
+         Parcel parcel = null;
+         try {
+-- 
+2.47.1.613.gc27f4b7a9f-goog
+