@Elephone1 Stagefright Detector has detected several CVE incorrect with the latest directives in security bulletin
@Elephone1 I second this. There are official Android upstream fixes so please fix the ROM!
BlueFlame4 said:
@Elephone1 I second this. There are official Android upstream fixes so please fix the ROM!
sorry, what do you mean about this, can you give me more details?
Elephone1 said:
sorry, what do you mean about this, can you give me more details?
I'm talking about the stagefright exploit that is basically a buffer overflow in the stagefright framework that can lead to privilege escalation and that can be used remotely (read: It's the most serious security vulnerability in Android so far). It should be your absolute priority to fix this to protect your customers. Can you comment on that please?
More: http://m.androidcentral.com/stagefright
Since the Xperia M aka nicki is no longer maintained I decided to start my own build and I thought I share it with the community.
Full Disclosure: I am not a developer. If there are bugs in any build, I cannot solve them. So always do a backup before flashing.
Also if you do not know how to flash: leave it be. I will not help with flashing problems.
I will try to keep it up-to-date.
You can download it here: https://drive.google.com/file/d/0B7J1cVOauuana0l0NG1GWmE1aWc/view?usp=sharing
Android: 7.1.2
Security Patches: May 2017
Komapatient said:
Since the Xperia M aka nicki is no longer maintained I decided to start my own build and I thought I share it with the community.
Full Disclosure: I am not a developer. If there are bugs in any build, I cannot solve them. So always do a backup before flashing.
Also if you do not know how to flash: leave it be. I will not help with flashing problems.
I will try to keep it up-to-date.
You can download it here: https://drive.google.com/file/d/0B7J1cVOauuana0l0NG1GWmE1aWc/view?usp=sharing
Thank you bro for sharing and keeping the device alive
Btw you should consider posting this in android development forum so that people know abt it
Adarsh Dubey said:
Btw you should consider posting this in android development forum so that people know abt it
I intentionally posted not in the development section, since I am not developing but only building.
Komapatient said:
I intentionally posted not in the development section, since I am not developing but only building.
Bro, you shouldn't post it in original development, but you can post it in Android development, as you are building the ROM for the device. Many of the people who port ROMs also don't develop or fix bugs, but they post in Android development as they are building the ROM for the device.
sir @Komapatient , can you please share the source kernel or ROM?
Nicklas Van Dam said:
sir @Komapatient , can you please share the source kernel or ROM?
Hi,
I don't understand your request. I pulled the sources from LinOS Git. There is nothing done on the source.
Komapatient said:
Hi,
I don't understand your request. I pulled the sources from LinOS Git. There is nothing done on the source.
Ok, it's necessary for now. Can you please keep this ROM updated?
Komapatient said:
Since the Xperia M aka nicki is no longer maintained I decided to start my own build and I thought I share it with the community.
Full Disclosure: I am not a developer. If there are bugs in any build, I cannot solve them. So always do a backup before flashing.
Also if you do not know how to flash: leave it be. I will not help with flashing problems.
I will try to keep it up-to-date.
You can download it here: https://drive.google.com/file/d/0B7J1cVOauuana0l0NG1GWmE1aWc/view?usp=sharing
Android: 7.1.2
Security Patches: May 2017
So basically you're keeping the ROM updated with latest changes from lineage OS source code , I mean bug fixes and security patches etc.
matrixex said:
So basically you're keeping the ROM updated with latest changes from lineage OS source code , I mean bug fixes and security patches etc.
Yes. As a courtesy to the people who cannot compile their own ROM and to give s.th. back to the community who helped me a lot of times.
Hi @Komapatient,
Glad to see you once again around here, think we last talked when you were using the Xperia V on LineageOS.
Happy to see nicki is not fully dead and that its users can benefit from newer builds.
However there's a big concern here, I pushed the Nicki official removal for two important reasons :
- Device sources are no longer updated. If there's no real issue it's fine, but might appear.
> Issues like autobrightness flashing in a weird way upon device wake/unlock is among the biggest issue fixed / wip since the changes stopped.
> Checked in my huashan sources to find common relevant things for nicki, I just pushed an overlay cleanup and fix for MMS non-Data use.
- Kernel sources are highly outdated. To put this in an easy way, we can judge the security status
> to be around December 2016 and February 2017. Therefore the security version you share here is only the ROM sources,
> though a good portion of the security patches are actually to be worked upon for each kernel.
You can find our internal CVEs vulnerabilities tracker concerning the nicki 8x27 kernel here : https://cve.lineageos.org/android_kernel_sony_msm8x27
Someone should at some point stand up and start looking at them one by one,
fixing the ones related to the kernel version by cherry-picking, testing then pushing to gerrit.
You can take my sony_msm8960t kernel as reference if you wish, only the most recent CVEs are a work in progress,
and you should therefore easily see which CVEs concern your 3.4 kernel and find the commits in my history.
I'd gladly merge commits uploaded to gerrit if they are valid and properly authored / clean.
Hope this makes the current status of Nicki a bit more clear.
Bye.
@AdrianDC
Thank you for your clarification. The kernel sources are indeed a bummer, but as my coding skills are below zero, sadly I am not able to help out here.
Komapatient said:
@AdrianDC
Thank you for your clarification. The kernel sources are indeed a bummer, but as my coding skills are below zero, sadly I am not able to help out here.
Trying to "steal" my commits from sony_msm8960t would be a good start,
you can also check the commits tags on Gerrit to see the CVE 20xx-xxxx related numbers
when the information was set as topic, helps clearing the list too.
Since the work is already done on our side, it shouldn't be a giant work to do,
and would be a good place to start with + bring back some security updates to the device.
Please try to update this rom
Please try to update this ROM.
Hi XDA!
I have some questions about the current security level of Lineage OS and CVE info!
For example: Xiaomi / msm8956 has a 69% security and it's still vulnerable to the vulnerability of Broadcom Wifi-Driver and many more. (According to the LineageOS CVE tracker)
Is that the real status of security patches? Or are some of these vulnerabilities already patched?
Who is responsible for patching this? Device maintainer? Manufacturer (Xiaomi)? Google with your security patches?
I just want to know how this works and who's in charge, I'm not judging anyone's work.
Thanks for your help and time!
MrEncrypted said:
Hi XDA!
I have some questions about the current security level of Lineage OS and CVE info!
For example: Xiaomi / msm8956 has a 69% security and it's still vulnerable to the vulnerability of Broadcom Wifi-Driver and many more. (According to the LineageOS CVE tracker)
Is that the real status of security patches? Or are some of these vulnerabilities already patched?
Who is responsible for patching this? Device maintainer? Manufacturer (Xiaomi)? Google with your security patches?
I just want to know how this works and who's in charge, I'm not judging anyone's work.
Thanks for your help and time!
I've heard that they have to input all that manually to make it up to date. So it's basically way out of date most of the time.
swejuggalo said:
I've heard that they have to input all that manually to make it up to date. So it's basically way out of date most of the time.
Yes the main page of Lineage OS CVE Tracker says that they have to update the info manually.
I want to know who's in charge of patching the vulnerabilities!
Hi,
how can I know which is the first nightly build that includes Google's monthly patches?
Thanks
You can see it in change log
Is there a specific entry in change log or something to understand that this patch is related to monthly security patch?
Since Lineage is quite stable I would like to update only one time per month and I think that the best time is after Google's patches have been included
The entry is ...security string...
kurtn said:
The entry is ...security string...
Thanks
Introduction
Hello everyone, this is a thread to introduce both users and kernel developers to the concept of linux-stable as well as give developers some tips and a tree to either merge into their own, use as a base, or just as a reference. Feel free to ask questions and enjoy!
What is it?
linux-stable is, as the name implies, the stable branch of the Linux kernel, the base of Android. The phone could not run without the Linux kernel (at least not without reworking a lot of stuff). The Android kernels are based on the longterm stable trees:
Longterm
There are usually several "longterm maintenance" kernel releases provided for the purposes of backporting bugfixes for older kernel trees. Only important bugfixes are applied to such kernels and they don't usually see very frequent releases, especially for older trees.
Source: https://www.kernel.org/category/releases.html
All Linux development happens on the master branch, which is governed by Linus Torvalds. When issues are discovered there, the fixes are applied then backported to these various stable trees for consumption. It is not uncommon for a fix to need to go back a few years.
There is a LOT more information available in the notes repo in the android-linux-stable organization if you care to learn more in-depth: https://github.com/android-linux-stable/notes
What does this mean for me?
If you are a developer, this means you should be merging these changes into your own tree. These are vetted, stable fixes to real world problems and they are being handed out for free. It does not take long to get up to date (as you can just merge this tree directly into your own or do it yourself using the tree as a reference) and once you are up to date, there is usually a release once every two weeks, give or take. I provide a rebuttal to a lot of various complaints here. If you still feel like there is a good reason not to do this, please let me know, I'll be happy to try and debate on it!
If you are a user, it means that you should be looking for and using kernels that have these fixes, as it shows the developers care for your security and stability. The current version for this device is 4.4.116 and the current version upstream is 4.4.162 so all you need to do is go into Settings > About phone and look at the kernel version to know if you are up to date.
How do I use?
If you are a developer, the reference tree is located in the android-linux-stable organization: https://github.com/android-linux-stable/wahoo
This can either be merged into your existing kernel tree if you have one or be used as a fresh base. You do not need my permission to use it nor do you need to give me credit (although it would be appreciated).
If you are a user, use a kernel that has the changes added in!
Getting notified about updates
There are a few ways to get notified of linux-stable updates:
The linux-kernel-announce mailing list: http://vger.kernel.org/vger-lists.html#linux-kernel-announce
The android-linux-stable Telegram channel: https://t.me/alsupdates
Subscribe to this thread
Follow me on Google+ or Twitter
Getting help
If you have any issues with getting these changes into your tree or want to ask a question, there are a few different ways to do it:
Post in this thread
Join the linux-stable support chat on Telegram: https://t.me/joinchat/C1UAJ1EMSX31PCFdwLnOSg
File an issue either in the android-linux-stable notes repo or the android-linux-stable repo for this device
When requesting help, please give some solid details as to what you are struggling with, as I am happy to provide assistance and clarity but not to do something for you (unless I screwed up).
4.4.103 has been merged in.
4.4.104 has been merged in, with conflict notes updated accordingly.
The repo location has changed (new link is in the OP).
Additionally, an 8.1 branch has been created. Google went from 4.4.56 to 4.4.88 so the branch was redone to avoid conflicts and go with Google's resolution. The notes have been updated as well. Happy kerneling!
4.4.106 has been merged in (conflict notes).
4.4.107 has been merged in.
nathanchance said:
4.4.107 has been merged in.
What should we do without you nathanchance .. really appreciate your support
4.4.108 has been merged in.
nathanchance said:
4.4.108 has been merged in.
Really appreciate. Merry Christmas
Looking at this thread you are faster than Google in updating to the latest linux-stable. Are Google's kernels so frankenstein or is there some sense in not using the latest security update?
Thaodan said:
Looking at this thread you are faster than Google in updating to the latest linux-stable. Are Google's kernels so frankenstein or is there some sense in not using the latest security update?
Well Google has their own pipelines they have to go through to get these updates shipped, I don't. Google is about three months behind stable because they don't ship stable updates in their security updates (I think they should). So to be fair, three months ago, 4.4.88 was the latest.
4.4.109 has been merged in (conflict notes).
nathanchance said:
4.4.109 has been merged in (conflict notes).
Super ninja
4.4.110 has been merged in (conflict notes).
4.4.111 has been merged in.
Just as a heads up, I started school on Monday so while the updates will still continue, they may not be as timely as they have in the past, especially if there are conflicts that I need to document.
4.4.112 has been merged in (conflict notes).
I used this conflict in my video talking about thinking through linux-stable conflicts, check it out! https://www.youtube.com/watch?v=yWvU8_0O66A
4.4.113 has been merged in (conflict notes).
nathanchance said:
4.4.113 has been merged in (conflict notes).
Really appreciate your effort and help. Thank you so much. Do you mind sharing your pre-built Clang 6.0 toolchain? I can't build with Clang 5.0 anymore. I had no issue with Clang 5.0 until 4.4.112. Seems 4.4.113 is broken with Clang 5.0. Thanks in advance
janjan said:
Really appreciate your effort and help. Thank you so much. Do you mind sharing your pre-built Clang 6.0 toolchain? I can't build with Clang 5.0 anymore. I had no issue with Clang 5.0 until 4.4.112. Seems 4.4.113 is broken with Clang 5.0. Thanks in advance
You must have added something that broke Clang 5.0 then because I built with Clang 5.0 on the Essential Phone after merging in 4.4.113 without any issues.
But here, it's just Google's master branch: https://android.googlesource.com/platform/prebuilts/clang/host/linux-x86/
nathanchance said:
You must have added something that broke Clang 5.0 then because I built with Clang 5.0 on the Essential Phone after merging in 4.4.113 without any issues.
But here, it's just Google's master branch: https://android.googlesource.com/platform/prebuilts/clang/host/linux-x86/
Except Google removed the 6.0 toolchain :silly:
If anyone uses this, just run git revert HEAD
This is the stock kernel that ships with glassrom (or will ship with it)
5g variants are not yet supported
It is based off kirisakura kernel with additional hardening from my side.
You get this:
All the features from kirisakura kernel
Removed qualcomm's rmnet drivers
COMPAT_VDSO is disabled to enable full vDSO ASLR
KSPP patches have been applied
Clang control flow integrity (https://source.android.com/devices/tech/debug/cfi)
Backward edged control flow integrity:
Strong protections enforced by shadowcallstack (https://source.android.com/devices/tech/debug/shadow-call-stack)
Weak protections enforced by adding stack canaries to everything and ensuring ASLR is of a decent enough quality
Compiled with -O3 and Polly for maximum performance
Wireguard driver has been removed
AVB depends on the ROM. Flashing it on glassrom/oxygenos will definitely cause it to boot with enforcing AVB. On other ROMs this shouldn't happen
Selinux forced enforcing patch from Samsung
Yama is enabled and set to SCOPE_NO_ATTACH
Uses sdfat driver to provide vfat and exfat drivers
Todo:
Port Linux-hardened patch
fix fingerprint on oos
Notes:
Flashing it on oxygenos will break dt2w
Flashing the kernel regardless of ROM or device combination will break twrp ramdisk boot. The only way to boot twrp is using fastboot boot, installing it to the ramdisk will always lead to a kernel panic. This is not a bug and will not be fixed
Download: see release post https://forum.xda-developers.com/showpost.php?p=81105101&postcount=8
Source:
https://github.com/GlassROM-devices/android_kernel_oneplus_sm8150
Donations:
Most of the hard work was done by @Freak07 so check out his thread and buy him a coffee
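A way to check a build against the hardening list in the post above, as an added example that is not part of the original post or the GlassROM sources. It assumes the usual Kconfig symbol names for the listed features (CONFIG_COMPAT_VDSO, CONFIG_CFI_CLANG, CONFIG_SHADOW_CALL_STACK, CONFIG_SECURITY_YAMA, and the strong stack-protector option under its pre- and post-4.18 names); the sample config is constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit a kernel .config for the hardening options the post lists.
# Symbol names are the usual Kconfig ones (an assumption, not taken from the post).

# kconfig_state FILE OPTION -> prints the option's value, or "unset"
kconfig_state() {
    val=$(sed -n "s/^CONFIG_$2=//p" "$1" | tail -n 1)
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf 'unset\n'; fi
}

# audit_kconfig FILE -> one PASS/FAIL line per check; return code = number of FAILs
audit_kconfig() {
    cfg=$1
    fails=0
    # option:expected-state pairs drawn from the feature list in the post
    for check in COMPAT_VDSO:unset CFI_CLANG:y SHADOW_CALL_STACK:y SECURITY_YAMA:y; do
        opt=${check%%:*}
        want=${check##*:}
        got=$(kconfig_state "$cfg" "$opt")
        if [ "$got" = "$want" ]; then
            echo "PASS CONFIG_$opt=$got"
        else
            echo "FAIL CONFIG_$opt=$got (want $want)"
            fails=$((fails + 1))
        fi
    done
    # The strong stack protector was renamed in 4.18, so accept either spelling.
    # This is the strongest mainline Kconfig level; the post's "canaries on
    # everything" may go beyond it.
    if [ "$(kconfig_state "$cfg" CC_STACKPROTECTOR_STRONG)" = y ] ||
       [ "$(kconfig_state "$cfg" STACKPROTECTOR_STRONG)" = y ]; then
        echo "PASS stack protector: strong"
    else
        echo "FAIL stack protector: strong not enabled"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# yama_scope_name LEVEL -> name of a /proc/sys/kernel/yama/ptrace_scope value
yama_scope_name() {
    case $1 in
        0) echo classic ;;
        1) echo restricted ;;
        2) echo admin-only ;;
        3) echo no-attach ;;   # the SCOPE_NO_ATTACH level the post refers to
        *) echo unknown ;;
    esac
}

# Constructed sample: a 4.14-style fragment with one deliberate gap
# (shadow call stack left off) so the audit reports a failure.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# CONFIG_COMPAT_VDSO is not set
CONFIG_CFI_CLANG=y
CONFIG_CFI_CLANG_SHADOW=y
# CONFIG_SHADOW_CALL_STACK is not set
CONFIG_CC_STACKPROTECTOR_STRONG=y
CONFIG_SECURITY_YAMA=y
EOF
audit_kconfig "$sample" || echo "$? check(s) failed"
echo "ptrace_scope 3 means: $(yama_scope_name 3)"
```

On a device, the config can be taken from /proc/config.gz when the kernel exposes it, and the live Yama level from /proc/sys/kernel/yama/ptrace_scope.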
anupritaisno1 said:
This is the stock kernel that ships with glassrom (or will ship with it)
5g variants are not yet supported
It is based off kirisakura kernel with additional hardening from my side.
You get this:
All the features from kirisakura kernel
Removed qualcomm's rmnet drivers
COMPAT_VDSO is disabled to enable full vDSO ASLR
KSPP patches have been applied
Clang control flow integrity (https://source.android.com/devices/tech/debug/cfi)
Backward edged control flow integrity:
Strong protections enforced by shadowcallstack (https://source.android.com/devices/tech/debug/shadow-call-stack)
Weak protections enforced by adding stack canaries to everything and ensuring ASLR is of a decent enough quality
Compiled with -O3 and Polly for maximum performance
Wireguard driver has been removed
AVB depends on the ROM. Flashing it on glassrom/oxygenos will definitely cause it to boot with enforcing AVB. On other ROMs this shouldn't happen
Selinux forced enforcing patch from Samsung
Yama is enabled (does nothing significant for now)
Todo:
Set Yama to level 3 (breaks magisk)
Port Linux-hardened patch
Notes:
Flashing it on oxygenos will break dt2w
Flashing the kernel regardless of ROM or device combination will break twrp ramdisk boot. The only way to boot twrp is using fastboot boot, installing it to the ramdisk will always lead to a kernel panic. This is not a bug and will not be fixed
Download:
https://mirror.apexcdn.net/files/glassrom/unsigned.zip
Source:
https://github.com/GlassROM-devices/android_kernel_oneplus_sm8150
Fingerprint is broken on oos
Kaz205 said:
Fingerprint is broken on oos
Yeah sorry about that. I'll make a version for oos soon
I did test it for a short while on oos but did not test it enough
Merged in the latest kernel from kirisakura git and also merged in 4.14.156
It boots fine but I don't have a good internet connection to be able to upload it
Will do so soon
anupritaisno1 said:
Merged in the latest kernel from kirisakura git and also merged in 4.14.156
It boots fine but I don't have a good internet connection to be able to upload it
Will do so soon
Thanks! Does this one work with OOS?
MrGimpGrumble said:
Thanks! Does this one work with OOS?
I eventually plan to stop supporting oos
OOS is proprietary for one and such a system is almost never secure. And if you don't believe me just look at their past vulnerability announcements. Almost all oxygenos vulnerabilities come from the fact that oneplus finds loopholes around Google's CTS. Who knows what other holes they've opened up that Google forgot to add checks for
Further, oos has many "memory optimisation" drivers that directly try to access ram and break most of the security features I'm implementing. Most custom ROMs do not have these and the drivers can be safely disabled
I will also add that this kernel is almost functionally identical with kirisakura kernel. Yes I might merge upstream slightly faster but other than that there is no difference that you would notice. The only difference is that I'm enabling all the security features that must be enabled - especially CFI and shadowcallstack which come standard on any Google pixel device
As for wireguard I just think running a VPN in kernel space is a very bad idea. Not to mention I have confirmed that on Android the tunnel leaks ipv6 traffic if you're not careful and no, disabling ipv6 is not the solution. The userspace go implementation is much safer and I mean it. The userspace implementation almost never leaks ipv6 traffic. Not to mention Go is a much safer language than C
okay new update is in the attachments
changes: linux 4.14.156
upstreamed to oos open beta 6 (doesn't mean fixed fingerprint yet)
upstreamed wifi driver and audio driver to latest caf tag (LA.UM.8.1.r1-12200-sm8150.0)
yama is now at level 3
all upstream changes from kirisakura. except for wake gestures as lineagehw seems to already have those
oos users should disable smart boost from settings
okay new build is here
changelog:
linux 4.14.157
upstreamed sdfat driver
fixed a weird kernel panic that happened on anything other than oxygenos when the device was fast charging from a very low battery
anupritaisno1 said:
okay new build is here
changelog:
linux 4.14.157
upstreamed sdfat driver
fixed a weird kernel panic that happened on anything other than oxygenos when the device was fast charging from a very low battery
work on pa?
ryshd296 said:
work on pa?
Please test it and let me know
It should boot on any ROM that can enforce selinux
anupritaisno1 said:
Please test it and let me know
It should boot on any ROM that can enforce selinux
This sent me into an immediate Qualcomm crash dump upon booting on both stock OOS and Omni for OnePlus 7t global variant.
Previous releases as well, not just the newer release.
scott.hart.bti said:
This sent me into an immediate Qualcomm crash dump upon booting on both stock OOS and Omni for OnePlus 7t global variant.
Previous releases as well, not just the newer release.
Please duplicate the crashdump message exactly
Especially send the "PC at" line and the error message if present
If the error message is blank please mention that it is
If you get a PC at __cfi_check_fail message please mention this
@scott.hart.bti still waiting for your response
Please send the crash log if possible
Do I need magisk companion for this?
psychemisha said:
Do I need magisk companion for this?
No you don't
However somewhere around ob4 maintaining compatibility with oxygenos became next to impossible without breaking custom ROMs
I think most users are still on OOS. If not I can just release builds for custom ROMs
Custom plz
is the development stopped?