GrapheneOS v2023110700: November Security Patch

“Our latest release has hardware memory tagging (MTE) support for hardened_malloc enabled by default for 8th generation Pixels which added support for it.””We also want to enable Clang’s stack allocation MTE and Chromium’s MTE support for Vanadium soon.”

What’s changed

full 2023-11-01 security patch levelfull 2023-11-05 security patch level for generic targets and 5th/8th generation Pixels (6th/7th generation Pixels are marked as 2023-11-01 upstream which may be due to a missing Mali GPU kernel patch we can work on obtaining to apply early)rebased onto UP1A.231105.003 (generic) and UD1A.231105.004 (shusky) Android Open Source Project releasesPixel 8, Pixel 8 Pro: always enable hardware memory tagging (there is no longer an opt-in toggle) which is currently used everywhere other than Vanadium (coming soon), vendor executables and user installed apps with their own native code not marked as compatible with memory taggingdisable GWP-ASan since it’s a bug finding feature rather than a hardening feature and doesn’t preserve all the hardened_malloc security properties for the random allocations in random system processes where it gets activated especially now that memory tagging is supportedLauncher: add missing catch for null pointer exception (upstream bug) triggered by Signalrevert change to show crash dialog for first crash of an app since boot since this results in a high support burden from the many third party app crashes it uncovers especially since it’s not enabled on the stock OSalways compile VPN service packages with speed filter to avoid background recompilation since many of these apps only automatically connect at boot and the user has to manually reconnect if the OS restarts them such as when users manually trigger app restart via the background recompilation notificationkernel (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Generic 5.10): update to latest GKI LTS branch revision including update to 5.10.199backport health permission UI fixes from AOSPbackport DocumentsUI (Files) fix from AOSP preventing bypassing restrictions via initial open directoryGmsCompatConfig: update to version 81GmsCompatConfig: update to version 82use sdk_phone_x86_64 (emulator) target as the default one for convenienceflash-all: raise minimum fastboot version to 34.0.4

Full Changelog / Archive
Announcement

Leave a Reply

Your email address will not be published. Required fields are marked *