mirror of
https://github.com/Evolution-X/hardware_interfaces
synced 2026-02-01 05:49:27 +00:00
Fix potential decrypt destPtr overflow.
There is a potential integer overflow to bypass the destination base size check in decrypt. The destPtr can then point to the outside of the destination buffer. Test: sts-tradefed sts-tradefed run sts-engbuild-no-spl-lock -m StsHostTestCases --test android.security.sts.Bug_176444622#testPocBug_176444622 Test: push to device with target_hwasan-userdebug build adb shell /data/local/tmp/Bug-17644462264 Bug: 176444622 Bug: 176496353 Change-Id: I63043d10796f82ad805038ba1fad5bd7d5c89961 Merged-In: I63043d10796f82ad805038ba1fad5bd7d5c89961
This commit is contained in:
Edwin Wong
@@ -79,7 +79,7 @@ namespace implementation {
|
||||
}
|
||||
}
|
||||
|
||||
android::CryptoPlugin::Mode legacyMode;
|
||||
android::CryptoPlugin::Mode legacyMode = android::CryptoPlugin::kMode_Unencrypted;
|
||||
switch(mode) {
|
||||
case Mode::UNENCRYPTED:
|
||||
legacyMode = android::CryptoPlugin::kMode_Unencrypted;
|
||||
@@ -142,7 +142,10 @@ namespace implementation {
|
||||
return Void();
|
||||
}
|
||||
|
||||
if (destBuffer.offset + destBuffer.size > destBase->getSize()) {
|
||||
size_t totalSize = 0;
|
||||
if (__builtin_add_overflow(destBuffer.offset, destBuffer.size, &totalSize) ||
|
||||
totalSize > destBase->getSize()) {
|
||||
android_errorWriteLog(0x534e4554, "176496353");
|
||||
_hidl_cb(Status::ERROR_DRM_CANNOT_HANDLE, 0, "invalid buffer size");
|
||||
return Void();
|
||||
}
|
||||
@@ -153,7 +156,7 @@ namespace implementation {
|
||||
}
|
||||
|
||||
base = static_cast<uint8_t *>(static_cast<void *>(destBase->getPointer()));
|
||||
destPtr = static_cast<void *>(base + destination.nonsecureMemory.offset);
|
||||
destPtr = static_cast<void*>(base + destination.nonsecureMemory.offset);
|
||||
} else if (destination.type == BufferType::NATIVE_HANDLE) {
|
||||
if (!secure) {
|
||||
_hidl_cb(Status::BAD_VALUE, 0, "native handle destination must be secure");
|
||||
|
||||
Reference in New Issue
Block a user