From 2658c0da40fabf8fff9a765ebd5c5b293c4b57e8 Mon Sep 17 00:00:00 2001 From: Edwin Wong Date: Tue, 26 Jan 2021 20:29:25 -0800 Subject: [PATCH] Fix potential decrypt src pointer overflow. There is a potential integer overflow to bypass the source base size check in decrypt. The source pointer can then point to the outside of the source buffer, which could potentially leak arbitrary memory content to destination pointer. Test: sts-tradefed sts-tradefed run sts-engbuild-no-spl-lock -m StsHostTestCases --test android.security.sts.Bug_176496160#testPocBug_176496160 Test: push to device with target_hwasan-userdebug build adb shell /data/local/tmp/Bug-17649616064 Bug: 176496160 Bug: 176444786 Change-Id: I811a6f60948bde2a72906c2c6172fd7bc5feb6d9 (cherry picked from commit c14f262876818498b3ca77f1d6df9d4fb7e77b1c) --- drm/1.0/default/CryptoPlugin.cpp | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/drm/1.0/default/CryptoPlugin.cpp b/drm/1.0/default/CryptoPlugin.cpp index 2db360765b..e6d4e8447b 100644 --- a/drm/1.0/default/CryptoPlugin.cpp +++ b/drm/1.0/default/CryptoPlugin.cpp @@ -124,7 +124,11 @@ namespace implementation { return Void(); } - if (source.offset + offset + source.size > sourceBase->getSize()) { + size_t totalSize = 0; + if (__builtin_add_overflow(source.offset, offset, &totalSize) || + __builtin_add_overflow(totalSize, source.size, &totalSize) || + totalSize > sourceBase->getSize()) { + android_errorWriteLog(0x534e4554, "176496160"); _hidl_cb(Status::ERROR_DRM_CANNOT_HANDLE, 0, "invalid buffer size"); return Void(); }