From d22f1447fe2fc10dbf45bde6fb4a7cb6f7a8a7ca Mon Sep 17 00:00:00 2001 From: Robert Shih Date: Wed, 11 Sep 2019 14:10:14 -0700 Subject: [PATCH] default hidl CryptoPlugin: security fixes [RESTRICT AUTOMERGE] * reject native handle output for clearkey * validate subsample sizes Bug: 137370777 Test: cryptopoc Change-Id: I2a81f2a00ebf7954b16fb10d2af586ce0da801ed --- drm/1.0/default/CryptoPlugin.cpp | 35 ++++++++++++++++++++++++++++---- 1 file changed, 31 insertions(+), 4 deletions(-) diff --git a/drm/1.0/default/CryptoPlugin.cpp b/drm/1.0/default/CryptoPlugin.cpp index 591861aeec..6626c0172f 100644 --- a/drm/1.0/default/CryptoPlugin.cpp +++ b/drm/1.0/default/CryptoPlugin.cpp @@ -98,11 +98,22 @@ namespace implementation { android::CryptoPlugin::SubSample *legacySubSamples = new android::CryptoPlugin::SubSample[subSamples.size()]; + size_t destSize = 0; for (size_t i = 0; i < subSamples.size(); i++) { - legacySubSamples[i].mNumBytesOfClearData - = subSamples[i].numBytesOfClearData; - legacySubSamples[i].mNumBytesOfEncryptedData - = subSamples[i].numBytesOfEncryptedData; + uint32_t numBytesOfClearData = subSamples[i].numBytesOfClearData; + legacySubSamples[i].mNumBytesOfClearData = numBytesOfClearData; + uint32_t numBytesOfEncryptedData = subSamples[i].numBytesOfEncryptedData; + legacySubSamples[i].mNumBytesOfEncryptedData = numBytesOfEncryptedData; + if (__builtin_add_overflow(destSize, numBytesOfClearData, &destSize)) { + delete[] legacySubSamples; + _hidl_cb(Status::BAD_VALUE, 0, "subsample clear size overflow"); + return Void(); + } + if (__builtin_add_overflow(destSize, numBytesOfEncryptedData, &destSize)) { + delete[] legacySubSamples; + _hidl_cb(Status::BAD_VALUE, 0, "subsample encrypted size overflow"); + return Void(); + } } AString detailMessage; @@ -125,11 +136,27 @@ namespace implementation { _hidl_cb(Status::ERROR_DRM_CANNOT_HANDLE, 0, "invalid buffer size"); return Void(); } + + if (destSize > destBuffer.size) { + delete[] legacySubSamples; + _hidl_cb(Status::BAD_VALUE, 0, "subsample sum too large"); + return Void(); + } + destPtr = static_cast(base + destination.nonsecureMemory.offset); } else if (destination.type == BufferType::NATIVE_HANDLE) { + if (!secure) { + delete[] legacySubSamples; + _hidl_cb(Status::BAD_VALUE, 0, "native handle destination must be secure"); + return Void(); + } native_handle_t *handle = const_cast( destination.secureMemory.getNativeHandle()); destPtr = static_cast(handle); + } else { + delete[] legacySubSamples; + _hidl_cb(Status::BAD_VALUE, 0, "invalid destination type"); + return Void(); } ssize_t result = mLegacyPlugin->decrypt(secure, keyId.data(), iv.data(), legacyMode, legacyPattern, srcPtr, legacySubSamples,