tequilaOS/platform_hardware_interfaces
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

[RESTRICT AUTOMERGE] Fix potential decrypt destPtr overflow.

Browse source 
There is a potential integer overflow to bypass the
destination base size check in decrypt. The destPtr
can then point to the outside of the destination buffer.

Test: sts-tradefed
  sts-tradefed run sts-engbuild-no-spl-lock -m StsHostTestCases --test android.security.sts.Bug_176444622#testPocBug_176444622

Test: push to device with target_hwasan-userdebug build
  adb shell /data/local/tmp/Bug-17644462264

Bug: 176444622
Bug: 176496353
Change-Id: I75ae057793a4ff4e4f52a8577bef189ad842fb0e
This commit is contained in:
Edwin Wong 2021-02-02 10:04:02 -08:00
parent 072cdf233c
commit d468101f14
1 changed files with 5 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
drm/1.0/default/CryptoPlugin.cpp
View file

@ -80,7 +80,7 @@ namespace implementation {
}
}
android::CryptoPlugin::Mode legacyMode;
android::CryptoPlugin::Mode legacyMode = android::CryptoPlugin::kMode_Unencrypted;
switch(mode) {
case Mode::UNENCRYPTED:
legacyMode = android::CryptoPlugin::kMode_Unencrypted;
@ -149,7 +149,10 @@ namespace implementation {
return Void();
}
if (destBuffer.offset + destBuffer.size > destBase->getSize()) {
size_t totalDstSize = 0;
if (__builtin_add_overflow(destBuffer.offset, destBuffer.size, &totalDstSize) ||
totalDstSize > destBase->getSize()) {
android_errorWriteLog(0x534e4554, "176496353");
_hidl_cb(Status::ERROR_DRM_CANNOT_HANDLE, 0, "invalid buffer size");
return Void();
}