crytpfs: fix clobbering of crypto info on keymaster failure

Changing the device lock (even from swipe to none) will cause the master key to be re-encrypted. If at that point keymaster fails (e.g. due to an incompatible keymaster update) cryptfs will write back the now-incomplete crypto metadata. Upon next reboot, userdata can't be decrypted. Now we don't bother writing on keymaster failure. Bug: 19301883 Change-Id: I2b9a1278f8b4d333ac8d567e17e2263005e99409
2015-02-11 13:44:32 -08:00 · 2015-02-11 13:44:32 -08:00 · 933216c886
commit 933216c886
parent d32b75e6dc
1 changed files with 7 additions and 4 deletions
--- a/cryptfs.c
+++ b/cryptfs.c
@ -3285,6 +3285,7 @@ int cryptfs_enable_default(char *howarg, int allow_reboot)
 int cryptfs_changepw(int crypt_type, const char *newpw)
 {
    struct crypt_mnt_ftr crypt_ftr;
+    int rc;

    /* This is only allowed after we've successfully decrypted the master key */
    if (!master_key_saved) {
@ -3310,18 +3311,20 @@ int cryptfs_changepw(int crypt_type, const char *newpw)
        newpw = adjusted_passwd;
    }

-    encrypt_master_key(crypt_type == CRYPT_TYPE_DEFAULT ? DEFAULT_PASSWORD
+    rc = encrypt_master_key(crypt_type == CRYPT_TYPE_DEFAULT ? DEFAULT_PASSWORD
                                                        : newpw,
                       crypt_ftr.salt,
                       saved_master_key,
                       crypt_ftr.master_key,
                       &crypt_ftr);
-
+    free(adjusted_passwd);
+    if (rc) {
+        SLOGE("Encrypt master key failed: %d", rc);
+        return -1;
+    }
    /* save the key */
    put_crypt_ftr_and_key(&crypt_ftr);

-    free(adjusted_passwd);
-
 #ifdef CONFIG_HW_DISK_ENCRYPTION
    if (!strcmp((char *)crypt_ftr.crypto_type_name, "aes-xts")) {
        if (crypt_type == CRYPT_TYPE_DEFAULT) {