diff options
| author | Edwin Wong <edwinwong@google.com> | 2021-02-02 10:42:38 -0800 |
|---|---|---|
| committer | Edwin Wong <edwinwong@google.com> | 2021-02-25 17:43:13 +0000 |
| commit | a6e551feef4e5faeec9ecc6b287eeade751e7f8b (patch) | |
| tree | f94275254932234016f86b5b4b4c02a752acd0e6 /drm/1.0/default/CryptoPlugin.cpp | |
| parent | c14f262876818498b3ca77f1d6df9d4fb7e77b1c (diff) | |
[RESTRICT AUTOMERGE] Fix potential decrypt destPtr overflow.
There is a potential integer overflow to bypass the
destination base size check in decrypt. The destPtr
can then point to the outside of the destination buffer.
Test: sts-tradefed
sts-tradefed run sts-engbuild-no-spl-lock -m StsHostTestCases --test android.security.sts.Bug_176444622#testPocBug_176444622
Test: push to device with target_hwasan-userdebug build
adb shell /data/local/tmp/Bug-17644462264
Bug: 176444622
Bug: 176496353
Change-Id: I71b390846a17aecbb9180865e1f9538b4b464abf
Diffstat (limited to 'drm/1.0/default/CryptoPlugin.cpp')
| -rw-r--r-- | drm/1.0/default/CryptoPlugin.cpp | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/drm/1.0/default/CryptoPlugin.cpp b/drm/1.0/default/CryptoPlugin.cpp index e6d4e8447b..653708e12c 100644 --- a/drm/1.0/default/CryptoPlugin.cpp +++ b/drm/1.0/default/CryptoPlugin.cpp @@ -79,7 +79,7 @@ namespace implementation { } } - android::CryptoPlugin::Mode legacyMode; + android::CryptoPlugin::Mode legacyMode = android::CryptoPlugin::kMode_Unencrypted; switch(mode) { case Mode::UNENCRYPTED: legacyMode = android::CryptoPlugin::kMode_Unencrypted; @@ -146,7 +146,10 @@ namespace implementation { return Void(); } - if (destBuffer.offset + destBuffer.size > destBase->getSize()) { + size_t totalDstSize = 0; + if (__builtin_add_overflow(destBuffer.offset, destBuffer.size, &totalDstSize) || + totalDstSize > destBase->getSize()) { + android_errorWriteLog(0x534e4554, "176496353"); _hidl_cb(Status::ERROR_DRM_CANNOT_HANDLE, 0, "invalid buffer size"); return Void(); } @@ -157,7 +160,7 @@ namespace implementation { } base = static_cast<uint8_t *>(static_cast<void *>(destBase->getPointer())); - destPtr = static_cast<void *>(base + destination.nonsecureMemory.offset); + destPtr = static_cast<void*>(base + destination.nonsecureMemory.offset); } else if (destination.type == BufferType::NATIVE_HANDLE) { if (!secure) { _hidl_cb(Status::BAD_VALUE, 0, "native handle destination must be secure"); |