author | Xin Li <delphij@google.com> | 2021-03-02 15:50:00 -0800 |
---|---|---|
committer | Xin Li <delphij@google.com> | 2021-03-03 09:12:28 -0800 |
commit | a2e70181ea64319892fd8a02f2ece472d40ce35c (patch) | |
tree | 1e2f81664cba387b0e3b9148833b2f0782827d38 | |
parent | b93055f15cf30fbb50107fdc3a55867c2487e141 (diff) | |
parent | bacace702391ea252e6d23ee87669e6a9006c8ba (diff) |
Merge RQ2A.210305.007
Bug: 180401296
Merged-In: I8f9c80d4a854243e09d5f7228a0c94a4b8dbd93a
Change-Id: I31e9e7bd57d531a274cafffcdbc261eceb99e9aa
-rw-r--r-- | payload_consumer/delta_performer.cc | 37 |
1 files changed, 17 insertions, 20 deletions
diff --git a/payload_consumer/delta_performer.cc b/payload_consumer/delta_performer.cc
index cda8bc10..f26dd482 100644
--- a/payload_consumer/delta_performer.cc
+++ b/payload_consumer/delta_performer.cc
@@ -521,27 +521,24 @@ bool DeltaPerformer::Write(const void* bytes, size_t count, ErrorCode* error) {
 if (!CanPerformInstallOperation(op))
 return true;
- // Validate the operation only if the metadata signature is present.
- // Otherwise, keep the old behavior. This serves as a knob to disable
- // the validation logic in case we find some regression after rollout.
- // NOTE: If hash checks are mandatory and if metadata_signature is empty,
- // we would have already failed in ParsePayloadMetadata method and thus not
- // even be here. So no need to handle that case again here.
- if (!payload_->metadata_signature.empty()) {
- // Note: Validate must be called only if CanPerformInstallOperation is
- // called. Otherwise, we might be failing operations before even if there
- // isn't sufficient data to compute the proper hash.
- *error = ValidateOperationHash(op);
- if (*error != ErrorCode::kSuccess) {
- if (install_plan_->hash_checks_mandatory) {
- LOG(ERROR) << "Mandatory operation hash check failed";
- return false;
- }
-
- // For non-mandatory cases, just send a UMA stat.
- LOG(WARNING) << "Ignoring operation validation errors";
- *error = ErrorCode::kSuccess;
+ // Validate the operation unconditionally. This helps prevent the
+ // exploitation of vulnerabilities in the patching libraries, e.g. bspatch.
+ // The hash of the patch data for a given operation is embedded in the
+ // payload metadata; and thus has been verified against the public key on
+ // device.
+ // Note: Validate must be called only if CanPerformInstallOperation is
+ // called. Otherwise, we might be failing operations before even if there
+ // isn't sufficient data to compute the proper hash.
+ *error = ValidateOperationHash(op);
+ if (*error != ErrorCode::kSuccess) {
+ if (install_plan_->hash_checks_mandatory) {
+ LOG(ERROR) << "Mandatory operation hash check failed";
+ return false;
 }
+
+ // For non-mandatory cases, just send a UMA stat.
+ LOG(WARNING) << "Ignoring operation validation errors";
+ *error = ErrorCode::kSuccess;
 }

 // Makes sure we unblock exit when this operation completes.
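Review bot: The new comment claims unconditional validation prevents exploiting patcher bugs because the hash "has been verified against the public key on device", but the code directly below still turns a mismatch into `LOG(WARNING)` plus `*error = ErrorCode::kSuccess` whenever `install_plan_->hash_checks_mandatory` is false, so in that mode an operation whose patch data fails verification is still applied, and the removed `metadata_signature.empty()` guard shows the signature can be absent, in which case nothing in this hunk establishes that the hash was signature-checked at all. I would word the comment so it does not overstate the guarantee, e.g. `// Validate the operation unconditionally. The per-operation hash comes from the payload metadata (signature-checked when a metadata signature is present); a mismatch rejects the operation only when hash checks are mandatory, otherwise it is logged and the operation proceeds.` The moved line `// For non-mandatory cases, just send a UMA stat.` also no longer describes the statements under it, which only log a warning, so it should say that or be dropped. DeltaPerformer::Write begins before and continues past this hunk.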