Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 5bfe56ad authored by Edwin Wong's avatar Edwin Wong Committed by android-build-team Robot
Browse files

[RESTRICT AUTOMERGE] Fix potential decrypt destPtr overflow. 

There is a potential integer overflow to bypass the
destination base size check in decrypt. The destPtr
can then point to the outside of the destination buffer.

Test: sts-tradefed
  sts-tradefed run sts-engbuild-no-spl-lock -m StsHostTestCases --test android.security.sts.Bug_176444622#testPocBug_176444622

Test: push to device with target_hwasan-userdebug build
  adb shell /data/local/tmp/Bug-17644462264

Bug: 176444622
Bug: 176496353
Change-Id: I5fed981c4b0f70db6cdce532c446e264768e964c
(cherry picked from commit 3c9044cd)
parent 36a9ecd9

drm/mediadrm/plugins/clearkey/hidl/CryptoPlugin.cpp

+5 −3
Original line number Diff line number Diff line
@@ -142,13 +142,15 @@ Return<void> CryptoPlugin::decrypt_1_2( 


    base = static_cast<uint8_t *>(static_cast<void *>(destBase->getPointer()));



    if (destBuffer.offset + destBuffer.size > destBase->getSize()) {

    totalSize = 0;

    if (__builtin_add_overflow(destBuffer.offset, destBuffer.size, &totalSize) ||

        totalSize > destBase->getSize()) {

        android_errorWriteLog(0x534e4554, "176444622");

        _hidl_cb(Status_V1_2::ERROR_DRM_FRAME_TOO_LARGE, 0, "invalid buffer size");

        return Void();

    }

    destPtr = static_cast<void*>(base + destination.nonsecureMemory.offset);





    // Calculate the output buffer size and determine if any subsamples are

    // encrypted.

    size_t destSize = 0;