Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 5dd7590c authored by Robert Shih's avatar Robert Shih
Browse files

[RESTRICT AUTOMERGE] clearkey hidl CryptoPlugin: security fixes 

* reject native handle output
* validate subsample sizes

Bug: 137283376
Test: cryptopoc
Change-Id: Ic4267fdc0e391bdecc1caab3b8fd4aa34ad76541
parent 874ec86e

drm/mediadrm/plugins/clearkey/hidl/CryptoPlugin.cpp

+28 −18
Original line number Diff line number Diff line
@@ -77,6 +77,10 @@ Return<void> CryptoPlugin::decrypt( 
                 "destination decrypt buffer base not set");

        return Void();

      }

    } else {

        _hidl_cb(Status::ERROR_DRM_CANNOT_HANDLE, 0,

                 "destination type not supported");

        return Void();

    }



    sp<IMemory> sourceBase = mSharedBufferMap[source.bufferId];
@@ -94,7 +98,7 @@ Return<void> CryptoPlugin::decrypt( 
            (static_cast<void *>(sourceBase->getPointer()));

    uint8_t* srcPtr = static_cast<uint8_t *>(base + source.offset + offset);

    void* destPtr = NULL;

    if (destination.type == BufferType::SHARED_MEMORY) {

    // destination.type == BufferType::SHARED_MEMORY

    const SharedBuffer& destBuffer = destination.nonsecureMemory;

    sp<IMemory> destBase = mSharedBufferMap[destBuffer.bufferId];

    if (destBase == nullptr) {
@@ -107,11 +111,6 @@ Return<void> CryptoPlugin::decrypt( 
        return Void();

    }

    destPtr = static_cast<void *>(base + destination.nonsecureMemory.offset);

    } else if (destination.type == BufferType::NATIVE_HANDLE) {

        native_handle_t *handle = const_cast<native_handle_t *>(

        destination.secureMemory.getNativeHandle());

        destPtr = static_cast<void *>(handle);

    }



    // Calculate the output buffer size and determine if any subsamples are

    // encrypted.
@@ -119,13 +118,24 @@ Return<void> CryptoPlugin::decrypt( 
    bool haveEncryptedSubsamples = false;

    for (size_t i = 0; i < subSamples.size(); i++) {

        const SubSample &subSample = subSamples[i];

        destSize += subSample.numBytesOfClearData;

        destSize += subSample.numBytesOfEncryptedData;

        if (__builtin_add_overflow(destSize, subSample.numBytesOfClearData, &destSize)) {

            _hidl_cb(Status::BAD_VALUE, 0, "subsample clear size overflow");

            return Void();

        }

        if (__builtin_add_overflow(destSize, subSample.numBytesOfEncryptedData, &destSize)) {

            _hidl_cb(Status::BAD_VALUE, 0, "subsample encrypted size overflow");

            return Void();

        }

        if (subSample.numBytesOfEncryptedData > 0) {

        haveEncryptedSubsamples = true;

        }

    }



    if (destSize > destBuffer.size) {

        _hidl_cb(Status::BAD_VALUE, 0, "subsample sum too large");

        return Void();

    }



    if (mode == Mode::UNENCRYPTED) {

        if (haveEncryptedSubsamples) {

            _hidl_cb(Status::ERROR_DRM_CANNOT_HANDLE, 0,