Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit e63e9163 authored Sep 20, 2022 by Edwin Wong

[Fix vulnerability] Must validate input for decrypt.

There is a possible out of bounds read in Session::decrypt
due to lack of input validation.

Poc test is in http://go/ag/20002511

Test: sts-tradefed run  sts-dynamic-develop  -m StsHostTestCases -t android.security.sts.Bug_244569759#testPocBug_244569759

Bug: 244569759
Change-Id: I493200ba090226b5362d758c5dcc4b81f94d24c0

parent 6edb934c

drm/mediadrm/plugins/clearkey/aidl/CryptoPlugin.cpp

+5 −0

Original line number	Diff line number	Diff line
		@@ -144,6 +144,11 @@ using ::aidl::android::hardware::drm::Status;
		clearDataLengths.push_back(ss.numBytesOfClearData);
		encryptedDataLengths.push_back(ss.numBytesOfEncryptedData);
		}
		if (in_args.keyId.size() != kBlockSize \|\| in_args.iv.size() != kBlockSize) {
		android_errorWriteLog(0x534e4554, "244569759");
		detailedError = "invalid decrypt parameter size";
		return toNdkScopedAStatus(Status::ERROR_DRM_CANNOT_HANDLE, detailedError);
		}
		auto res =
		mSession->decrypt(in_args.keyId.data(), in_args.iv.data(),
		srcPtr, static_cast<uint8_t*>(destPtr),

drm/mediadrm/plugins/clearkey/hidl/CryptoPlugin.cpp

+5 −0

Original line number	Diff line number	Diff line
		@@ -206,6 +206,11 @@ Return<void> CryptoPlugin::decrypt_1_2(
		return Void();
		} else if (mode == Mode::AES_CTR) {
		size_t bytesDecrypted;
		if (keyId.size() != kBlockSize \|\| iv.size() != kBlockSize) {
		android_errorWriteLog(0x534e4554, "244569759");
		_hidl_cb(Status_V1_2::ERROR_DRM_CANNOT_HANDLE, 0, "invalid decrypt parameter size");
		return Void();
		}
		Status_V1_2 res = mSession->decrypt(keyId.data(), iv.data(), srcPtr,
		static_cast<uint8_t*>(destPtr), toVector(subSamples), &bytesDecrypted);
		if (res == Status_V1_2::OK) {