Commit 7e54c3f2 authored by y's avatar y Committed by Atanas Kirilov

ResStringPool: Fix security vulnerability

Adds detection of attacker-modified size and data fields passed to
ResStringPool::setTo(). These attacks are modified apks that AAPT would
not normally generate. In the rare case this occurs, the installation
cannot be allowed to continue.

Bug: 71361168
Bug: 71360999
Test: run cts -m CtsAppSecurityHostTestCases \
          -t android.appsecurity.cts.CorruptApkTests

Change-Id: If7eb93a9e723b16c8a0556fc4e20006aa0391d57
Merged-In: If7eb93a9e723b16c8a0556fc4e20006aa0391d57
parent de71ee46
......@@ -455,6 +455,22 @@ status_t ResStringPool::setTo(const void* data, size_t size, bool copyData)
// The chunk must be at least the size of the string pool header.
if (size < sizeof(ResStringPool_header)) {
LOG_ALWAYS_FATAL("Bad string block: data size %zu is too small to be a string block", size);
return (mError=BAD_TYPE);
// The data is at least as big as a ResChunk_header, so we can safely validate the other
// header fields.
// `data + size` is safe because the source of `size` comes from the kernel/filesystem.
if (validate_chunk(reinterpret_cast<const ResChunk_header*>(data), sizeof(ResStringPool_header),
reinterpret_cast<const uint8_t*>(data) + size,
"ResStringPool_header") != NO_ERROR) {
LOG_ALWAYS_FATAL("Bad string block: malformed block dimensions");
return (mError=BAD_TYPE);
const bool notDeviceEndian = htods(0xf0) != 0xf0;
if (copyData || notDeviceEndian) {
......@@ -466,6 +482,8 @@ status_t ResStringPool::setTo(const void* data, size_t size, bool copyData)
data = mOwnedData;
// The size has been checked, so it is safe to read the data in the ResStringPool_header
// data structure.
mHeader = (const ResStringPool_header*)data;
if (notDeviceEndian) {
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment