Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit ff537c85 authored by Edwin Wong's avatar Edwin Wong
Browse files

[RESTRICT AUTOMERGE] Fix potential decrypt destPtr overflow. 

There is a potential integer overflow to bypass the
destination base size check in decrypt. The destPtr
can then point to the outside of the destination buffer.

Test: sts-tradefed
  sts-tradefed run sts-engbuild-no-spl-lock -m StsHostTestCases --test android.security.sts.Bug_176444622#testPocBug_176444622

Test: push to device with target_hwasan-userdebug build
  adb shell /data/local/tmp/Bug-17644462264

Bug: 176444622
Bug: 176496353
Change-Id: I71b390846a17aecbb9180865e1f9538b4b464abf
parent b64b7704

drm/1.0/default/CryptoPlugin.cpp

+6 −3
Original line number Diff line number Diff line
@@ -80,7 +80,7 @@ namespace implementation { 
            }

        }



        android::CryptoPlugin::Mode legacyMode;

        android::CryptoPlugin::Mode legacyMode = android::CryptoPlugin::kMode_Unencrypted;

        switch(mode) {

        case Mode::UNENCRYPTED:

            legacyMode = android::CryptoPlugin::kMode_Unencrypted;
@@ -147,7 +147,10 @@ namespace implementation { 
                return Void();

            }



            if (destBuffer.offset + destBuffer.size > destBase->getSize()) {

            size_t totalDstSize = 0;

            if (__builtin_add_overflow(destBuffer.offset, destBuffer.size, &totalDstSize) ||

                totalDstSize > destBase->getSize()) {

                android_errorWriteLog(0x534e4554, "176496353");

                _hidl_cb(Status::ERROR_DRM_CANNOT_HANDLE, 0, "invalid buffer size");

                return Void();

            }