Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit f616da17 authored by Tianjie Xu's avatar Tianjie Xu
Browse files

DO NOT MERGE: Add a checker for signature boundary in verifier 

The 'signature_start' variable marks the location of the signature
from the end of a zip archive. And a boundary check is missing where
'signature_start' should be within the EOCD comment field. This causes
problems when sideloading a malicious package. Also add a corresponding
test.

Bug: 31914369
Test: Verification fails correctly when sideloading recovery_test.zip on
angler.

Change-Id: I6ea96bf04dac5d8d4d6719e678d504f957b4d5c1
(cherry-picked from f69e6a94)
(cherry picked from commit 54ea136f)
parent 839b4e59

verifier.cpp

+7 −0
Original line number Diff line number Diff line
@@ -79,6 +79,13 @@ int verify_file(const char* path, const Certificate* pKeys, unsigned int numKeys 
    LOGI("comment is %d bytes; signature %d bytes from end\n",

         comment_size, signature_start);



    if (signature_start > comment_size) {

        LOGE("signature start: %zu is larger than comment size: %zu\n", signature_start,

             comment_size);

        fclose(f);

        return VERIFY_FAILURE;

    }



    if (signature_start - FOOTER_SIZE < RSANUMBYTES) {

        // "signature" block isn't big enough to contain an RSA block.

        LOGE("signature is too short\n");