Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

This project is archived. Its data is read-only.

Commit f69e6a94 authored Dec 16, 2016 by Tianjie Xu

Add a checker for signature boundary in verifier

The 'signature_start' variable marks the location of the signature
from the end of a zip archive. And a boundary check is missing where
'signature_start' should be within the EOCD comment field. This causes
problems when sideloading a malicious package. Also add a corresponding
test.

Bug: 31914369
Test: Verification fails correctly when sideloading recovery_test.zip on
angler.

Change-Id: I6ea96bf04dac5d8d4d6719e678d504f957b4d5c1

parent cc1ecf79

tests/component/verifier_test.cpp

+2 −1

Original line number	Diff line number	Diff line
		@@ -155,4 +155,5 @@ INSTANTIATE_TEST_CASE_P(BadPackage, VerifierFailureTest,
		std::vector<std::string>({"random.zip", "v1"}),
		std::vector<std::string>({"fake-eocd.zip", "v1"}),
		std::vector<std::string>({"alter-metadata.zip", "v1"}),
		std::vector<std::string>({"alter-footer.zip", "v1"})));
		std::vector<std::string>({"alter-footer.zip", "v1"}),
		std::vector<std::string>({"signature-boundary.zip", "v1"})));

tests/testdata/signature-boundary.zip

0 → 100644

+22 B

File added.

No diff preview for this file type.

verifier.cpp

+6 −0

Original line number	Diff line number	Diff line
		@@ -147,6 +147,12 @@ int verify_file(unsigned char* addr, size_t length,
		LOG(INFO) << "comment is " << comment_size << " bytes; signature is " << signature_start
		<< " bytes from end";

		if (signature_start > comment_size) {
		LOG(ERROR) << "signature start: " << signature_start << " is larger than comment size: "
		<< comment_size;
		return VERIFY_FAILURE;
		}

		if (signature_start <= FOOTER_SIZE) {
		LOG(ERROR) << "Signature start is in the footer";
		return VERIFY_FAILURE;