PawletOS/android_bootable_recovery
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

DO NOT MERGE: Add a checker for signature boundary in verifier

Browse Source 
The 'signature_start' variable marks the location of the signature
from the end of a zip archive. And a boundary check is missing where
'signature_start' should be within the EOCD comment field. This causes
problems when sideloading a malicious package. Also add a corresponding
test.

Bug: 31914369
Test: Verification fails correctly when sideloading recovery_test.zip on
angler.

Change-Id: I6ea96bf04dac5d8d4d6719e678d504f957b4d5c1
(cherry-picked from f69e6a9475)
(cherry picked from commit 54ea136fde)
This commit is contained in:
Tianjie Xu
2016-12-16 16:24:09 -08:00
parent 839b4e592a
commit f616da1726
1 changed files with 7 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
verifier.cpp
+7
View File
@@ -79,6 +79,13 @@ int verify_file(const char* path, const Certificate* pKeys, unsigned int numKeys
LOGI("comment is %d bytes; signature %d bytes from end\n", LOGI("comment is %d bytes; signature %d bytes from end\n",
comment_size, signature_start); comment_size, signature_start);
if (signature_start > comment_size) {
LOGE("signature start: %zu is larger than comment size: %zu\n", signature_start,
comment_size);
fclose(f);
return VERIFY_FAILURE;
}
if (signature_start - FOOTER_SIZE < RSANUMBYTES) { if (signature_start - FOOTER_SIZE < RSANUMBYTES) {
// "signature" block isn't big enough to contain an RSA block. // "signature" block isn't big enough to contain an RSA block.
LOGE("signature is too short\n"); LOGE("signature is too short\n");