The fields of the ZipArchive on the stack are not initialized before we
call libminzip to parse the zip file. As a result, some random memory
location is freed unintentionally when we close the ZipArchive upon
parsing failures.
Bug: 35385357
Test: recompile and run the poc with asan.
Change-Id: I7e7f8ab4816c84a158af7389e1a889f8fc65f079
The 'signature_start' variable marks the location of the signature
from the end of a zip archive. And a boundary check is missing where
'signature_start' should be within the EOCD comment field. This causes
problems when sideloading a malicious package. Also add a corresponding
test.
Bug: 31914369
Test: Verification fails correctly when sideloading recovery_test.zip on
angler.
Change-Id: I6ea96bf04dac5d8d4d6719e678d504f957b4d5c1
(cherry-picked from f69e6a9475)
(cherry picked from commit 54ea136fde)
The 'signature_start' variable marks the location of the signature
from the end of a zip archive. And a boundary check is missing where
'signature_start' should be within the EOCD comment field. This causes
problems when sideloading a malicious package. Also add a corresponding
test.
Bug: 31914369
Test: Verification fails correctly when sideloading recovery_test.zip on
angler.
Change-Id: I6ea96bf04dac5d8d4d6719e678d504f957b4d5c1
(cherry-picked from f69e6a9475)
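The 'signature_start' boundary check described in the two commit messages above, as an added example; it is not the code from this change. The 6-byte footer layout, the extra sanity checks and all names (CheckFooter, kFooterSize, the sample buffers) are assumptions made for illustration.

```cpp
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

// Assumed footer layout (last 6 bytes of the EOCD comment), not taken from the page:
//   signature_start (LE16) | 0xff 0xff | comment_size (LE16)
constexpr size_t kFooterSize = 6;

enum FooterStatus { kOk, kTooShort, kBadMarker, kCommentTooLarge,
                    kSigOutsideComment, kSigInsideFooter };

// Validates the footer; on kOk stores the signature's offset from the start
// of the buffer in *sig_off (which may be null).
FooterStatus CheckFooter(const uint8_t* file, size_t len, size_t* sig_off) {
  if (len < kFooterSize) return kTooShort;
  const uint8_t* f = file + len - kFooterSize;
  if (f[2] != 0xff || f[3] != 0xff) return kBadMarker;

  size_t signature_start = f[0] | (static_cast<size_t>(f[1]) << 8);
  size_t comment_size = f[4] | (static_cast<size_t>(f[5]) << 8);
  if (comment_size > len) return kCommentTooLarge;  // extra sanity check (assumption)

  // The boundary check: the signature must start inside the comment. Without
  // it, len - signature_start below can land before the comment, or wrap.
  if (signature_start > comment_size) return kSigOutsideComment;
  // The signature must also begin before the footer itself (assumption).
  if (signature_start <= kFooterSize) return kSigInsideFooter;

  if (sig_off != nullptr) *sig_off = len - signature_start;
  return kOk;
}

// Constructed samples: a 14-byte comment = 4 filler + 4 "signature" + footer.
const uint8_t kGood[] = {'c','m','t',0, 0xAA,0xBB,0xCC,0xDD, 0x0a,0x00, 0xff,0xff, 0x0e,0x00};
// signature_start = 0x0100 (256) exceeds comment_size = 14.
const uint8_t kOutside[] = {'c','m','t',0, 0xAA,0xBB,0xCC,0xDD, 0x00,0x01, 0xff,0xff, 0x0e,0x00};
// signature_start = 4 would place the signature inside the 6-byte footer.
const uint8_t kInFooter[] = {'c','m','t',0, 0xAA,0xBB,0xCC,0xDD, 0x04,0x00, 0xff,0xff, 0x0e,0x00};

int main() {
  size_t off = 0;
  FooterStatus s = CheckFooter(kGood, sizeof(kGood), &off);
  printf("good:      status=%d offset=%zu\n", s, off);
  printf("outside:   status=%d\n", CheckFooter(kOutside, sizeof(kOutside), nullptr));
  printf("in footer: status=%d\n", CheckFooter(kInFooter, sizeof(kInFooter), nullptr));
  return 0;
}
```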
Starting healthd in early-init can cause SELinux denials if healthd
or any device-specific libraries try to log.
Now healthd is starting at boot as a usual service.
Bug: 30292927
Change-Id: I367d022f5885122da49181db3db536012e83f564
For A/B devices, "view recovery logs" doesn't work due to the lack
of cache partition. To help debugging, we'll show /tmp/recovery.log
instead if /cache is not found.
Change-Id: Idb77c3a4c30388148a210b38d732a7b27e757bba
Test: Tested on an A/B device and /tmp/recovery.log showed up.
Bug: 30905700
(cherry picked from commit a54f75ede8)
This missing header is needed to use PRIu64 macros.
Bug: 27178350
TEST=`mma bootable/recovery` on the failing branch.
Change-Id: I165701e8019256426d3f6a4168db52c6a0197c4d
This patch enables sideloading an OTA on A/B devices while running from
recovery. Recovery accepts the same OTA package format as recent
versions of GMS, which consists of a .zip file with the payload in it.
Bug: 27178350
TEST=`adb sideload` successfully a full OTA (*)
TEST=Failed to take several invalid payloads (wrong product,
fingerprint, update type, serial, etc).
(*) with no postinstall script.
Change-Id: I951869340100feb5a37e41fac0ee59c10095659e
Recently flashed devices may not have care_map.txt in /data/ota_package.
This leads to a failure of update-verifier and prevents the boot
success flag from being set. So, we need to skip verification
in case the file is not found.
Error message:
... I update_verifier: Started with arg 1: nonencrypted
... I update_verifier: Booting slot 1: isSlotMarkedSuccessful=0
... E update_verifier: Care map /data/ota_package/care_map.txt not found.
... E update_verifier: Failed to verify all blocks in care map file
Bug: 30156449
Change-Id: Ia15f5f3e7ca2ea6981d49678e799b9f70d134faa
The veritymode string used by the bootloader should be lowercase 'eio'
instead of 'EIO'. Fix the typo and change to strcasecmp.
Bug: 27175949
Change-Id: I376dacc70eef7364e2b9931a7c940adedcdb1929
Read all blocks in system and vendor partition during boot time
so that dm-verity could verify this partition is properly flashed.
Bug: 27175949
Change-Id: I38ff7b18ee4f2733e639b89633d36f5ed551c989
Skip the OTA installation when bootreason is 'kernel_panic',
'Panic' etc.
Change-Id: Ic1202492bffefa1a9d8d0e691b5af979285e552c
Test: On angler, ota installation skips for one bootreason in the blacklist.
Bug: 29978689
Add support for landscape layouts to the existing portrait support.
Bug: http://b/29418855
Test: tested manually with "Run graphics test" on flounder/fugu/ryu.
Change-Id: Ib4a62bf5f2b8a1cef6028a01f05145104660560a
Was accidentally broken by the CL in [1].
[1]: commit d6c93afcc2
Bug: 29767315
Change-Id: I851e13ccea6f5be6fcd47f712cc95867245f9934
(cherry picked from commit efacd80364)
bootloader_messages merges bootloader_message_writer
and bootloader.cpp, so we can use the same library to
manage bootloader_message in normal boot and recovery mode.
Bug: 29582118
Change-Id: I9efdf776ef8f02b53911ff43a518e035e0c29618