diff options
| author | Robert Shih <robertshih@google.com> | 2019-09-11 14:10:14 -0700 |
|---|---|---|
| committer | Max Spector <mspector@google.com> | 2019-09-18 17:13:43 -0700 |
| commit | fdcf5a9b0d68602ce1aacb69605d885ecaaf8c84 (patch) | |
| tree | 4a58aa9ca34e3262de1faca84c9bda93d3fb0130 | |
| parent | 6e253ab2c96b79ba95e116ece5a11715e6f61e29 (diff) | |
| download | android_hardware_interfaces-fdcf5a9b0d68602ce1aacb69605d885ecaaf8c84.tar.gz android_hardware_interfaces-fdcf5a9b0d68602ce1aacb69605d885ecaaf8c84.tar.bz2 android_hardware_interfaces-fdcf5a9b0d68602ce1aacb69605d885ecaaf8c84.zip | |
default hidl CryptoPlugin: security fixes [RESTRICT AUTOMERGE]
* reject native handle output for clearkey
* validate subsample sizes
Bug: 137370777
Test: cryptopoc
Change-Id: I2a81f2a00ebf7954b16fb10d2af586ce0da801ed
(cherry picked from commit d22f1447fe2fc10dbf45bde6fb4a7cb6f7a8a7ca)
| -rw-r--r-- | drm/1.0/default/CryptoPlugin.cpp | 35 |
1 files changed, 31 insertions, 4 deletions
diff --git a/drm/1.0/default/CryptoPlugin.cpp b/drm/1.0/default/CryptoPlugin.cpp index fd75dbd3f..aa5c6edc6 100644 --- a/drm/1.0/default/CryptoPlugin.cpp +++ b/drm/1.0/default/CryptoPlugin.cpp @@ -102,11 +102,22 @@ namespace implementation { android::CryptoPlugin::SubSample *legacySubSamples = new android::CryptoPlugin::SubSample[subSamples.size()]; + size_t destSize = 0; for (size_t i = 0; i < subSamples.size(); i++) { - legacySubSamples[i].mNumBytesOfClearData - = subSamples[i].numBytesOfClearData; - legacySubSamples[i].mNumBytesOfEncryptedData - = subSamples[i].numBytesOfEncryptedData; + uint32_t numBytesOfClearData = subSamples[i].numBytesOfClearData; + legacySubSamples[i].mNumBytesOfClearData = numBytesOfClearData; + uint32_t numBytesOfEncryptedData = subSamples[i].numBytesOfEncryptedData; + legacySubSamples[i].mNumBytesOfEncryptedData = numBytesOfEncryptedData; + if (__builtin_add_overflow(destSize, numBytesOfClearData, &destSize)) { + delete[] legacySubSamples; + _hidl_cb(Status::BAD_VALUE, 0, "subsample clear size overflow"); + return Void(); + } + if (__builtin_add_overflow(destSize, numBytesOfEncryptedData, &destSize)) { + delete[] legacySubSamples; + _hidl_cb(Status::BAD_VALUE, 0, "subsample encrypted size overflow"); + return Void(); + } } AString detailMessage; @@ -138,11 +149,27 @@ namespace implementation { _hidl_cb(Status::ERROR_DRM_CANNOT_HANDLE, 0, "invalid buffer size"); return Void(); } + + if (destSize > destBuffer.size) { + delete[] legacySubSamples; + _hidl_cb(Status::BAD_VALUE, 0, "subsample sum too large"); + return Void(); + } + destPtr = static_cast<void *>(base + destination.nonsecureMemory.offset); } else if (destination.type == BufferType::NATIVE_HANDLE) { + if (!secure) { + delete[] legacySubSamples; + _hidl_cb(Status::BAD_VALUE, 0, "native handle destination must be secure"); + return Void(); + } native_handle_t *handle = const_cast<native_handle_t *>( destination.secureMemory.getNativeHandle()); destPtr = static_cast<void *>(handle); + } else { + delete[] legacySubSamples; + _hidl_cb(Status::BAD_VALUE, 0, "invalid destination type"); + return Void(); } ssize_t result = mLegacyPlugin->decrypt(secure, keyId.data(), iv.data(), legacyMode, legacyPattern, srcPtr, legacySubSamples, |