diff options
author | Janis Danisevskis <jdanis@google.com> | 2018-06-04 17:25:45 -0700 |
---|---|---|
committer | Janis Danisevskis <jdanis@google.com> | 2018-06-04 17:44:58 -0700 |
commit | c6d9000526f463bc109964b73ed751ae09fc2da7 (patch) | |
tree | 6dbc19849752c206e135ab59349ebb1cc62bb435 /contexts | |
parent | a1a25ff30e8e9f46d4da72bac672469352c839bb (diff) | |
download | android_system_keymaster-c6d9000526f463bc109964b73ed751ae09fc2da7.tar.gz android_system_keymaster-c6d9000526f463bc109964b73ed751ae09fc2da7.tar.bz2 android_system_keymaster-c6d9000526f463bc109964b73ed751ae09fc2da7.zip |
Invalid ownership transfer in keymaster2_passthrough_context
In Keymaster2PassthroughContext::ParseKeyBlob we use GetTagValue to
retrieve the blobs of application id and application value. GetTagValue
only fills a keymaster_blob_t with pointers to memory owned by the
corresponding AuthorizationSet, however, we passed in pointers to
KeymasterBob which takes ownership leading to an invalid free.
This was independently reported and fixed by:
Yan, Shaopu <shaopu.yan@intel.com>
vink.shen@mediatek.corp-partner.google.com
Bug: 79305673
Bug: 80554869
Change-Id: I1c8e54ba5fe1d2d6b70abc9cf95432fb1c5e55f6
Diffstat (limited to 'contexts')
-rw-r--r-- | contexts/keymaster2_passthrough_context.cpp | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/contexts/keymaster2_passthrough_context.cpp b/contexts/keymaster2_passthrough_context.cpp index fe904ea..678eaaa 100644 --- a/contexts/keymaster2_passthrough_context.cpp +++ b/contexts/keymaster2_passthrough_context.cpp @@ -69,10 +69,10 @@ keymaster_error_t Keymaster2PassthroughContext::UpgradeKeyBlob( keymaster_error_t Keymaster2PassthroughContext::ParseKeyBlob(const KeymasterKeyBlob& blob, const AuthorizationSet& additional_params, UniquePtr<Key>* key) const { keymaster_key_characteristics_t characteristics = {}; - KeymasterBlob clientId; - KeymasterBlob applicationData; - KeymasterBlob* clientIdPtr = &clientId; - KeymasterBlob* applicationDataPtr = &applicationData; + keymaster_blob_t clientId; + keymaster_blob_t applicationData; + keymaster_blob_t* clientIdPtr = &clientId; + keymaster_blob_t* applicationDataPtr = &applicationData; if (!additional_params.GetTagValue(TAG_APPLICATION_ID, clientIdPtr)) { clientIdPtr = nullptr; } |