diff options
author | Tianjie Xu <xunchang@google.com> | 2016-12-16 16:24:09 -0800 |
---|---|---|
committer | gitbuildkicker <android-build@google.com> | 2017-01-20 13:44:56 -0800 |
commit | 8c515631874d78ca9d2c34ea12ab7ddd1665da0e (patch) | |
tree | f90c7c7c1e65b8ad4279dfe4883e46a80e0a7321 | |
parent | 37d7d67ca216972cba9259aa5866220d6abfaf14 (diff) | |
download | recovery-nougat-mr1-volantis-release.tar.gz |
Add a checker for signature boundary in verifierandroid-7.1.1_r58android-7.1.1_r54android-7.1.1_r53android-7.1.1_r51android-7.1.1_r49android-7.1.1_r47android-7.1.1_r46android-7.1.1_r44android-7.1.1_r43android-7.1.1_r41android-7.1.1_r39android-7.1.1_r33android-7.1.1_r32android-7.1.1_r31android-7.1.1_r24nougat-mr1.1-releasenougat-mr1-volantis-releasenougat-mr1-flounder-release
The 'signature_start' variable marks the location of the signature
from the end of a zip archive. And a boundary check is missing where
'signature_start' should be within the EOCD comment field. This causes
problems when sideloading a malicious package. Also add a corresponding
test.
Bug: 31914369
Test: Verification fails correctly when sideloading recovery_test.zip on
angler.
Change-Id: I6ea96bf04dac5d8d4d6719e678d504f957b4d5c1
(cherry-picked from f69e6a9475983b2ad46729e44ab58d2b22cd74d0)
(cherry picked from commit 54ea136fded56810bf475885eb4bd7bf1b11f09c)
-rw-r--r-- | verifier.cpp | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/verifier.cpp b/verifier.cpp index 16cc7cf0..2d1b0e74 100644 --- a/verifier.cpp +++ b/verifier.cpp @@ -146,6 +146,12 @@ int verify_file(unsigned char* addr, size_t length, LOGI("comment is %zu bytes; signature %zu bytes from end\n", comment_size, signature_start); + if (signature_start > comment_size) { + LOGE("signature start: %zu is larger than comment size: %zu\n", signature_start, + comment_size); + return VERIFY_FAILURE; + } + if (signature_start <= FOOTER_SIZE) { LOGE("Signature start is in the footer"); return VERIFY_FAILURE; |