Limit dup_buffer to 16 MiB allocations.

Bug: 21888473
Change-Id: I14c658f5c57bd551e4d136b7d6146b8efdfacf27
diff --git a/android_keymaster_utils.cpp b/android_keymaster_utils.cpp
index b0f3ad2..053e72a 100644
--- a/android_keymaster_utils.cpp
+++ b/android_keymaster_utils.cpp
@@ -20,7 +20,13 @@
 
 namespace keymaster {
 
+// Keymaster never manages enormous buffers, so anything particularly large is bad data or the
+// result of a bug.  We arbitrarily set a 16 MiB limit.
+const size_t kMaxDupBufferSize = 16 * 1024 * 1024;
+
 uint8_t* dup_buffer(const void* buf, size_t size) {
+    if (size >= kMaxDupBufferSize)
+        return nullptr;
     uint8_t* retval = new (std::nothrow) uint8_t[size];
     if (retval)
         memcpy(retval, buf, size);
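Review bot: The guard `if (size >= kMaxDupBufferSize)` rejects a request of exactly 16 MiB, while the comment above it describes a 16 MiB limit, so the comment and the code disagree on the boundary; either change it to `if (size > kMaxDupBufferSize)` or reword the comment to "sizes at or above 16 MiB are refused" so the documented limit matches the check the test pins with its `+ 1`. The early return deliberately reuses the existing allocation-failure path (a nullptr result skips the memcpy), which is the right shape for a bad-input check, but a caller now cannot distinguish "allocation failed" from "size rejected"; a short comment such as `// Returns nullptr for both allocation failure and oversized requests.` above the function would make that contract explicit. The rest of dup_buffer, including its return statement, lies outside the hunk.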
diff --git a/key_blob_test.cpp b/key_blob_test.cpp
index 20349c0..1e590f0 100644
--- a/key_blob_test.cpp
+++ b/key_blob_test.cpp
@@ -328,29 +328,33 @@
 TEST_F(KeyBlobTest, UnderflowTest) {
     uint8_t buf[0];
     keymaster_key_blob_t blob = {buf, 0};
-    KeymasterKeyBlob key_blob1(blob);
-    EXPECT_NE(nullptr, key_blob1.key_material);
-    EXPECT_EQ(0U, key_blob1.key_material_size);
+    KeymasterKeyBlob key_blob(blob);
+    EXPECT_NE(nullptr, key_blob.key_material);
+    EXPECT_EQ(0U, key_blob.key_material_size);
 
     EXPECT_EQ(KM_ERROR_INVALID_KEY_BLOB,
-              DeserializeIntegrityAssuredBlob(key_blob1, hidden_, &key_material_, &hw_enforced_,
+              DeserializeIntegrityAssuredBlob(key_blob, hidden_, &key_material_, &hw_enforced_,
                                               &sw_enforced_));
 
     EXPECT_EQ(KM_ERROR_INVALID_KEY_BLOB,
-              DeserializeAuthEncryptedBlob(key_blob1, &ciphertext_, &hw_enforced_, &sw_enforced_,
+              DeserializeAuthEncryptedBlob(key_blob, &ciphertext_, &hw_enforced_, &sw_enforced_,
                                            &nonce_, &tag_));
+}
 
-    blob.key_material_size = UINT32_MAX;
-    KeymasterKeyBlob key_blob2(blob);
-    EXPECT_EQ(nullptr, key_blob2.key_material);
-    EXPECT_EQ(0U, key_blob2.key_material_size);
+TEST_F(KeyBlobTest, DupBufferToolarge) {
+    uint8_t buf[0];
+    keymaster_key_blob_t blob = {buf, 0};
+    blob.key_material_size = 16 * 1024 * 1024 + 1;
+    KeymasterKeyBlob key_blob(blob);
+    EXPECT_EQ(nullptr, key_blob.key_material);
+    EXPECT_EQ(0U, key_blob.key_material_size);
 
     ASSERT_EQ(KM_ERROR_INVALID_KEY_BLOB,
-              DeserializeIntegrityAssuredBlob(key_blob2, hidden_, &key_material_, &hw_enforced_,
+              DeserializeIntegrityAssuredBlob(key_blob, hidden_, &key_material_, &hw_enforced_,
                                               &sw_enforced_));
 
     EXPECT_EQ(KM_ERROR_INVALID_KEY_BLOB,
-              DeserializeAuthEncryptedBlob(key_blob2, &ciphertext_, &hw_enforced_, &sw_enforced_,
+              DeserializeAuthEncryptedBlob(key_blob, &ciphertext_, &hw_enforced_, &sw_enforced_,
                                            &nonce_, &tag_));
 }
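Review bot: The new test hard-codes `16 * 1024 * 1024 + 1` instead of deriving it from the limit, so if kMaxDupBufferSize is ever changed this test silently stops exercising the boundary; since the constant is a namespace-scope `const` in android_keymaster_utils.cpp it is not visible here, so consider declaring it in the corresponding header (or at least adding `// Must match kMaxDupBufferSize in android_keymaster_utils.cpp` beside the literal). The removed UINT32_MAX case covered the widest possible size, and the rewrite keeps only one value just over the limit; retaining the UINT32_MAX assignment as a second case, and adding the exact-limit value that the `>=` check rejects, would keep that coverage. The test name `DupBufferToolarge` does not follow the CamelCase used by the neighbouring tests; `DupBufferTooLarge` would.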