Google Git
Sign in
android / platform / system / update_engine / refs/tags/android-11.0.0_r33^1..refs/tags/android-11.0.0_r33 / .
commitc71939df6ae98204c94e141e79a33df217d568af[log] [tgz]
authorandroid-build-team Robot <android-build-team-robot@google.com>Sat Dec 19 00:23:18 2020 +0000
committerandroid-build-team Robot <android-build-team-robot@google.com>Sat Dec 19 00:23:18 2020 +0000
tree988b705ee5a8b6da6b8fbaca0ee60461c5ddc267
parent002faadc0f857ef192e598e0c5c0832d0cd7610b [diff]
parent1205ea684e81a6f14db7d5556f3eda2fd014b8d8 [diff]
Snap for 7041858 from 1205ea684e81a6f14db7d5556f3eda2fd014b8d8 to rvc-qpr2-release

Change-Id: I86cab4f88ef1b4cc2c97370fbaa5ddc2a371df16

diff --git a/payload_consumer/delta_performer.cc b/payload_consumer/delta_performer.cc
index 4c4ff04..15973e9 100644
--- a/payload_consumer/delta_performer.cc
+++ b/payload_consumer/delta_performer.cc

@@ -690,27 +690,24 @@
     if (!CanPerformInstallOperation(op))
       return true;
 
-    // Validate the operation only if the metadata signature is present.
-    // Otherwise, keep the old behavior. This serves as a knob to disable
-    // the validation logic in case we find some regression after rollout.
-    // NOTE: If hash checks are mandatory and if metadata_signature is empty,
-    // we would have already failed in ParsePayloadMetadata method and thus not
-    // even be here. So no need to handle that case again here.
-    if (!payload_->metadata_signature.empty()) {
-      // Note: Validate must be called only if CanPerformInstallOperation is
-      // called. Otherwise, we might be failing operations before even if there
-      // isn't sufficient data to compute the proper hash.
-      *error = ValidateOperationHash(op);
-      if (*error != ErrorCode::kSuccess) {
-        if (install_plan_->hash_checks_mandatory) {
-          LOG(ERROR) << "Mandatory operation hash check failed";
-          return false;
-        }
-
-        // For non-mandatory cases, just send a UMA stat.
-        LOG(WARNING) << "Ignoring operation validation errors";
-        *error = ErrorCode::kSuccess;
+    // Validate the operation unconditionally. This helps prevent the
+    // exploitation of vulnerabilities in the patching libraries, e.g. bspatch.
+    // The hash of the patch data for a given operation is embedded in the
+    // payload metadata; and thus has been verified against the public key on
+    // device.
+    // Note: Validate must be called only if CanPerformInstallOperation is
+    // called. Otherwise, we might be failing operations before even if there
+    // isn't sufficient data to compute the proper hash.
+    *error = ValidateOperationHash(op);
+    if (*error != ErrorCode::kSuccess) {
+      if (install_plan_->hash_checks_mandatory) {
+        LOG(ERROR) << "Mandatory operation hash check failed";
+        return false;
       }
+
+      // For non-mandatory cases, just send a UMA stat.
+      LOG(WARNING) << "Ignoring operation validation errors";
+      *error = ErrorCode::kSuccess;
     }
 
     // Makes sure we unblock exit when this operation completes.