Snap for 7041858 from 1205ea684e81a6f14db7d5556f3eda2fd014b8d8 to rvc-qpr2-release

Change-Id: I86cab4f88ef1b4cc2c97370fbaa5ddc2a371df16
diff --git a/payload_consumer/delta_performer.cc b/payload_consumer/delta_performer.cc
index 4c4ff04..15973e9 100644
--- a/payload_consumer/delta_performer.cc
+++ b/payload_consumer/delta_performer.cc
@@ -690,27 +690,24 @@
     if (!CanPerformInstallOperation(op))
       return true;
 
-    // Validate the operation only if the metadata signature is present.
-    // Otherwise, keep the old behavior. This serves as a knob to disable
-    // the validation logic in case we find some regression after rollout.
-    // NOTE: If hash checks are mandatory and if metadata_signature is empty,
-    // we would have already failed in ParsePayloadMetadata method and thus not
-    // even be here. So no need to handle that case again here.
-    if (!payload_->metadata_signature.empty()) {
-      // Note: Validate must be called only if CanPerformInstallOperation is
-      // called. Otherwise, we might be failing operations before even if there
-      // isn't sufficient data to compute the proper hash.
-      *error = ValidateOperationHash(op);
-      if (*error != ErrorCode::kSuccess) {
-        if (install_plan_->hash_checks_mandatory) {
-          LOG(ERROR) << "Mandatory operation hash check failed";
-          return false;
-        }
-
-        // For non-mandatory cases, just send a UMA stat.
-        LOG(WARNING) << "Ignoring operation validation errors";
-        *error = ErrorCode::kSuccess;
+    // Validate the operation unconditionally. This helps prevent the
+    // exploitation of vulnerabilities in the patching libraries, e.g. bspatch.
+    // The hash of the patch data for a given operation is embedded in the
+    // payload metadata; and thus has been verified against the public key on
+    // device.
+    // Note: Validate must be called only if CanPerformInstallOperation is
+    // called. Otherwise, we might be failing operations before even if there
+    // isn't sufficient data to compute the proper hash.
+    *error = ValidateOperationHash(op);
+    if (*error != ErrorCode::kSuccess) {
+      if (install_plan_->hash_checks_mandatory) {
+        LOG(ERROR) << "Mandatory operation hash check failed";
+        return false;
       }
+
+      // For non-mandatory cases, just send a UMA stat.
+      LOG(WARNING) << "Ignoring operation validation errors";
+      *error = ErrorCode::kSuccess;
     }
 
     // Makes sure we unblock exit when this operation completes.
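Review bot: The new comment at the top of the hunk says the unconditional call to ValidateOperationHash "helps prevent the exploitation of vulnerabilities in the patching libraries", but the code directly below still downgrades a mismatch to ErrorCode::kSuccess whenever install_plan_->hash_checks_mandatory is false, so the protection only holds on the mandatory path. The comment should say so, e.g. `// Note: when hash_checks_mandatory is false a mismatch is only logged below and the operation proceeds, so this guard is effective only for mandatory installs.`; otherwise a reader may assume every operation is now rejected on a bad hash. The retained "just send a UMA stat" comment is also out of step with the visible code, which only emits a LOG(WARNING) — consider rewording it to `// For non-mandatory cases, log and continue.` if no stat is actually recorded elsewhere. The enclosing function begins before and ends after this hunk, so the value of hash_checks_mandatory for the non-mandatory case cannot be confirmed from here.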