Google Git
Sign in
android / platform / system / update_engine / refs/tags/android-security-9.0.0_r64^! / .
commit73cc6ef6f658d985d9794dc01b08080941ac20f7[log] [tgz]
authorSen Jiang <senj@google.com>Wed Sep 19 14:29:44 2018 -0700
committerRohit Yengisetty <rngy@google.com>Tue Oct 16 17:30:25 2018 -0700
tree2e832fa33f6249e11659f1eeae0255fe37fc8b56
parente5d1deba6185ba59da0345cb970d2d60c312ab76 [diff]
Check metadata size in payload.

Detect overflow for unsigned integer addition.

Bug: 113118184
Test: manual test with a hand crafted payload
Change-Id: I0155de49c241c392fb74f3d830ceebdb4174f872
(cherry picked from commit 08769f9c05199f96b257eded926975fd83c6edbf)
(cherry picked from commit 3e9410898d2687d7df3bdb03c6830d3ec428c2c6)

diff --git a/payload_consumer/payload_metadata.cc b/payload_consumer/payload_metadata.cc
index fe2df0a..6b8d448 100644
--- a/payload_consumer/payload_metadata.cc
+++ b/payload_consumer/payload_metadata.cc

@@ -109,6 +109,13 @@
          kDeltaManifestSizeSize);
   manifest_size_ = be64toh(manifest_size_);  // switch big endian to host
 
+  metadata_size_ = manifest_offset + manifest_size_;
+  if (metadata_size_ < manifest_size_) {
+    // Overflow detected.
+    *error = ErrorCode::kDownloadInvalidMetadataSize;
+    return MetadataParseResult::kError;
+  }
+
   if (GetMajorVersion() == kBrilloMajorPayloadVersion) {
     // Parse the metadata signature size.
     static_assert(
@@ -123,8 +130,13 @@
            &payload[metadata_signature_size_offset],
            kDeltaMetadataSignatureSizeSize);
     metadata_signature_size_ = be32toh(metadata_signature_size_);
+
+    if (metadata_size_ + metadata_signature_size_ < metadata_size_) {
+      // Overflow detected.
+      *error = ErrorCode::kDownloadInvalidMetadataSize;
+      return MetadataParseResult::kError;
+    }
   }
-  metadata_size_ = manifest_offset + manifest_size_;
   return MetadataParseResult::kSuccess;
 }
 

diff --git a/update_attempter_android.cc b/update_attempter_android.cc
index 04ccb18..406e40a 100644
--- a/update_attempter_android.cc
+++ b/update_attempter_android.cc

@@ -357,14 +357,17 @@
                           "Failed to parse payload header: " +
                               utils::ErrorCodeToString(errorcode));
   }
-  metadata.resize(payload_metadata.GetMetadataSize() +
-                  payload_metadata.GetMetadataSignatureSize());
-  if (metadata.size() < kMaxPayloadHeaderSize) {
+  uint64_t metadata_size = payload_metadata.GetMetadataSize() +
+                           payload_metadata.GetMetadataSignatureSize();
+  if (metadata_size < kMaxPayloadHeaderSize ||
+      metadata_size >
+          static_cast<uint64_t>(utils::FileSize(metadata_filename))) {
     return LogAndSetError(
         error,
         FROM_HERE,
-        "Metadata size too small: " + std::to_string(metadata.size()));
+        "Invalid metadata size: " + std::to_string(metadata_size));
   }
+  metadata.resize(metadata_size);
   if (!fd->Read(metadata.data() + kMaxPayloadHeaderSize,
                 metadata.size() - kMaxPayloadHeaderSize)) {
     return LogAndSetError(