Check metadata size in payload. Detect overflow for unsigned integer addition. Bug: 113118184 Test: manual test with a hand crafted payload Change-Id: I0155de49c241c392fb74f3d830ceebdb4174f872 (cherry picked from commit 08769f9c05199f96b257eded926975fd83c6edbf) 
diff --git a/payload_consumer/payload_metadata.cc b/payload_consumer/payload_metadata.cc
index fe2df0a..6b8d448 100644
--- a/payload_consumer/payload_metadata.cc
+++ b/payload_consumer/payload_metadata.cc
@@ -109,6 +109,13 @@
 kDeltaManifestSizeSize);
 manifest_size_ = be64toh(manifest_size_); // switch big endian to host
 
+ metadata_size_ = manifest_offset + manifest_size_;
+ if (metadata_size_ < manifest_size_) {
+ // Overflow detected.
+ *error = ErrorCode::kDownloadInvalidMetadataSize;
+ return MetadataParseResult::kError;
+ }
+
 if (GetMajorVersion() == kBrilloMajorPayloadVersion) {
 // Parse the metadata signature size.
 static_assert(
@@ -123,8 +130,13 @@
 &payload[metadata_signature_size_offset],
 kDeltaMetadataSignatureSizeSize);
 metadata_signature_size_ = be32toh(metadata_signature_size_);
+
+ if (metadata_size_ + metadata_signature_size_ < metadata_size_) {
+ // Overflow detected.
+ *error = ErrorCode::kDownloadInvalidMetadataSize;
+ return MetadataParseResult::kError;
+ }
 }
- metadata_size_ = manifest_offset + manifest_size_;
 return MetadataParseResult::kSuccess;
 }
 
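Review bot: Both added checks reject only 64-bit wraparound (`metadata_size_ < manifest_size_` in this hunk and `metadata_size_ + metadata_signature_size_ < metadata_size_` in the @@ -123 hunk), so a manifest size just below the wrap point still returns kSuccess with an enormous metadata_size_. Nothing visible here bounds the value against the payload actually available, which leaves that job to every caller; the update_attempter_android.cc change in this commit does it for one caller, and others are not visible from this diff. I would replace the two `// Overflow detected.` comments with one that states the contract, for example `// Rejects wraparound only; callers must bound GetMetadataSize() against the available data before allocating.` The commit message mentions only a manual test, so a unit test feeding a header with a wrapping manifest size and a wrapping signature size would keep both branches covered. The enclosing function starts outside the first hunk.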
diff --git a/update_attempter_android.cc b/update_attempter_android.cc
index 04ccb18..406e40a 100644
--- a/update_attempter_android.cc
+++ b/update_attempter_android.cc
@@ -357,14 +357,17 @@
 "Failed to parse payload header: " +
 utils::ErrorCodeToString(errorcode));
 }
- metadata.resize(payload_metadata.GetMetadataSize() +
- payload_metadata.GetMetadataSignatureSize());
- if (metadata.size() < kMaxPayloadHeaderSize) {
+ uint64_t metadata_size = payload_metadata.GetMetadataSize() +
+ payload_metadata.GetMetadataSignatureSize();
+ if (metadata_size < kMaxPayloadHeaderSize ||
+ metadata_size >
+ static_cast<uint64_t>(utils::FileSize(metadata_filename))) {
 return LogAndSetError(
 error,
 FROM_HERE,
- "Metadata size too small: " + std::to_string(metadata.size()));
+ "Invalid metadata size: " + std::to_string(metadata_size));
 }
+ metadata.resize(metadata_size);
 if (!fd->Read(metadata.data() + kMaxPayloadHeaderSize,
 metadata.size() - kMaxPayloadHeaderSize)) {
 return LogAndSetError(
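Review bot: The new upper bound casts the result of `utils::FileSize(metadata_filename)` straight to `uint64_t`, so if that helper reports failure with a negative value (the cast suggests a signed return; confirm against its declaration) the bound becomes the largest 64-bit value. In that case `metadata.resize(metadata_size)` runs with a size taken from the payload header and never checked against the file. Hold the size in a signed local and reject the failure case first, e.g. `const auto file_size = utils::FileSize(metadata_filename);` followed by `if (file_size < 0 || metadata_size > static_cast<uint64_t>(file_size))`, keeping the existing lower-bound test. The size is also looked up by path rather than from the already-open `fd`, so it may not describe the file being read if the path changes in between. The enclosing function starts and ends outside this hunk.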