aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorTianjie Xu2016-12-16 18:24:09 -0600
committerTianjie Xu2016-12-16 18:24:09 -0600
commit54ea136fded56810bf475885eb4bd7bf1b11f09c (patch)
treefe5e271c356a3a6eea24e86bbecd620d87b032e7 /verifier.cpp
parent36acff7d7e88549bbeab6a08488ab48596d7fbc5 (diff)
downloadplatform-bootable-recovery-54ea136fded56810bf475885eb4bd7bf1b11f09c.tar.gz
platform-bootable-recovery-54ea136fded56810bf475885eb4bd7bf1b11f09c.tar.xz
platform-bootable-recovery-54ea136fded56810bf475885eb4bd7bf1b11f09c.zip
Add a checker for signature boundary in verifier
The 'signature_start' variable marks the location of the signature from the end of a zip archive. And a boundary check is missing where 'signature_start' should be within the EOCD comment field. This causes problems when sideloading a malicious package. Also add a corresponding test. Bug: 31914369 Test: Verification fails correctly when sideloading recovery_test.zip on angler. Change-Id: I6ea96bf04dac5d8d4d6719e678d504f957b4d5c1 (cherry-picked from f69e6a9475983b2ad46729e44ab58d2b22cd74d0)
Diffstat (limited to 'verifier.cpp')
-rw-r--r--verifier.cpp6
1 files changed, 6 insertions, 0 deletions
diff --git a/verifier.cpp b/verifier.cpp
index eeff95a5..3d4f603a 100644
--- a/verifier.cpp
+++ b/verifier.cpp
@@ -143,6 +143,12 @@ int verify_file(unsigned char* addr, size_t length,
143 LOGI("comment is %zu bytes; signature %zu bytes from end\n", 143 LOGI("comment is %zu bytes; signature %zu bytes from end\n",
144 comment_size, signature_start); 144 comment_size, signature_start);
145 145
146 if (signature_start > comment_size) {
147 LOGE("signature start: %zu is larger than comment size: %zu\n", signature_start,
148 comment_size);
149 return VERIFY_FAILURE;
150 }
151
146 if (signature_start <= FOOTER_SIZE) { 152 if (signature_start <= FOOTER_SIZE) {
147 LOGE("Signature start is in the footer"); 153 LOGE("Signature start is in the footer");
148 return VERIFY_FAILURE; 154 return VERIFY_FAILURE;