commit a1077c5d47ef069b9bf920d9f33241eb1b18b31e
author Ellen Arteca <emarteca@google.com> Thu Apr 25 17:25:47 2024 +0000
committer Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> Thu Apr 25 17:25:47 2024 +0000
tree 71315bdd0029a04f3018f9302244c6f5801a332d
parent 284f4ffb1f8fd8a2e5ab10b586bbab53ac714762
parent 4857d7011dead69039771c5b05807615e859fa1c

Merge "Mitigate LSKF leaks in RecoverableKeyStoreManager" into main am: 4857d7011d

Original change: https://android-review.googlesource.com/c/platform/frameworks/base/+/3057483

Change-Id: I844a1c7fdaa80eab5fa53a7bf7f30605a1dc008a
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

services/core/java/com/android/server/locksettings/recoverablekeystore/RecoverableKeyStoreManager.java

diff --git a/services/core/java/com/android/server/locksettings/recoverablekeystore/RecoverableKeyStoreManager.java b/services/core/java/com/android/server/locksettings/recoverablekeystore/RecoverableKeyStoreManager.java
index e5807e8..54303c0 100644
--- a/services/core/java/com/android/server/locksettings/recoverablekeystore/RecoverableKeyStoreManager.java
+++ b/services/core/java/com/android/server/locksettings/recoverablekeystore/RecoverableKeyStoreManager.java
@@ -1082,7 +1082,8 @@
             int keyguardCredentialsType = lockPatternUtilsToKeyguardType(savedCredentialType);
             try (LockscreenCredential credential =
                     createLockscreenCredential(keyguardCredentialsType, decryptedCredentials)) {
-                // TODO(b/254335492): remove decryptedCredentials
+                Arrays.fill(decryptedCredentials, (byte) 0);
+                decryptedCredentials = null;
                 VerifyCredentialResponse verifyResponse =
                         lockSettingsService.verifyCredential(credential, userId, 0);
                 return handleVerifyCredentialResponse(verifyResponse, userId);