commit c14f262876818498b3ca77f1d6df9d4fb7e77b1c
author Edwin Wong <edwinwong@google.com> Tue Jan 26 20:29:25 2021 -0800
committer Edwin Wong <edwinwong@google.com> Wed Feb 03 08:41:07 2021 -0800
tree bf41780c72f3a182156dd4f94c5d1fd529064906
parent d1a977b77169f4997c54657136f2698395014eca

Fix potential decrypt src pointer overflow.

There is a potential integer overflow to bypass the
source base size check in decrypt. The source pointer
can then point to the outside of the source buffer,
which could potentially leak arbitrary memory content
to destination pointer.

Test: sts-tradefed
  sts-tradefed run sts-engbuild-no-spl-lock -m StsHostTestCases --test android.security.sts.Bug_176496160#testPocBug_176496160

Test: push to device with target_hwasan-userdebug build
  adb shell /data/local/tmp/Bug-17649616064

Bug: 176496160
Bug: 176444786
Change-Id: I811a6f60948bde2a72906c2c6172fd7bc5feb6d9

drm/1.0/default/CryptoPlugin.cpp

diff --git a/drm/1.0/default/CryptoPlugin.cpp b/drm/1.0/default/CryptoPlugin.cpp
index 2db3607..e6d4e84 100644
--- a/drm/1.0/default/CryptoPlugin.cpp
+++ b/drm/1.0/default/CryptoPlugin.cpp
@@ -124,7 +124,11 @@
             return Void();
         }
 
-        if (source.offset + offset + source.size > sourceBase->getSize()) {
+        size_t totalSize = 0;
+        if (__builtin_add_overflow(source.offset, offset, &totalSize) ||
+            __builtin_add_overflow(totalSize, source.size, &totalSize) ||
+            totalSize > sourceBase->getSize()) {
+            android_errorWriteLog(0x534e4554, "176496160");
             _hidl_cb(Status::ERROR_DRM_CANNOT_HANDLE, 0, "invalid buffer size");
             return Void();
         }