commit d468101f149e30bc4ec5105555973d4ed8b4e009
author Edwin Wong <edwinwong@google.com> Tue Feb 02 10:04:02 2021 -0800
committer Edwin Wong <edwinwong@google.com> Tue Feb 02 23:48:11 2021 -0800
tree 675788b10987a0874fe2c0ba13c49742c60fbff6
parent 072cdf233c02d1dc3eb8b2e20498675aea70c21d

[RESTRICT AUTOMERGE] Fix potential decrypt destPtr overflow.

There is a potential integer overflow to bypass the
destination base size check in decrypt. The destPtr
can then point to the outside of the destination buffer.

Test: sts-tradefed
  sts-tradefed run sts-engbuild-no-spl-lock -m StsHostTestCases --test android.security.sts.Bug_176444622#testPocBug_176444622

Test: push to device with target_hwasan-userdebug build
  adb shell /data/local/tmp/Bug-17644462264

Bug: 176444622
Bug: 176496353
Change-Id: I75ae057793a4ff4e4f52a8577bef189ad842fb0e

drm/1.0/default/CryptoPlugin.cpp

diff --git a/drm/1.0/default/CryptoPlugin.cpp b/drm/1.0/default/CryptoPlugin.cpp
index 2a85f0e..4ab9029 100644
--- a/drm/1.0/default/CryptoPlugin.cpp
+++ b/drm/1.0/default/CryptoPlugin.cpp
@@ -80,7 +80,7 @@
             }
         }
 
-        android::CryptoPlugin::Mode legacyMode;
+        android::CryptoPlugin::Mode legacyMode = android::CryptoPlugin::kMode_Unencrypted;
         switch(mode) {
         case Mode::UNENCRYPTED:
             legacyMode = android::CryptoPlugin::kMode_Unencrypted;
@@ -149,7 +149,10 @@
                 return Void();
             }
 
-            if (destBuffer.offset + destBuffer.size > destBase->getSize()) {
+            size_t totalDstSize = 0;
+            if (__builtin_add_overflow(destBuffer.offset, destBuffer.size, &totalDstSize) ||
+                totalDstSize > destBase->getSize()) {
+                android_errorWriteLog(0x534e4554, "176496353");
                 _hidl_cb(Status::ERROR_DRM_CANNOT_HANDLE, 0, "invalid buffer size");
                 return Void();
             }