update_engine: Check metadata and signature sizes

Check that the size of the metadata size and signature sizes are
smaller than the payload size. Without this check, the delta
performer writes X number of bytes to the buffer before validating
these values, and an attacker could provide a huge value which will
make update_engine crash.

BUG=chromium:1027166
TEST=fuzzer, unittest, install/uninstall DLC on DUT
TEST=test_that -b $BOARD $IP autoupdate_EOL

Change-Id: Iad3a314efacbb1005fac37dd383a3f8852008f4b
Reviewed-on: https://chromium-review.googlesource.com/c/aosp/platform/system/update_engine/+/1976079
Commit-Queue: Andrew Lassalle <andrewlassalle@chromium.org>
Tested-by: Andrew Lassalle <andrewlassalle@chromium.org>
Reviewed-by: Amin Hassani <ahassani@chromium.org>
Auto-Submit: Andrew Lassalle <andrewlassalle@chromium.org>
diff --git a/payload_consumer/payload_metadata.cc b/payload_consumer/payload_metadata.cc
index 4d8ee7b..b83001a 100644
--- a/payload_consumer/payload_metadata.cc
+++ b/payload_consumer/payload_metadata.cc
@@ -92,6 +92,7 @@
   metadata_size_ = manifest_offset + manifest_size_;
   if (metadata_size_ < manifest_size_) {
     // Overflow detected.
+    LOG(ERROR) << "Overflow detected on manifest size.";
     *error = ErrorCode::kDownloadInvalidMetadataSize;
     return MetadataParseResult::kError;
   }
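Review bot: The new LOG(ERROR) in the `metadata_size_ < manifest_size_` branch reports that an overflow happened but not the values that caused it. Including `manifest_offset` and `manifest_size_` in the message would let a fuzzer or field report be triaged from the log alone. It would also help separate this failure from the second overflow branch, which returns the same ErrorCode::kDownloadInvalidMetadataSize.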
@@ -108,6 +109,7 @@
 
   if (metadata_size_ + metadata_signature_size_ < metadata_size_) {
     // Overflow detected.
+    LOG(ERROR) << "Overflow detected on metadata and signature size.";
     *error = ErrorCode::kDownloadInvalidMetadataSize;
     return MetadataParseResult::kError;
   }
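Review bot: The condition `metadata_size_ + metadata_signature_size_ < metadata_size_` only catches a sum that wraps around, so a very large signature size that does not wrap still passes this branch. The commit message describes comparing these sizes against the payload size, and that comparison is not visible in this hunk, so please confirm it runs before any buffer is filled based on these fields. As with the first branch, logging both operands in the new message would make the rejected value visible.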