Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_update_engine / 62d319feb406b38d43eeb3291a7f97b8f25bcf59^2..62d319feb406b38d43eeb3291a7f97b8f25bcf59 / .
commit62d319feb406b38d43eeb3291a7f97b8f25bcf59[log] [tgz]
authorKelvin Zhang <zhangkelvin@google.com>Sat Sep 26 15:56:54 2020 +0000
committerAutomerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>Sat Sep 26 15:56:54 2020 +0000
treefb37d18da46af4a777d3a171adf78def6ceba05d
parent1aacc056fdcbec6f1a66679cacb859a38c55a016 [diff]
parent9cf94c693e333517f05291f2f6ef579e501c4436 [diff]
Add FeatureFlag for Virtual AB Compression am: da1b3145df am: be289f6d90 am: 51746ddfe6 am: bca4890101 am: 9cf94c693e

Original change: https://android-review.googlesource.com/c/platform/system/update_engine/+/1437991

Change-Id: I517f9b35b19ed07f4f32b2d7050ea8e0f46846f5

diff --git a/payload_consumer/delta_performer.cc b/payload_consumer/delta_performer.cc
index d9efc30..a766085 100644
--- a/payload_consumer/delta_performer.cc
+++ b/payload_consumer/delta_performer.cc

@@ -672,27 +672,24 @@
     if (!CanPerformInstallOperation(op))
       return true;
 
-    // Validate the operation only if the metadata signature is present.
-    // Otherwise, keep the old behavior. This serves as a knob to disable
-    // the validation logic in case we find some regression after rollout.
-    // NOTE: If hash checks are mandatory and if metadata_signature is empty,
-    // we would have already failed in ParsePayloadMetadata method and thus not
-    // even be here. So no need to handle that case again here.
-    if (!payload_->metadata_signature.empty()) {
-      // Note: Validate must be called only if CanPerformInstallOperation is
-      // called. Otherwise, we might be failing operations before even if there
-      // isn't sufficient data to compute the proper hash.
-      *error = ValidateOperationHash(op);
-      if (*error != ErrorCode::kSuccess) {
-        if (install_plan_->hash_checks_mandatory) {
-          LOG(ERROR) << "Mandatory operation hash check failed";
-          return false;
-        }
-
-        // For non-mandatory cases, just send a UMA stat.
-        LOG(WARNING) << "Ignoring operation validation errors";
-        *error = ErrorCode::kSuccess;
+    // Validate the operation unconditionally. This helps prevent the
+    // exploitation of vulnerabilities in the patching libraries, e.g. bspatch.
+    // The hash of the patch data for a given operation is embedded in the
+    // payload metadata; and thus has been verified against the public key on
+    // device.
+    // Note: Validate must be called only if CanPerformInstallOperation is
+    // called. Otherwise, we might be failing operations before even if there
+    // isn't sufficient data to compute the proper hash.
+    *error = ValidateOperationHash(op);
+    if (*error != ErrorCode::kSuccess) {
+      if (install_plan_->hash_checks_mandatory) {
+        LOG(ERROR) << "Mandatory operation hash check failed";
+        return false;
       }
+
+      // For non-mandatory cases, just send a UMA stat.
+      LOG(WARNING) << "Ignoring operation validation errors";
+      *error = ErrorCode::kSuccess;
     }
 
     // Makes sure we unblock exit when this operation completes.