Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_update_engine / 6939b05e2b8a16995e15f4ec0c4139db2ac1d7ba^2..6939b05e2b8a16995e15f4ec0c4139db2ac1d7ba / .
commit6939b05e2b8a16995e15f4ec0c4139db2ac1d7ba[log] [tgz]
authorKelvin Zhang <zhangkelvin@google.com>Fri Oct 23 22:05:38 2020 +0000
committerAutomerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>Fri Oct 23 22:05:38 2020 +0000
treef2dba89e6011c6fc08773a69908764a27585a04a
parent4de1f85c70d2269366472e653a9e26b80c404677 [diff]
parent442a9e831debab8101a1584292f3081d5e207a3d [diff]
Add CowWriter interface methods to DynamicPartiitonControl am: 34618521d4 am: c3b2a47a90 am: ded3ebdf8b am: 442a9e831d

Original change: https://android-review.googlesource.com/c/platform/system/update_engine/+/1441292

Change-Id: I2b52d2a95ec0f5ab123d1c0ff8b694de8fba50b8

diff --git a/payload_consumer/delta_performer.cc b/payload_consumer/delta_performer.cc
index e7ef8a3..ea00b01 100644
--- a/payload_consumer/delta_performer.cc
+++ b/payload_consumer/delta_performer.cc

@@ -520,27 +520,24 @@
     if (!CanPerformInstallOperation(op))
       return true;
 
-    // Validate the operation only if the metadata signature is present.
-    // Otherwise, keep the old behavior. This serves as a knob to disable
-    // the validation logic in case we find some regression after rollout.
-    // NOTE: If hash checks are mandatory and if metadata_signature is empty,
-    // we would have already failed in ParsePayloadMetadata method and thus not
-    // even be here. So no need to handle that case again here.
-    if (!payload_->metadata_signature.empty()) {
-      // Note: Validate must be called only if CanPerformInstallOperation is
-      // called. Otherwise, we might be failing operations before even if there
-      // isn't sufficient data to compute the proper hash.
-      *error = ValidateOperationHash(op);
-      if (*error != ErrorCode::kSuccess) {
-        if (install_plan_->hash_checks_mandatory) {
-          LOG(ERROR) << "Mandatory operation hash check failed";
-          return false;
-        }
-
-        // For non-mandatory cases, just send a UMA stat.
-        LOG(WARNING) << "Ignoring operation validation errors";
-        *error = ErrorCode::kSuccess;
+    // Validate the operation unconditionally. This helps prevent the
+    // exploitation of vulnerabilities in the patching libraries, e.g. bspatch.
+    // The hash of the patch data for a given operation is embedded in the
+    // payload metadata; and thus has been verified against the public key on
+    // device.
+    // Note: Validate must be called only if CanPerformInstallOperation is
+    // called. Otherwise, we might be failing operations before even if there
+    // isn't sufficient data to compute the proper hash.
+    *error = ValidateOperationHash(op);
+    if (*error != ErrorCode::kSuccess) {
+      if (install_plan_->hash_checks_mandatory) {
+        LOG(ERROR) << "Mandatory operation hash check failed";
+        return false;
       }
+
+      // For non-mandatory cases, just send a UMA stat.
+      LOG(WARNING) << "Ignoring operation validation errors";
+      *error = ErrorCode::kSuccess;
     }
 
     // Makes sure we unblock exit when this operation completes.