Merge "Merge remote-tracking branch 'remotes/aosp/upstream-master' into merge-cros" am: 336c2123e8 am: 16647c9f05 am: 9a43fe2f94 am: 239ed11ed5
Original change: https://android-review.googlesource.com/c/platform/system/update_engine/+/1479157
Change-Id: I07f160030e605290071278f317fa61233e007545
diff --git a/payload_consumer/delta_performer.cc b/payload_consumer/delta_performer.cc
index a3989d6..26586f7 100644
--- a/payload_consumer/delta_performer.cc
+++ b/payload_consumer/delta_performer.cc
@@ -511,27 +511,24 @@
if (!CanPerformInstallOperation(op))
return true;
- // Validate the operation only if the metadata signature is present.
- // Otherwise, keep the old behavior. This serves as a knob to disable
- // the validation logic in case we find some regression after rollout.
- // NOTE: If hash checks are mandatory and if metadata_signature is empty,
- // we would have already failed in ParsePayloadMetadata method and thus not
- // even be here. So no need to handle that case again here.
- if (!payload_->metadata_signature.empty()) {
- // Note: Validate must be called only if CanPerformInstallOperation is
- // called. Otherwise, we might be failing operations before even if there
- // isn't sufficient data to compute the proper hash.
- *error = ValidateOperationHash(op);
- if (*error != ErrorCode::kSuccess) {
- if (install_plan_->hash_checks_mandatory) {
- LOG(ERROR) << "Mandatory operation hash check failed";
- return false;
- }
-
- // For non-mandatory cases, just send a UMA stat.
- LOG(WARNING) << "Ignoring operation validation errors";
- *error = ErrorCode::kSuccess;
+ // Validate the operation unconditionally. This helps prevent the
+ // exploitation of vulnerabilities in the patching libraries, e.g. bspatch.
+ // The hash of the patch data for a given operation is embedded in the
+ // payload metadata; and thus has been verified against the public key on
+ // device.
+ // Note: Validate must be called only if CanPerformInstallOperation is
+ // called. Otherwise, we might be failing operations before even if there
+ // isn't sufficient data to compute the proper hash.
+ *error = ValidateOperationHash(op);
+ if (*error != ErrorCode::kSuccess) {
+ if (install_plan_->hash_checks_mandatory) {
+ LOG(ERROR) << "Mandatory operation hash check failed";
+ return false;
}
+
+ // For non-mandatory cases, just send a UMA stat.
+ LOG(WARNING) << "Ignoring operation validation errors";
+ *error = ErrorCode::kSuccess;
}
// Makes sure we unblock exit when this operation completes.
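Review bot: The new comment at the top of the hunk claims unconditional validation prevents exploitation of the patching libraries, but the retained branch below it still downgrades a failed `ValidateOperationHash(op)` to a `LOG(WARNING)` and resets `*error` to `kSuccess` whenever `install_plan_->hash_checks_mandatory` is false, so in that mode the operation still runs on unverified patch data; the comment's claim that the embedded hash "has been verified against the public key on device" is also only as strong as the metadata-signature check, which is not visible in this hunk. I would qualify the comment, e.g. `// Validate the operation unconditionally. When hash checks are mandatory this keeps corrupt or tampered patch data away from the patching libraries (e.g. bspatch); when they are not, a mismatch is only logged below and the operation still runs.` The carried-over line `// For non-mandatory cases, just send a UMA stat.` describes no UMA call on the visible lines, only a warning log, so it should read `// For non-mandatory cases, log and continue.` or the metric should actually be reported. The enclosing function starts and ends outside the hunk.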
diff --git a/scripts/brillo_update_payload b/scripts/brillo_update_payload
index 3bc87bd..77d372c 100755
--- a/scripts/brillo_update_payload
+++ b/scripts/brillo_update_payload
@@ -89,12 +89,14 @@
exit 1
}
-# Loads shflags. We first look at the default install location; then look for
-# crosutils (chroot); finally check our own directory.
+# Loads shflags. We first look at the default install location; then our own
+# directory; finally the parent directory.
load_shflags() {
local my_dir="$(dirname "$(readlink -f "$0")")"
local path
- for path in /usr/share/misc "${my_dir}"/lib/shflags; do
+ for path in /usr/share/misc \
+ "${my_dir}"/lib/shflags \
+ "${my_dir}"/../lib/shflags; do
if [[ -r "${path}/shflags" ]]; then
. "${path}/shflags" || die "Could not load ${path}/shflags."
return