Unconditionally save checkpoints when force = true am: 3265b317b3 am: bfb78c318e am: 730e76cf93

Original change: https://android-review.googlesource.com/c/platform/system/update_engine/+/1532419

MUST ONLY BE SUBMITTED BY AUTOMERGER

Change-Id: Ic9644987e9f446cf70787cd5a66368037e0721e6
diff --git a/payload_consumer/delta_performer.cc b/payload_consumer/delta_performer.cc
index 5b41485..a9461ac 100644
--- a/payload_consumer/delta_performer.cc
+++ b/payload_consumer/delta_performer.cc
@@ -520,27 +520,24 @@
     if (!CanPerformInstallOperation(op))
       return true;
 
-    // Validate the operation only if the metadata signature is present.
-    // Otherwise, keep the old behavior. This serves as a knob to disable
-    // the validation logic in case we find some regression after rollout.
-    // NOTE: If hash checks are mandatory and if metadata_signature is empty,
-    // we would have already failed in ParsePayloadMetadata method and thus not
-    // even be here. So no need to handle that case again here.
-    if (!payload_->metadata_signature.empty()) {
-      // Note: Validate must be called only if CanPerformInstallOperation is
-      // called. Otherwise, we might be failing operations before even if there
-      // isn't sufficient data to compute the proper hash.
-      *error = ValidateOperationHash(op);
-      if (*error != ErrorCode::kSuccess) {
-        if (install_plan_->hash_checks_mandatory) {
-          LOG(ERROR) << "Mandatory operation hash check failed";
-          return false;
-        }
-
-        // For non-mandatory cases, just send a UMA stat.
-        LOG(WARNING) << "Ignoring operation validation errors";
-        *error = ErrorCode::kSuccess;
+    // Validate the operation unconditionally. This helps prevent the
+    // exploitation of vulnerabilities in the patching libraries, e.g. bspatch.
+    // The hash of the patch data for a given operation is embedded in the
+    // payload metadata; and thus has been verified against the public key on
+    // device.
+    // Note: Validate must be called only if CanPerformInstallOperation is
+    // called. Otherwise, we might be failing operations before even if there
+    // isn't sufficient data to compute the proper hash.
+    *error = ValidateOperationHash(op);
+    if (*error != ErrorCode::kSuccess) {
+      if (install_plan_->hash_checks_mandatory) {
+        LOG(ERROR) << "Mandatory operation hash check failed";
+        return false;
       }
+
+      // For non-mandatory cases, just send a UMA stat.
+      LOG(WARNING) << "Ignoring operation validation errors";
+      *error = ErrorCode::kSuccess;
     }
 
     // Makes sure we unblock exit when this operation completes.
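Review bot: The new comment at lines 36-40 says validation is now unconditional and that the operation hash "has been verified against the public key on device", but the code below still discards a failed ValidateOperationHash() whenever install_plan_->hash_checks_mandatory is false, so only the check is unconditional, not the enforcement. The removed comment also noted that an empty metadata_signature only fails ParsePayloadMetadata in the mandatory case, so on a non-mandatory plan the hash being compared against may not be signature-backed at all, and the comment should say so rather than imply a blanket bspatch mitigation. Suggested wording: `// Always run the operation hash check; the result is only enforced when hash_checks_mandatory is set. The per-operation hash lives in the payload metadata, which is signature-verified on device only when a metadata signature is present and required.` The "just send a UMA stat" comment at line 51 is also stale as far as this hunk shows: the non-mandatory branch only emits LOG(WARNING), and no metrics call is visible. The enclosing function begins and ends outside the hunk.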
diff --git a/scripts/brillo_update_payload b/scripts/brillo_update_payload
index 1e729bd..e50618f 100755
--- a/scripts/brillo_update_payload
+++ b/scripts/brillo_update_payload
@@ -89,12 +89,14 @@
   exit 1
 }
 
-# Loads shflags. We first look at the default install location; then look for
-# crosutils (chroot); finally check our own directory.
+# Loads shflags. We first look at the default install location; then our own
+# directory; finally the parent directory.
 load_shflags() {
   local my_dir="$(dirname "$(readlink -f "$0")")"
   local path
-  for path in /usr/share/misc "${my_dir}"/lib/shflags; do
+  for path in /usr/share/misc \
+    "${my_dir}"/lib/shflags \
+    "${my_dir}"/../lib/shflags; do
     if [[ -r "${path}/shflags" ]]; then
       . "${path}/shflags" || die "Could not load ${path}/shflags."
       return
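Review bot: The updated comment at lines 67-68 does not match the paths the loop actually probes: after /usr/share/misc it checks `${my_dir}/lib/shflags` and `${my_dir}/../lib/shflags`, i.e. a lib/shflags subdirectory under the script's directory and under its parent, not those directories themselves. Suggested wording: `# Loads shflags. We first look at the default install location; then lib/shflags under our own directory; finally lib/shflags under the parent directory.` Because the file is sourced with `.`, the new parent-directory fallback widens what runs with the script's privileges to a location outside the script's own tree, and the `-r` test only confirms readability; it is worth stating in the comment that the parent directory is expected to be part of the same checkout or install (inferred, verify against how brillo_update_payload is packaged). load_shflags is complete within the hunk, but the `die` helper used at line 77 is defined outside it.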