diff options
| author | y <rtmitchell@google.com> | 2018-04-05 17:57:27 -0700 |
|---|---|---|
| committer | android-build-team Robot <android-build-team-robot@google.com> | 2018-07-20 00:17:33 +0000 |
| commit | b193293264ce8b5ead72077956d5bac83ba9a8f7 (patch) | |
| tree | 695361ed6494478e14bcaf79458393fe8bb1f029 | |
| parent | 89e6073892432152d27023e8713ef727f1b35d27 (diff) | |
| download | base-b193293264ce8b5ead72077956d5bac83ba9a8f7.tar.gz | |
ResStringPool: Fix security vulnerability
Adds detection of attacker-modified size and data fields passed to
ResStringPool::setTo(). These attacks are modified apks that AAPT would
not normally generate. In the rare case this occurs, the installation
cannot be allowed to continue.
Bug: 71361168
Bug: 71360999
Test: run cts -m CtsAppSecurityHostTestCases \
-t android.appsecurity.cts.CorruptApkTests
Change-Id: If7eb93a9e723b16c8a0556fc4e20006aa0391d57
Merged-In: If7eb93a9e723b16c8a0556fc4e20006aa0391d57
(cherry picked from commit 7e54c3f261d81316b75cb734075319108d8bc1d1)
| -rw-r--r-- | libs/androidfw/ResourceTypes.cpp | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/libs/androidfw/ResourceTypes.cpp b/libs/androidfw/ResourceTypes.cpp index 733ffb180b3b..401c7b070188 100644 --- a/libs/androidfw/ResourceTypes.cpp +++ b/libs/androidfw/ResourceTypes.cpp @@ -457,6 +457,22 @@ status_t ResStringPool::setTo(const void* data, size_t size, bool copyData) uninit(); + // The chunk must be at least the size of the string pool header. + if (size < sizeof(ResStringPool_header)) { + LOG_ALWAYS_FATAL("Bad string block: data size %zu is too small to be a string block", size); + return (mError=BAD_TYPE); + } + + // The data is at least as big as a ResChunk_header, so we can safely validate the other + // header fields. + // `data + size` is safe because the source of `size` comes from the kernel/filesystem. + if (validate_chunk(reinterpret_cast<const ResChunk_header*>(data), sizeof(ResStringPool_header), + reinterpret_cast<const uint8_t*>(data) + size, + "ResStringPool_header") != NO_ERROR) { + LOG_ALWAYS_FATAL("Bad string block: malformed block dimensions"); + return (mError=BAD_TYPE); + } + const bool notDeviceEndian = htods(0xf0) != 0xf0; if (copyData || notDeviceEndian) { @@ -468,6 +484,8 @@ status_t ResStringPool::setTo(const void* data, size_t size, bool copyData) data = mOwnedData; } + // The size has been checked, so it is safe to read the data in the ResStringPool_header + // data structure. mHeader = (const ResStringPool_header*)data; if (notDeviceEndian) { |