diff options
Diffstat (limited to 'install')
-rw-r--r-- | install/Android.bp | 50 | ||||
-rw-r--r-- | install/include/install/spl_check.h | 26 | ||||
-rw-r--r-- | install/install.cpp | 49 | ||||
-rw-r--r-- | install/snapshot_utils.cpp | 4 | ||||
-rw-r--r-- | install/spl_check.cpp | 78 | ||||
-rw-r--r-- | install/spl_check_unittests.cpp | 45 | ||||
-rw-r--r-- | install/verifier.cpp | 8 | ||||
-rw-r--r-- | install/wipe_data.cpp | 8 | ||||
-rw-r--r-- | install/wipe_device.cpp | 9 |
9 files changed, 261 insertions, 16 deletions
diff --git a/install/Android.bp b/install/Android.bp index bed3bc504..e239ddc4e 100644 --- a/install/Android.bp +++ b/install/Android.bp @@ -12,11 +12,21 @@ // See the License for the specific language governing permissions and // limitations under the License. +package { + // See: http://go/android-license-faq + // A large-scale-change added 'default_applicable_licenses' to import + // all of the 'license_kinds' from "bootable_recovery_license" + // to get the below license kinds: + // SPDX-license-identifier-Apache-2.0 + default_applicable_licenses: ["bootable_recovery_license"], +} + cc_defaults { name: "libinstall_defaults", defaults: [ "recovery_defaults", + "libspl_check_defaults", ], shared_libs: [ @@ -40,12 +50,51 @@ cc_defaults { "librecovery_utils", "libotautil", "libsnapshot_nobinder", + "ota_metadata_proto_cc", // external dependencies "libvintf", ], } +cc_test_host { + name: "libinstall_host_unittests", + defaults: [ + "libspl_check_defaults" + ], + srcs: [ + "spl_check_unittests.cpp", + ], + static_libs: [ + "libspl_check", + ], +} + +cc_defaults { + name: "libspl_check_defaults", + static_libs: [ + "libbase", + "ota_metadata_proto_cc", + "liblog", + "libziparchive", + "libz", + "libprotobuf-cpp-lite", + ], +} + +cc_library_static { + name: "libspl_check", + recovery_available: true, + host_supported: true, + defaults: [ + "libspl_check_defaults", + ], + srcs: ["spl_check.cpp"], + export_include_dirs: [ + "include", + ], +} + cc_library_static { name: "libinstall", recovery_available: true, @@ -64,6 +113,7 @@ cc_library_static { "verifier.cpp", "wipe_data.cpp", "wipe_device.cpp", + "spl_check.cpp", ], header_libs: [ diff --git a/install/include/install/spl_check.h b/install/include/install/spl_check.h new file mode 100644 index 000000000..e0bfc62c7 --- /dev/null +++ b/install/include/install/spl_check.h @@ -0,0 +1,26 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include <string_view> + +#include <android-base/logging.h> +#include <ota_metadata.pb.h> +#include <ziparchive/zip_archive.h> + +bool ViolatesSPLDowngrade(const build::tools::releasetools::OtaMetadata& metadata, + std::string_view current_spl); + +bool ViolatesSPLDowngrade(ZipArchiveHandle zip, std::string_view current_spl); diff --git a/install/install.cpp b/install/install.cpp index d404997dc..6e74f80ab 100644 --- a/install/install.cpp +++ b/install/install.cpp @@ -47,6 +47,7 @@ #include <android-base/unique_fd.h> #include "install/package.h" +#include "install/spl_check.h" #include "install/verifier.h" #include "install/wipe_data.h" #include "otautil/error_code.h" @@ -67,14 +68,17 @@ static_assert(kRecoveryApiVersion == RECOVERY_API_VERSION, "Mismatching recovery // Default allocation of progress bar segments to operations static constexpr int VERIFICATION_PROGRESS_TIME = 60; static constexpr float VERIFICATION_PROGRESS_FRACTION = 0.25; - +// The charater used to separate dynamic fingerprints. e.x. sargo|aosp-sargo +static const char* FINGERPRING_SEPARATOR = "|"; static std::condition_variable finish_log_temperature; +static bool isInStringList(const std::string& target_token, const std::string& str_list, + const std::string& deliminator); bool ReadMetadataFromPackage(ZipArchiveHandle zip, std::map<std::string, std::string>* metadata) { CHECK(metadata != nullptr); static constexpr const char* METADATA_PATH = "META-INF/com/android/metadata"; - ZipEntry entry; + ZipEntry64 entry; if (FindEntry(zip, METADATA_PATH, &entry) != 0) { LOG(ERROR) << "Failed to find " << METADATA_PATH; return false; @@ -151,7 +155,8 @@ static bool CheckAbSpecificMetadata(const std::map<std::string, std::string>& me auto device_fingerprint = android::base::GetProperty("ro.build.fingerprint", ""); auto pkg_pre_build_fingerprint = get_value(metadata, "pre-build"); - if (!pkg_pre_build_fingerprint.empty() && pkg_pre_build_fingerprint != device_fingerprint) { + if (!pkg_pre_build_fingerprint.empty() && + !isInStringList(device_fingerprint, pkg_pre_build_fingerprint, FINGERPRING_SEPARATOR)) { LOG(ERROR) << "Package is for source build " << pkg_pre_build_fingerprint << " but expected " << device_fingerprint; return false; @@ -199,7 +204,8 @@ bool CheckPackageMetadata(const std::map<std::string, std::string>& metadata, Ot auto device = android::base::GetProperty("ro.product.device", ""); auto pkg_device = get_value(metadata, "pre-device"); - if (pkg_device != device || pkg_device.empty()) { + // device name can be a | separated list, so need to check + if (pkg_device.empty() || !isInStringList(device, pkg_device, FINGERPRING_SEPARATOR)) { LOG(ERROR) << "Package is for product " << pkg_device << " but expected " << device; return false; } @@ -236,12 +242,18 @@ bool SetUpAbUpdateCommands(const std::string& package, ZipArchiveHandle zip, int // For A/B updates we extract the payload properties to a buffer and obtain the RAW payload offset // in the zip file. static constexpr const char* AB_OTA_PAYLOAD_PROPERTIES = "payload_properties.txt"; - ZipEntry properties_entry; + ZipEntry64 properties_entry; if (FindEntry(zip, AB_OTA_PAYLOAD_PROPERTIES, &properties_entry) != 0) { LOG(ERROR) << "Failed to find " << AB_OTA_PAYLOAD_PROPERTIES; return false; } - uint32_t properties_entry_length = properties_entry.uncompressed_length; + auto properties_entry_length = properties_entry.uncompressed_length; + if (properties_entry_length > std::numeric_limits<size_t>::max()) { + LOG(ERROR) << "Failed to extract " << AB_OTA_PAYLOAD_PROPERTIES + << " because's uncompressed size exceeds size of address space. " + << properties_entry_length; + return false; + } std::vector<uint8_t> payload_properties(properties_entry_length); int32_t err = ExtractToMemory(zip, &properties_entry, payload_properties.data(), properties_entry_length); @@ -251,7 +263,7 @@ bool SetUpAbUpdateCommands(const std::string& package, ZipArchiveHandle zip, int } static constexpr const char* AB_OTA_PAYLOAD = "payload.bin"; - ZipEntry payload_entry; + ZipEntry64 payload_entry; if (FindEntry(zip, AB_OTA_PAYLOAD, &payload_entry) != 0) { LOG(ERROR) << "Failed to find " << AB_OTA_PAYLOAD; return false; @@ -273,7 +285,7 @@ bool SetUpNonAbUpdateCommands(const std::string& package, ZipArchiveHandle zip, // In non-A/B updates we extract the update binary from the package. static constexpr const char* UPDATE_BINARY_NAME = "META-INF/com/google/android/update-binary"; - ZipEntry binary_entry; + ZipEntry64 binary_entry; if (FindEntry(zip, UPDATE_BINARY_NAME, &binary_entry) != 0) { LOG(ERROR) << "Failed to find update binary " << UPDATE_BINARY_NAME; return false; @@ -337,6 +349,12 @@ static InstallResult TryUpdateBinary(Package* package, bool* wipe_cache, android::base::GetBoolProperty("ro.virtual_ab.allow_non_ab", false); bool device_only_supports_ab = device_supports_ab && !ab_device_supports_nonab; + const auto current_spl = android::base::GetProperty("ro.build.version.security_patch", ""); + if (ViolatesSPLDowngrade(zip, current_spl)) { + LOG(ERROR) << "Denying OTA because it's SPL downgrade"; + return INSTALL_ERROR; + } + if (package_is_ab) { CHECK(package->GetType() == PackageType::kFile); } @@ -699,3 +717,18 @@ bool SetupPackageMount(const std::string& package_path, bool* should_use_fuse) { } return true; } + +// Check if `target_token` is in string `str_list`, where `str_list` is expected to be a +// list delimited by `deliminator` +// E.X. isInStringList("a", "a|b|c|d", "|") => true +// E.X. isInStringList("abc", "abc", "|") => true +static bool isInStringList(const std::string& target_token, const std::string& str_list, + const std::string& deliminator) { + if (target_token.length() > str_list.length()) { + return false; + } else if (target_token.length() == str_list.length() || deliminator.length() == 0) { + return target_token == str_list; + } + auto&& list = android::base::Split(str_list, deliminator); + return std::find(list.begin(), list.end(), target_token) != list.end(); +} diff --git a/install/snapshot_utils.cpp b/install/snapshot_utils.cpp index 7235e67c8..336e50f89 100644 --- a/install/snapshot_utils.cpp +++ b/install/snapshot_utils.cpp @@ -32,7 +32,7 @@ bool FinishPendingSnapshotMerges(Device* device) { } RecoveryUI* ui = device->GetUI(); - auto sm = SnapshotManager::NewForFirstStageMount(); + auto sm = SnapshotManager::New(); if (!sm) { ui->Print("Could not create SnapshotManager.\n"); return false; @@ -57,7 +57,7 @@ bool CreateSnapshotPartitions() { return true; } - auto sm = SnapshotManager::NewForFirstStageMount(); + auto sm = SnapshotManager::New(); if (!sm) { // SnapshotManager could not be created. The device is still in a // consistent state and can continue with the mounting of the existing diff --git a/install/spl_check.cpp b/install/spl_check.cpp new file mode 100644 index 000000000..c26ab82f6 --- /dev/null +++ b/install/spl_check.cpp @@ -0,0 +1,78 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include "install/spl_check.h" + +bool ViolatesSPLDowngrade(const build::tools::releasetools::OtaMetadata& metadata, + std::string_view current_spl) { + const auto& post_spl = metadata.postcondition().security_patch_level(); + if (current_spl.empty()) { + LOG(WARNING) << "Failed to get device's current security patch level. Target SPL is " + << post_spl << " permitting OTA install"; + return false; + } + // SPL(security patch level) is expected to be in format yyyy-mm-dd, e.g. 2018-05-29. Given this + // specific format, comparing two SPL can be done by just regular string comparison. If the format + // must lay out year/month/date in the exact order, and must properly prepend dates with 0(for + // example, 05 for May). Otherwise this comparison doesn't work. We don't expect SPL date formats + // to change, leave this as is. + if (post_spl < current_spl) { + LOG(ERROR) << "Current SPL: " << current_spl << " Target SPL: " << post_spl + << " this is considered a downgrade"; + if (metadata.spl_downgrade() || metadata.downgrade()) { + LOG(WARNING) + << "SPL downgrade detected, but OTA package explicitly permitts this(OtaMetadata has " + "spl_downgrade / downgrade bit set).Permitting update anyway.Installing a SPL " + "downgrade OTA can cause /data fail to decrypt and device fails to boot."; + return false; + } + return true; + } else { + LOG(INFO) << "old spl: " << current_spl << " new spl: " << post_spl << " CHECK passes"; + } + return false; +} + +bool ViolatesSPLDowngrade(ZipArchiveHandle zip, std::string_view current_spl) { + static constexpr auto&& OTA_OTA_METADATA = "META-INF/com/android/metadata.pb"; + ZipEntry64 metadata_entry; + if (FindEntry(zip, OTA_OTA_METADATA, &metadata_entry) != 0) { + LOG(WARNING) << "Failed to find " << OTA_OTA_METADATA + << " treating this as non-spl-downgrade, permit OTA install. If device bricks " + "after installing, check kernel log to see if /data failed to decrypt"; + return false; + } + const auto metadata_entry_length = metadata_entry.uncompressed_length; + if (metadata_entry_length > std::numeric_limits<size_t>::max()) { + LOG(ERROR) << "Failed to extract " << OTA_OTA_METADATA + << " because's uncompressed size exceeds size of address space. " + << metadata_entry_length; + return false; + } + std::vector<uint8_t> ota_metadata(metadata_entry_length); + int32_t err = ExtractToMemory(zip, &metadata_entry, ota_metadata.data(), metadata_entry_length); + if (err != 0) { + LOG(ERROR) << "Failed to extract " << OTA_OTA_METADATA << ": " << ErrorCodeString(err); + return false; + } + using build::tools::releasetools::OtaMetadata; + OtaMetadata metadata; + if (!metadata.ParseFromArray(ota_metadata.data(), ota_metadata.size())) { + LOG(ERROR) << "Failed to parse ota_medata"; + return false; + } + return ViolatesSPLDowngrade(metadata, current_spl); +} diff --git a/install/spl_check_unittests.cpp b/install/spl_check_unittests.cpp new file mode 100644 index 000000000..709b69c9f --- /dev/null +++ b/install/spl_check_unittests.cpp @@ -0,0 +1,45 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include <gtest/gtest.h> + +#include "install/spl_check.h" +#include "ota_metadata.pb.h" + +using build::tools::releasetools::OtaMetadata; +class SplCheckUnittest : public ::testing::Test { + public: + OtaMetadata metadata; +}; + +TEST_F(SplCheckUnittest, OlderSPL) { + metadata.set_spl_downgrade(false); + metadata.mutable_postcondition()->set_security_patch_level("2021-04-25"); + ASSERT_TRUE(ViolatesSPLDowngrade(metadata, "2021-05-01")); +} + +TEST_F(SplCheckUnittest, NewerSPL) { + metadata.set_spl_downgrade(false); + metadata.mutable_postcondition()->set_security_patch_level("2021-06-01"); + ASSERT_FALSE(ViolatesSPLDowngrade(metadata, "2021-05-05")); +} + +TEST_F(SplCheckUnittest, OlderSPLPermit) { + // If spl_downgrade is set to true, OTA should be permitted + metadata.set_spl_downgrade(true); + metadata.mutable_postcondition()->set_security_patch_level("2021-04-11"); + ASSERT_FALSE(ViolatesSPLDowngrade(metadata, "2021-05-11")); +}
\ No newline at end of file diff --git a/install/verifier.cpp b/install/verifier.cpp index ab750442d..3f0260138 100644 --- a/install/verifier.cpp +++ b/install/verifier.cpp @@ -321,8 +321,14 @@ static std::vector<Certificate> IterateZipEntriesAndSearchForKeys(const ZipArchi std::vector<Certificate> result; std::string_view name; - ZipEntry entry; + ZipEntry64 entry; while ((iter_status = Next(cookie, &entry, &name)) == 0) { + if (entry.uncompressed_length > std::numeric_limits<size_t>::max()) { + LOG(ERROR) << "Failed to extract " << name + << " because's uncompressed size exceeds size of address space. " + << entry.uncompressed_length; + return {}; + } std::vector<uint8_t> pem_content(entry.uncompressed_length); if (int32_t extract_status = ExtractToMemory(handle, &entry, pem_content.data(), pem_content.size()); diff --git a/install/wipe_data.cpp b/install/wipe_data.cpp index 287208583..4eecf72c6 100644 --- a/install/wipe_data.cpp +++ b/install/wipe_data.cpp @@ -41,9 +41,6 @@ static bool EraseVolume(const char* volume, RecoveryUI* ui, bool convert_fbe) { bool is_cache = (strcmp(volume, CACHE_ROOT) == 0); bool is_data = (strcmp(volume, DATA_ROOT) == 0); - ui->SetBackground(RecoveryUI::ERASING); - ui->SetProgressType(RecoveryUI::INDETERMINATE); - std::vector<saved_log_file> log_files; if (is_cache) { // If we're reformatting /cache, we load any past logs (i.e. "/cache/recovery/last_*") and the @@ -97,6 +94,9 @@ bool WipeCache(RecoveryUI* ui, const std::function<bool()>& confirm_func) { } ui->Print("\n-- Wiping cache...\n"); + ui->SetBackground(RecoveryUI::ERASING); + ui->SetProgressType(RecoveryUI::INDETERMINATE); + bool success = EraseVolume("/cache", ui, false); ui->Print("Cache wipe %s.\n", success ? "complete" : "failed"); return success; @@ -105,6 +105,8 @@ bool WipeCache(RecoveryUI* ui, const std::function<bool()>& confirm_func) { bool WipeData(Device* device, bool convert_fbe) { RecoveryUI* ui = device->GetUI(); ui->Print("\n-- Wiping data...\n"); + ui->SetBackground(RecoveryUI::ERASING); + ui->SetProgressType(RecoveryUI::INDETERMINATE); if (!FinishPendingSnapshotMerges(device)) { ui->Print("Unable to check update status or complete merge, cannot wipe partitions.\n"); diff --git a/install/wipe_device.cpp b/install/wipe_device.cpp index 89d5d31a3..915c87b45 100644 --- a/install/wipe_device.cpp +++ b/install/wipe_device.cpp @@ -49,9 +49,14 @@ std::vector<std::string> GetWipePartitionList(Package* wipe_package) { constexpr char RECOVERY_WIPE_ENTRY_NAME[] = "recovery.wipe"; std::string partition_list_content; - ZipEntry entry; + ZipEntry64 entry; if (FindEntry(zip, RECOVERY_WIPE_ENTRY_NAME, &entry) == 0) { - uint32_t length = entry.uncompressed_length; + auto length = entry.uncompressed_length; + if (length > std::numeric_limits<size_t>::max()) { + LOG(ERROR) << "Failed to extract " << RECOVERY_WIPE_ENTRY_NAME + << " because's uncompressed size exceeds size of address space. " << length; + return {}; + } partition_list_content = std::string(length, '\0'); if (auto err = ExtractToMemory( zip, &entry, reinterpret_cast<uint8_t*>(partition_list_content.data()), length); |