From f69e6a9475983b2ad46729e44ab58d2b22cd74d0 Mon Sep 17 00:00:00 2001 From: Tianjie Xu Date: Fri, 16 Dec 2016 14:27:55 -0800 Subject: Add a checker for signature boundary in verifier The 'signature_start' variable marks the location of the signature from the end of a zip archive. And a boundary check is missing where 'signature_start' should be within the EOCD comment field. This causes problems when sideloading a malicious package. Also add a corresponding test. Bug: 31914369 Test: Verification fails correctly when sideloading recovery_test.zip on angler. Change-Id: I6ea96bf04dac5d8d4d6719e678d504f957b4d5c1 --- tests/component/verifier_test.cpp | 3 ++- tests/testdata/signature-boundary.zip | Bin 0 -> 22 bytes verifier.cpp | 6 ++++++ 3 files changed, 8 insertions(+), 1 deletion(-) create mode 100644 tests/testdata/signature-boundary.zip diff --git a/tests/component/verifier_test.cpp b/tests/component/verifier_test.cpp index 33aadb3fb..8d8b461cb 100644 --- a/tests/component/verifier_test.cpp +++ b/tests/component/verifier_test.cpp @@ -155,4 +155,5 @@ INSTANTIATE_TEST_CASE_P(BadPackage, VerifierFailureTest, std::vector({"random.zip", "v1"}), std::vector({"fake-eocd.zip", "v1"}), std::vector({"alter-metadata.zip", "v1"}), - std::vector({"alter-footer.zip", "v1"}))); + std::vector({"alter-footer.zip", "v1"}), + std::vector({"signature-boundary.zip", "v1"}))); diff --git a/tests/testdata/signature-boundary.zip b/tests/testdata/signature-boundary.zip new file mode 100644 index 000000000..64a3cfa15 Binary files /dev/null and b/tests/testdata/signature-boundary.zip differ diff --git a/verifier.cpp b/verifier.cpp index 44098f70e..82454867b 100644 --- a/verifier.cpp +++ b/verifier.cpp @@ -147,6 +147,12 @@ int verify_file(unsigned char* addr, size_t length, LOG(INFO) << "comment is " << comment_size << " bytes; signature is " << signature_start << " bytes from end"; + if (signature_start > comment_size) { + LOG(ERROR) << "signature start: " << signature_start << " is larger than comment size: " + << comment_size; + return VERIFY_FAILURE; + } + if (signature_start <= FOOTER_SIZE) { LOG(ERROR) << "Signature start is in the footer"; return VERIFY_FAILURE; -- cgit v1.2.3