authorLinux Build Service Account <lnxbuild@localhost>2016-03-01 20:12:29 -0800
committerGerrit - the friendly Code Review server <code-review@localhost>2016-03-01 20:12:29 -0800
commit0e66889c35692a4c559769f2b985a4f35b71bfaa (patch)
tree2cb5b1494e4dd26f69a0819abb0d29037053c5dd
parent85f1c834dda45c687cf91cb808d95e5d19e0f66e (diff)
parentc2137bdc7f5057a8b296aad978c5a717e887faf9 (diff)
Merge "platform: msm_shared: add integer overflow checks"
-rw-r--r--platform/msm_shared/boot_verifier.c26
1 files changed, 25 insertions, 1 deletions
diff --git a/platform/msm_shared/boot_verifier.c b/platform/msm_shared/boot_verifier.c
index 953e8921..285e226f 100644
--- a/platform/msm_shared/boot_verifier.c
+++ b/platform/msm_shared/boot_verifier.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2014-2015, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2014-2016, The Linux Foundation. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
@@ -411,6 +411,18 @@ bool send_rot_command(uint32_t is_unlocked)
// Send hash of key from OEM KEYSTORE + Boot device state
n = BN_num_bytes(oem_keystore->mykeybag->mykey->key_material->n);
e = BN_num_bytes(oem_keystore->mykeybag->mykey->key_material->e);
+ /*this assumes a valid acceptable range for RSA, including 4096 bits of modulo n. */
+ if (n<0 || n>1024)
+ {
+ dprintf(CRITICAL, "Invalid n value from key_material\n");
+ ASSERT(0);
+ }
+ /* e can assumes 3,5,17,257,65537 as valid values, which should be 1 byte long only, we accept 2 bytes or 16 bits long */
+ if( e < 0 || e >16)
+ {
+ dprintf(CRITICAL, "Invalid e value from key_material\n");
+ ASSERT(0);
+ }
len_oem_rsa = n + e;
if(!(input = malloc(len_oem_rsa)))
{
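Review bot: The comment above the e check does not match the guard it documents: 257 needs two bytes and 65537 needs three, and the condition `e > 16` accepts up to 16 bytes, not "2 bytes or 16 bits" as written. I would replace it with `/* Common public exponents (3, 5, 17, 257, 65537) fit in 3 bytes; 16 bytes is a generous upper bound. */` so the limit is not tightened later on the strength of a wrong remark; the same comment and check are repeated in the rsa_from_cert hunk below. The bound also lets n == 0 through, so a zero-length modulus would reach `malloc(len_oem_rsa)` with a size of e alone (or 0 when e is also empty); if the code after the hunk does not reject that case, `if (n <= 0 || n > 1024)` would be the safer guard. send_rot_command begins and ends outside this hunk, so I cannot confirm how len_oem_rsa is used after allocation.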
@@ -433,6 +445,18 @@ bool send_rot_command(uint32_t is_unlocked)
// Send hash of key from certificate in boot image + boot device state
n = BN_num_bytes(rsa_from_cert->n);
e = BN_num_bytes(rsa_from_cert->e);
+ /*this assumes a valid acceptable range for RSA, including 4096 bits of modulo n. */
+ if (n<0 || n>1024)
+ {
+ dprintf(CRITICAL, "Invalid n value from rsa_from_cert\n");
+ ASSERT(0);
+ }
+ /* e can assumes 3,5,17,257,65537 as valid values, which should be 1 byte long only, we accept 2 bytes or 16 bits long */
+ if( e < 0 || e >16)
+ {
+ dprintf(CRITICAL, "Invalid e value from rsa_from_cert\n");
+ ASSERT(0);
+ }
len_from_cert = n + e;
if(!(input = malloc(len_from_cert)))
{