author | suryaprakash.konduru <suryaprakash.konduru@nxp.com> | 2023-06-21 01:40:17 +0000 |
---|---|---|
committer | Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> | 2023-06-21 01:40:17 +0000 |
commit | ea6c3c6c627753911cd7e77e2d8dbe4d6fa3ebb1 (patch) | |
tree | 861927fb34d9414294b21521d6db1d85a009db7f | |
parent | 3fa943236c8f1d1081869c257381f9fc04306f28 (diff) | |
parent | d33c74f2114dc7ea0965c5f01b0e37445c6ea125 (diff) | |
Fix for potential oob write and missing boundary check am: 3aa73c4667 am: fcb341cd5e am: a44276bbf9 am: d33c74f211
Original change: https://android-review.googlesource.com/c/platform/hardware/nxp/secure_element/+/2628735
Change-Id: I90841b185df36cf4c8469a5512d59ae17a03b8c2
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
-rw-r--r-- | pn8x/1.0/SecureElement.cpp | 12 | ||||
-rwxr-xr-x | pn8x/1.0/SecureElement.h | 5 | ||||
-rw-r--r-- | pn8x/1.1/SecureElement.cpp | 12 | ||||
-rwxr-xr-x | pn8x/1.1/SecureElement.h | 5 | ||||
-rwxr-xr-x | snxxx/1.0/SecureElement.cpp | 15 | ||||
-rw-r--r-- | snxxx/1.0/SecureElement.h | 5 | ||||
-rwxr-xr-x | snxxx/1.1/SecureElement.cpp | 14 | ||||
-rwxr-xr-x | snxxx/1.1/SecureElement.h | 5 | ||||
-rwxr-xr-x | snxxx/1.2/SecureElement.cpp | 14 | ||||
-rwxr-xr-x | snxxx/1.2/SecureElement.h | 5 | ||||
-rw-r--r-- | snxxx/aidl/SecureElement.cpp | 12 | ||||
-rw-r--r-- | snxxx/aidl/SecureElement.h | 3 |
12 files changed, 93 insertions, 14 deletions
diff --git a/pn8x/1.0/SecureElement.cpp b/pn8x/1.0/SecureElement.cpp index 039d872..b2159a6 100644 --- a/pn8x/1.0/SecureElement.cpp +++ b/pn8x/1.0/SecureElement.cpp @@ -1,6 +1,6 @@ /****************************************************************************** * - * Copyright 2018 NXP + * Copyright 2018,2023 NXP * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -125,6 +125,11 @@ Return<void> SecureElement::openLogicalChannel(const hidl_vec<uint8_t>& aid, LogicalChannelResponse resApduBuff; resApduBuff.channelNumber = 0xff; memset(&resApduBuff, 0x00, sizeof(resApduBuff)); + if (aid.size() > MAX_AID_LENGTH) { + ALOGE("%s: AID out of range!!!", __func__); + _hidl_cb(resApduBuff, SecureElementStatus::FAILED); + return Void(); + } if (!isSeInitialized()) { ESESTATUS status = seHalInit(); @@ -254,6 +259,11 @@ Return<void> SecureElement::openBasicChannel(const hidl_vec<uint8_t>& aid, uint8_t p2, openBasicChannel_cb _hidl_cb) { hidl_vec<uint8_t> result; + if (aid.size() > MAX_AID_LENGTH) { + ALOGE("%s: AID out of range!!!", __func__); + _hidl_cb(result, SecureElementStatus::FAILED); + return Void(); + } if (!isSeInitialized()) { ESESTATUS status = seHalInit(); diff --git a/pn8x/1.0/SecureElement.h b/pn8x/1.0/SecureElement.h index 6c314e4..1a72169 100755 --- a/pn8x/1.0/SecureElement.h +++ b/pn8x/1.0/SecureElement.h @@ -1,6 +1,6 @@ /****************************************************************************** * - * Copyright 2018 NXP + * Copyright 2018,2023 NXP * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -47,6 +47,9 @@ using ::android::hidl::base::V1_0::IBase; #ifndef DEFAULT_BASIC_CHANNEL #define DEFAULT_BASIC_CHANNEL 0x00 #endif +#ifndef MAX_AID_LENGTH +#define MAX_AID_LENGTH 0x10 +#endif struct SecureElement : public ISecureElement, public hidl_death_recipient { SecureElement(); 
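Review bot: The new early return in openLogicalChannel passes `resApduBuff` to the callback with `channelNumber` equal to 0, because the `memset` on the context line just above wipes the `0xff` assigned before it, and 0 is also `DEFAULT_BASIC_CHANNEL` in this module's header. A caller that reads the response without checking the status would then see the rejected request attributed to the basic channel, so I would add `resApduBuff.channelNumber = 0xff;` inside the new `if`, before `_hidl_cb(resApduBuff, SecureElementStatus::FAILED);`. The same applies to the openLogicalChannel hunks in pn8x/1.1, snxxx/1.0, snxxx/1.1 and snxxx/1.2, and the snxxx/aidl hunk assigns the same zeroed struct to `*_aidl_return`. The rest of openLogicalChannel lies outside the hunk, so whether the other failure paths restore the sentinel cannot be confirmed from here.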
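Review bot: `MAX_AID_LENGTH` is added behind `#ifndef` in SecureElement.h, so a definition supplied earlier (for example a `-DMAX_AID_LENGTH=...` build flag) would silently replace the only bound that the new `aid.size()` checks enforce. I would drop the guard and use a typed constant, e.g. `static constexpr size_t kMaxAidLength = 16;  // largest AID permitted by ISO/IEC 7816-4`, updating the checks in SecureElement.cpp to match. The copy that this bound protects is outside the visible hunks; if its destination has a fixed size, a `static_assert` relating the two would keep them from drifting apart. The identical block is added to SecureElement.h in pn8x/1.1, snxxx/1.0, snxxx/1.1, snxxx/1.2 and snxxx/aidl, so a single shared definition would be preferable to six copies.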
diff --git a/pn8x/1.1/SecureElement.cpp b/pn8x/1.1/SecureElement.cpp index e4a05df..c960568 100644 --- a/pn8x/1.1/SecureElement.cpp +++ b/pn8x/1.1/SecureElement.cpp @@ -1,6 +1,6 @@ /****************************************************************************** * - * Copyright 2018 NXP + * Copyright 2018,2023 NXP * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -167,6 +167,11 @@ Return<void> SecureElement::openLogicalChannel(const hidl_vec<uint8_t>& aid, LogicalChannelResponse resApduBuff; resApduBuff.channelNumber = 0xff; memset(&resApduBuff, 0x00, sizeof(resApduBuff)); + if (aid.size() > MAX_AID_LENGTH) { + ALOGE("%s: AID out of range!!!", __func__); + _hidl_cb(resApduBuff, SecureElementStatus::FAILED); + return Void(); + } if (!isSeInitialized()) { ESESTATUS status = seHalInit(); @@ -296,6 +301,11 @@ Return<void> SecureElement::openBasicChannel(const hidl_vec<uint8_t>& aid, uint8_t p2, openBasicChannel_cb _hidl_cb) { hidl_vec<uint8_t> result; + if (aid.size() > MAX_AID_LENGTH) { + ALOGE("%s: AID out of range!!!", __func__); + _hidl_cb(result, SecureElementStatus::FAILED); + return Void(); + } if (!isSeInitialized()) { ESESTATUS status = seHalInit(); diff --git a/pn8x/1.1/SecureElement.h b/pn8x/1.1/SecureElement.h index d36b03f..4c7d278 100755 --- a/pn8x/1.1/SecureElement.h +++ b/pn8x/1.1/SecureElement.h @@ -1,6 +1,6 @@ /****************************************************************************** * - * Copyright 2018 NXP + * Copyright 2018,2023 NXP * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -50,6 +50,9 @@ using ::android::hidl::base::V1_0::IBase; #ifndef DEFAULT_BASIC_CHANNEL #define DEFAULT_BASIC_CHANNEL 0x00 #endif +#ifndef MAX_AID_LENGTH +#define MAX_AID_LENGTH 0x10 +#endif struct SecureElement : public V1_1::ISecureElement, public hidl_death_recipient { 
diff --git a/snxxx/1.0/SecureElement.cpp b/snxxx/1.0/SecureElement.cpp index 18c5176..021f783 100755 --- a/snxxx/1.0/SecureElement.cpp +++ b/snxxx/1.0/SecureElement.cpp @@ -1,6 +1,6 @@ /****************************************************************************** * - * Copyright 2018-2021 NXP + * Copyright 2018-2021,2023 NXP * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -226,6 +226,11 @@ Return<void> SecureElement::openLogicalChannel(const hidl_vec<uint8_t>& aid, LogicalChannelResponse resApduBuff; resApduBuff.channelNumber = 0xff; memset(&resApduBuff, 0x00, sizeof(resApduBuff)); + if (aid.size() > MAX_AID_LENGTH) { + LOG(ERROR) << "%s: AID out of range!!!" << __func__; + _hidl_cb(resApduBuff, SecureElementStatus::FAILED); + return Void(); + } LOG(INFO) << "Acquired the lock from SPI openLogicalChannel"; @@ -397,10 +402,16 @@ Return<void> SecureElement::openLogicalChannel(const hidl_vec<uint8_t>& aid, Return<void> SecureElement::openBasicChannel(const hidl_vec<uint8_t>& aid, uint8_t p2, openBasicChannel_cb _hidl_cb) { + hidl_vec<uint8_t> result; + if (aid.size() > MAX_AID_LENGTH) { + LOG(ERROR) << "%s: AID out of range!!!" << __func__; + _hidl_cb(result, SecureElementStatus::FAILED); + return Void(); + } + ESESTATUS status = ESESTATUS_SUCCESS; phNxpEse_7816_cpdu_t cpdu; phNxpEse_7816_rpdu_t rpdu; - hidl_vec<uint8_t> result; hidl_vec<uint8_t> ls_aid = {0xA0, 0x00, 0x00, 0x03, 0x96, 0x41, 0x4C, 0x41, 0x01, 0x43, 0x4F, 0x52, 0x01}; diff --git a/snxxx/1.0/SecureElement.h b/snxxx/1.0/SecureElement.h index 44d7e7b..1baf083 100644 --- a/snxxx/1.0/SecureElement.h +++ b/snxxx/1.0/SecureElement.h @@ -1,6 +1,6 @@ /****************************************************************************** * - * Copyright 2018 NXP + * Copyright 2018,2023 NXP * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
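Review bot: The added `LOG(ERROR) << "%s: AID out of range!!!" << __func__;` in openLogicalChannel puts a printf conversion into a stream-style log, so the message is emitted as the literal `%s: AID out of range!!!` with the function name appended directly after it. That makes rejected over-long AIDs harder to search for in logs; `LOG(ERROR) << __func__ << ": AID out of range!!!";` produces the same text the pn8x variants print through `ALOGE`. The same statement is added to openBasicChannel in this file and to both functions in snxxx/1.1, snxxx/1.2 and snxxx/aidl SecureElement.cpp.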
@@ -72,6 +72,9 @@ using ::android::hidl::base::V1_0::IBase; #ifndef DEFAULT_BASIC_CHANNEL #define DEFAULT_BASIC_CHANNEL 0x00 #endif +#ifndef MAX_AID_LENGTH +#define MAX_AID_LENGTH 0x10 +#endif struct SecureElement : public ISecureElement, public hidl_death_recipient { SecureElement(); diff --git a/snxxx/1.1/SecureElement.cpp b/snxxx/1.1/SecureElement.cpp index dafde01..e261910 100755 --- a/snxxx/1.1/SecureElement.cpp +++ b/snxxx/1.1/SecureElement.cpp @@ -1,6 +1,6 @@ /****************************************************************************** * - * Copyright 2018-2022 NXP + * Copyright 2018-2023 NXP * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -320,6 +320,11 @@ Return<void> SecureElement::openLogicalChannel(const hidl_vec<uint8_t>& aid, LogicalChannelResponse resApduBuff; resApduBuff.channelNumber = 0xff; memset(&resApduBuff, 0x00, sizeof(resApduBuff)); + if (aid.size() > MAX_AID_LENGTH) { + LOG(ERROR) << "%s: AID out of range!!!" << __func__; + _hidl_cb(resApduBuff, SecureElementStatus::FAILED); + return Void(); + } LOG(INFO) << "Acquired the lock from SPI openLogicalChannel"; @@ -483,11 +488,16 @@ Return<void> SecureElement::openLogicalChannel(const hidl_vec<uint8_t>& aid, Return<void> SecureElement::openBasicChannel(const hidl_vec<uint8_t>& aid, uint8_t p2, openBasicChannel_cb _hidl_cb) { + hidl_vec<uint8_t> result; + if (aid.size() > MAX_AID_LENGTH) { + LOG(ERROR) << "%s: AID out of range!!!" << __func__; + _hidl_cb(result, SecureElementStatus::FAILED); + return Void(); + } AutoMutex guard(seHalLock); ESESTATUS status = ESESTATUS_SUCCESS; phNxpEse_7816_cpdu_t cpdu; phNxpEse_7816_rpdu_t rpdu; - hidl_vec<uint8_t> result; hidl_vec<uint8_t> ls_aid = {0xA0, 0x00, 0x00, 0x03, 0x96, 0x41, 0x4C, 0x41, 0x01, 0x43, 0x4F, 0x52, 0x01}; diff --git a/snxxx/1.1/SecureElement.h b/snxxx/1.1/SecureElement.h index 4ed0b8f..1884f67 100755 --- a/snxxx/1.1/SecureElement.h 
+++ b/snxxx/1.1/SecureElement.h @@ -1,6 +1,6 @@ /****************************************************************************** * - * Copyright 2018-2019 NXP + * Copyright 2018-2019,2023 NXP * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -77,6 +77,9 @@ using ::android::hidl::base::V1_0::IBase; #ifndef DEFAULT_BASIC_CHANNEL #define DEFAULT_BASIC_CHANNEL 0x00 #endif +#ifndef MAX_AID_LENGTH +#define MAX_AID_LENGTH 0x10 +#endif struct SecureElement : public V1_1::ISecureElement, public hidl_death_recipient { diff --git a/snxxx/1.2/SecureElement.cpp b/snxxx/1.2/SecureElement.cpp index 42f2cd2..35b84eb 100755 --- a/snxxx/1.2/SecureElement.cpp +++ b/snxxx/1.2/SecureElement.cpp @@ -1,6 +1,6 @@ /****************************************************************************** * - * Copyright 2018-2022 NXP + * Copyright 2018-2023 NXP * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -398,6 +398,11 @@ Return<void> SecureElement::openLogicalChannel(const hidl_vec<uint8_t>& aid, LogicalChannelResponse resApduBuff; resApduBuff.channelNumber = 0xff; memset(&resApduBuff, 0x00, sizeof(resApduBuff)); + if (aid.size() > MAX_AID_LENGTH) { + LOG(ERROR) << "%s: AID out of range!!!" << __func__; + _hidl_cb(resApduBuff, SecureElementStatus::FAILED); + return Void(); + } /* * Basic channel & reserved channel if any is removed 
@@ -597,11 +602,16 @@ Return<void> SecureElement::openLogicalChannel(const hidl_vec<uint8_t>& aid, Return<void> SecureElement::openBasicChannel(const hidl_vec<uint8_t>& aid, uint8_t p2, openBasicChannel_cb _hidl_cb) { + hidl_vec<uint8_t> result; + if (aid.size() > MAX_AID_LENGTH) { + LOG(ERROR) << "%s: AID out of range!!!" << __func__; + _hidl_cb(result, SecureElementStatus::FAILED); + return Void(); + } AutoMutex guard(seHalLock); ESESTATUS status = ESESTATUS_SUCCESS; phNxpEse_7816_cpdu_t cpdu; phNxpEse_7816_rpdu_t rpdu; - hidl_vec<uint8_t> result; hidl_vec<uint8_t> ls_aid = {0xA0, 0x00, 0x00, 0x03, 0x96, 0x41, 0x4C, 0x41, 0x01, 0x43, 0x4F, 0x52, 0x01}; diff --git a/snxxx/1.2/SecureElement.h b/snxxx/1.2/SecureElement.h index 0f503c0..198a039 100755 --- a/snxxx/1.2/SecureElement.h +++ b/snxxx/1.2/SecureElement.h @@ -1,6 +1,6 @@ /****************************************************************************** * - * Copyright 2020,2022 NXP + * Copyright 2020,2022-2023 NXP * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -80,6 +80,9 @@ using ::android::hidl::base::V1_0::IBase; #ifndef DEFAULT_BASIC_CHANNEL #define DEFAULT_BASIC_CHANNEL 0x00 #endif +#ifndef MAX_AID_LENGTH +#define MAX_AID_LENGTH 0x10 +#endif struct SecureElement : public V1_2::ISecureElement, public hidl_death_recipient { diff --git a/snxxx/aidl/SecureElement.cpp b/snxxx/aidl/SecureElement.cpp index 3790d04..7a7a5aa 100644 --- a/snxxx/aidl/SecureElement.cpp +++ b/snxxx/aidl/SecureElement.cpp @@ -307,6 +307,11 @@ ScopedAStatus SecureElement::openLogicalChannel( LogicalChannelResponse resApduBuff; resApduBuff.channelNumber = 0xff; memset(&resApduBuff, 0x00, sizeof(resApduBuff)); + if (aid.size() > MAX_AID_LENGTH) { + LOG(ERROR) << "%s: AID out of range!!!" << __func__; + *_aidl_return = resApduBuff; + return ScopedAStatus::fromServiceSpecificError(FAILED); + } /* * Basic channel & reserved channel if any is removed 
@@ -506,11 +511,16 @@ ScopedAStatus SecureElement::openLogicalChannel( ScopedAStatus SecureElement::openBasicChannel( const std::vector<uint8_t>& aid, int8_t p2, std::vector<uint8_t>* _aidl_return) { + std::vector<uint8_t> result; + if (aid.size() > MAX_AID_LENGTH) { + LOG(ERROR) << "%s: AID out of range!!!" << __func__; + *_aidl_return = result; + return ScopedAStatus::fromServiceSpecificError(FAILED); + } AutoMutex guard(seHalLock); ESESTATUS status = ESESTATUS_SUCCESS; phNxpEse_7816_cpdu_t cpdu; phNxpEse_7816_rpdu_t rpdu; - std::vector<uint8_t> result; if (mOpenedChannels[0]) { LOG(ERROR) << "openBasicChannel failed, channel already in use"; diff --git a/snxxx/aidl/SecureElement.h b/snxxx/aidl/SecureElement.h index 1309db0..98e8901 100644 --- a/snxxx/aidl/SecureElement.h +++ b/snxxx/aidl/SecureElement.h @@ -65,6 +65,9 @@ using ndk::ScopedAStatus; #ifndef DEFAULT_BASIC_CHANNEL #define DEFAULT_BASIC_CHANNEL 0x00 #endif +#ifndef MAX_AID_LENGTH +#define MAX_AID_LENGTH 0x10 +#endif struct SecureElement : public BnSecureElement { public: |