author | Janis Danisevskis <jdanis@google.com> | 2018-06-04 17:25:45 -0700 |
---|---|---|
committer | Janis Danisevskis <jdanis@google.com> | 2018-06-04 17:44:58 -0700 |
commit | c6d9000526f463bc109964b73ed751ae09fc2da7 (patch) | |
tree | 6dbc19849752c206e135ab59349ebb1cc62bb435 | |
parent | a1a25ff30e8e9f46d4da72bac672469352c839bb (diff) | |
Invalid ownership transfer in keymaster2_passthrough_context
In Keymaster2PassthroughContext::ParseKeyBlob we use GetTagValue to
retrieve the blobs of application id and application value. GetTagValue
only fills a keymaster_blob_t with pointers to memory owned by the
corresponding AuthorizationSet, however, we passed in pointers to
KeymasterBlob which takes ownership leading to an invalid free.
This was independently reported and fixed by:
Yan, Shaopu <shaopu.yan@intel.com>
vink.shen@mediatek.corp-partner.google.com
Bug: 79305673
Bug: 80554869
Change-Id: I1c8e54ba5fe1d2d6b70abc9cf95432fb1c5e55f6
-rw-r--r-- | contexts/keymaster2_passthrough_context.cpp | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/contexts/keymaster2_passthrough_context.cpp b/contexts/keymaster2_passthrough_context.cpp index fe904ea..678eaaa 100644 --- a/contexts/keymaster2_passthrough_context.cpp +++ b/contexts/keymaster2_passthrough_context.cpp @@ -69,10 +69,10 @@ keymaster_error_t Keymaster2PassthroughContext::UpgradeKeyBlob( keymaster_error_t Keymaster2PassthroughContext::ParseKeyBlob(const KeymasterKeyBlob& blob, const AuthorizationSet& additional_params, UniquePtr<Key>* key) const { keymaster_key_characteristics_t characteristics = {}; - KeymasterBlob clientId; - KeymasterBlob applicationData; - KeymasterBlob* clientIdPtr = &clientId; - KeymasterBlob* applicationDataPtr = &applicationData; + keymaster_blob_t clientId; + keymaster_blob_t applicationData; + keymaster_blob_t* clientIdPtr = &clientId; + keymaster_blob_t* applicationDataPtr = &applicationData; if (!additional_params.GetTagValue(TAG_APPLICATION_ID, clientIdPtr)) { clientIdPtr = nullptr; } |
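Review bot: the new `keymaster_blob_t clientId;` and `keymaster_blob_t applicationData;` locals in ParseKeyBlob are declared without an initializer, unlike `characteristics = {}` on the line just above them. The visible path is safe because `clientIdPtr` is reset to `nullptr` when `GetTagValue(TAG_APPLICATION_ID, clientIdPtr)` fails, so the struct is never read in that case, but value-initializing both (`keymaster_blob_t clientId = {};`) would keep a stale pointer and length out of the struct if a later edit drops or reorders that check. Since the fix depends on these blobs being non-owning views into memory held by `additional_params`, a one-line comment saying so at the declarations would also help prevent someone from switching back to an owning type such as `KeymasterBlob`.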