From c6d9000526f463bc109964b73ed751ae09fc2da7 Mon Sep 17 00:00:00 2001
From: Janis Danisevskis
Date: Mon, 4 Jun 2018 17:25:45 -0700
Subject: Invalid ownership transfer in keymaster2_passthrough_context

In Keymaster2PassthroughContext::ParseKeyBlob we use GetTagValue to retrieve the blobs of application id and application value. GetTagValue only fills a keymaster_blob_t with pointers to memory owned by the corresponding AuthorizationSet, however, we passed in pointers to KeymasterBob which takes ownership leading to an invalid free. This was independently reported and fixed by: Yan, Shaopu vink.shen@mediatek.corp-partner.google.com
Bug: 79305673
Bug: 80554869
Change-Id: I1c8e54ba5fe1d2d6b70abc9cf95432fb1c5e55f6
---
 contexts/keymaster2_passthrough_context.cpp | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/contexts/keymaster2_passthrough_context.cpp b/contexts/keymaster2_passthrough_context.cpp
index fe904ea..678eaaa 100644
--- a/contexts/keymaster2_passthrough_context.cpp
+++ b/contexts/keymaster2_passthrough_context.cpp
@@ -69,10 +69,10 @@ keymaster_error_t Keymaster2PassthroughContext::UpgradeKeyBlob(
 keymaster_error_t Keymaster2PassthroughContext::ParseKeyBlob(const KeymasterKeyBlob& blob,
 const AuthorizationSet& additional_params, UniquePtr* key) const {
 keymaster_key_characteristics_t characteristics = {};
- KeymasterBlob clientId;
- KeymasterBlob applicationData;
- KeymasterBlob* clientIdPtr = &clientId;
- KeymasterBlob* applicationDataPtr = &applicationData;
+ keymaster_blob_t clientId;
+ keymaster_blob_t applicationData;
+ keymaster_blob_t* clientIdPtr = &clientId;
+ keymaster_blob_t* applicationDataPtr = &applicationData;
 if (!additional_params.GetTagValue(TAG_APPLICATION_ID, clientIdPtr)) {
 clientIdPtr = nullptr;
 }
--
cgit v1.2.3
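Review bot: The new `keymaster_blob_t clientId;` and `keymaster_blob_t applicationData;` locals in ParseKeyBlob are plain C structs left uninitialized, unlike `characteristics = {}` on the line above, so their pointer and length fields are indeterminate whenever GetTagValue returns false. The visible code does null the matching pointer in that case, but value-initializing them (`keymaster_blob_t clientId = {};`, `keymaster_blob_t applicationData = {};`) keeps any later direct use of the structs from reading stale stack data. Nothing in the type now signals ownership, so a short comment would also help, for example `// Non-owning views into additional_params; must not be freed or outlive it.`, to keep a future cleanup from reintroducing an owning wrapper and the invalid free with it. The rest of ParseKeyBlob, including the TAG_APPLICATION_DATA lookup and where both pointers are consumed, lies outside this hunk and should be checked for the same borrowing assumption.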