Merge tag 'android-12.0.0_r7' into android-11
Android 12.0.0 release 7
Change-Id: Idbc61c74c1f983c7e8c7c9269059997eefefdc4d
diff --git a/install/Android.bp b/install/Android.bp
index aa14475..ef18116 100644
--- a/install/Android.bp
+++ b/install/Android.bp
@@ -12,11 +12,21 @@
// See the License for the specific language governing permissions and
// limitations under the License.
+package {
+ // See: http://go/android-license-faq
+ // A large-scale-change added 'default_applicable_licenses' to import
+ // all of the 'license_kinds' from "bootable_recovery_license"
+ // to get the below license kinds:
+ // SPDX-license-identifier-Apache-2.0
+ default_applicable_licenses: ["bootable_recovery_license"],
+}
+
cc_defaults {
name: "libinstall_defaults",
defaults: [
"recovery_defaults",
+ "libspl_check_defaults",
],
cflags: [
@@ -44,12 +54,51 @@
"librecovery_utils",
"libotautil",
"libsnapshot_nobinder",
+ "ota_metadata_proto_cc",
// external dependencies
"libvintf",
],
}
+cc_test_host {
+ name: "libinstall_host_unittests",
+ defaults: [
+ "libspl_check_defaults"
+ ],
+ srcs: [
+ "spl_check_unittests.cpp",
+ ],
+ static_libs: [
+ "libspl_check",
+ ],
+}
+
+cc_defaults {
+ name: "libspl_check_defaults",
+ static_libs: [
+ "libbase",
+ "ota_metadata_proto_cc",
+ "liblog",
+ "libziparchive",
+ "libz",
+ "libprotobuf-cpp-lite",
+ ],
+}
+
+cc_library_static {
+ name: "libspl_check",
+ recovery_available: true,
+ host_supported: true,
+ defaults: [
+ "libspl_check_defaults",
+ ],
+ srcs: ["spl_check.cpp"],
+ export_include_dirs: [
+ "include",
+ ],
+}
+
cc_library_static {
name: "libinstall",
recovery_available: true,
@@ -68,6 +117,7 @@
"verifier.cpp",
"wipe_data.cpp",
"wipe_device.cpp",
+ "spl_check.cpp",
],
header_libs: [
diff --git a/install/include/install/spl_check.h b/install/include/install/spl_check.h
new file mode 100644
index 0000000..e0bfc62
--- /dev/null
+++ b/install/include/install/spl_check.h
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <string_view>
+
+#include <android-base/logging.h>
+#include <ota_metadata.pb.h>
+#include <ziparchive/zip_archive.h>
+
+bool ViolatesSPLDowngrade(const build::tools::releasetools::OtaMetadata& metadata,
+ std::string_view current_spl);
+
+bool ViolatesSPLDowngrade(ZipArchiveHandle zip, std::string_view current_spl);
diff --git a/install/install.cpp b/install/install.cpp
index 80c4bdf..c1f14cf 100755
--- a/install/install.cpp
+++ b/install/install.cpp
@@ -47,6 +47,7 @@
#include <android-base/unique_fd.h>
#include "install/package.h"
+#include "install/spl_check.h"
#include "install/verifier.h"
#include "install/wipe_data.h"
#include "otautil/error_code.h"
@@ -67,14 +68,17 @@
// Default allocation of progress bar segments to operations
// static constexpr int VERIFICATION_PROGRESS_TIME = 60;
// static constexpr float VERIFICATION_PROGRESS_FRACTION = 0.25;
-
+// The charater used to separate dynamic fingerprints. e.x. sargo|aosp-sargo
+static const char* FINGERPRING_SEPARATOR = "|";
static std::condition_variable finish_log_temperature;
+static bool isInStringList(const std::string& target_token, const std::string& str_list,
+ const std::string& deliminator);
bool ReadMetadataFromPackage(ZipArchiveHandle zip, std::map<std::string, std::string>* metadata) {
CHECK(metadata != nullptr);
static constexpr const char* METADATA_PATH = "META-INF/com/android/metadata";
- ZipEntry entry;
+ ZipEntry64 entry;
if (FindEntry(zip, METADATA_PATH, &entry) != 0) {
LOG(ERROR) << "Failed to find " << METADATA_PATH;
return false;
@@ -151,7 +155,8 @@
auto device_fingerprint = android::base::GetProperty("ro.build.fingerprint", "");
auto pkg_pre_build_fingerprint = get_value(metadata, "pre-build");
- if (!pkg_pre_build_fingerprint.empty() && pkg_pre_build_fingerprint != device_fingerprint) {
+ if (!pkg_pre_build_fingerprint.empty() &&
+ !isInStringList(device_fingerprint, pkg_pre_build_fingerprint, FINGERPRING_SEPARATOR)) {
LOG(ERROR) << "Package is for source build " << pkg_pre_build_fingerprint << " but expected "
<< device_fingerprint;
return false;
@@ -199,7 +204,8 @@
auto device = android::base::GetProperty("ro.product.device", "");
auto pkg_device = get_value(metadata, "pre-device");
- if (pkg_device != device || pkg_device.empty()) {
+ // device name can be a | separated list, so need to check
+ if (pkg_device.empty() || !isInStringList(device, pkg_device, FINGERPRING_SEPARATOR)) {
LOG(ERROR) << "Package is for product " << pkg_device << " but expected " << device;
return false;
}
@@ -236,12 +242,18 @@
// For A/B updates we extract the payload properties to a buffer and obtain the RAW payload offset
// in the zip file.
static constexpr const char* AB_OTA_PAYLOAD_PROPERTIES = "payload_properties.txt";
- ZipEntry properties_entry;
+ ZipEntry64 properties_entry;
if (FindEntry(zip, AB_OTA_PAYLOAD_PROPERTIES, &properties_entry) != 0) {
LOG(ERROR) << "Failed to find " << AB_OTA_PAYLOAD_PROPERTIES;
return false;
}
- uint32_t properties_entry_length = properties_entry.uncompressed_length;
+ auto properties_entry_length = properties_entry.uncompressed_length;
+ if (properties_entry_length > std::numeric_limits<size_t>::max()) {
+ LOG(ERROR) << "Failed to extract " << AB_OTA_PAYLOAD_PROPERTIES
+ << " because's uncompressed size exceeds size of address space. "
+ << properties_entry_length;
+ return false;
+ }
std::vector<uint8_t> payload_properties(properties_entry_length);
int32_t err =
ExtractToMemory(zip, &properties_entry, payload_properties.data(), properties_entry_length);
@@ -251,7 +263,7 @@
}
static constexpr const char* AB_OTA_PAYLOAD = "payload.bin";
- ZipEntry payload_entry;
+ ZipEntry64 payload_entry;
if (FindEntry(zip, AB_OTA_PAYLOAD, &payload_entry) != 0) {
LOG(ERROR) << "Failed to find " << AB_OTA_PAYLOAD;
return false;
@@ -273,7 +285,7 @@
// In non-A/B updates we extract the update binary from the package.
static constexpr const char* UPDATE_BINARY_NAME = "META-INF/com/google/android/update-binary";
- ZipEntry binary_entry;
+ ZipEntry64 binary_entry;
if (FindEntry(zip, UPDATE_BINARY_NAME, &binary_entry) != 0) {
LOG(ERROR) << "Failed to find update binary " << UPDATE_BINARY_NAME;
return false;
@@ -337,6 +349,12 @@
android::base::GetBoolProperty("ro.virtual_ab.allow_non_ab", false);
bool device_only_supports_ab = device_supports_ab && !ab_device_supports_nonab;
+ const auto current_spl = android::base::GetProperty("ro.build.version.security_patch", "");
+ if (ViolatesSPLDowngrade(zip, current_spl)) {
+ LOG(ERROR) << "Denying OTA because it's SPL downgrade";
+ return INSTALL_ERROR;
+ }
+
if (package_is_ab) {
CHECK(package->GetType() == PackageType::kFile);
}
@@ -699,3 +717,18 @@
}
return true;
}
+
+// Check if `target_token` is in string `str_list`, where `str_list` is expected to be a
+// list delimited by `deliminator`
+// E.X. isInStringList("a", "a|b|c|d", "|") => true
+// E.X. isInStringList("abc", "abc", "|") => true
+static bool isInStringList(const std::string& target_token, const std::string& str_list,
+ const std::string& deliminator) {
+ if (target_token.length() > str_list.length()) {
+ return false;
+ } else if (target_token.length() == str_list.length() || deliminator.length() == 0) {
+ return target_token == str_list;
+ }
+ auto&& list = android::base::Split(str_list, deliminator);
+ return std::find(list.begin(), list.end(), target_token) != list.end();
+}
diff --git a/install/snapshot_utils.cpp b/install/snapshot_utils.cpp
index 7235e67..336e50f 100644
--- a/install/snapshot_utils.cpp
+++ b/install/snapshot_utils.cpp
@@ -32,7 +32,7 @@
}
RecoveryUI* ui = device->GetUI();
- auto sm = SnapshotManager::NewForFirstStageMount();
+ auto sm = SnapshotManager::New();
if (!sm) {
ui->Print("Could not create SnapshotManager.\n");
return false;
@@ -57,7 +57,7 @@
return true;
}
- auto sm = SnapshotManager::NewForFirstStageMount();
+ auto sm = SnapshotManager::New();
if (!sm) {
// SnapshotManager could not be created. The device is still in a
// consistent state and can continue with the mounting of the existing
diff --git a/install/spl_check.cpp b/install/spl_check.cpp
new file mode 100644
index 0000000..c26ab82
--- /dev/null
+++ b/install/spl_check.cpp
@@ -0,0 +1,78 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "install/spl_check.h"
+
+bool ViolatesSPLDowngrade(const build::tools::releasetools::OtaMetadata& metadata,
+ std::string_view current_spl) {
+ const auto& post_spl = metadata.postcondition().security_patch_level();
+ if (current_spl.empty()) {
+ LOG(WARNING) << "Failed to get device's current security patch level. Target SPL is "
+ << post_spl << " permitting OTA install";
+ return false;
+ }
+ // SPL(security patch level) is expected to be in format yyyy-mm-dd, e.g. 2018-05-29. Given this
+ // specific format, comparing two SPL can be done by just regular string comparison. If the format
+ // must lay out year/month/date in the exact order, and must properly prepend dates with 0(for
+ // example, 05 for May). Otherwise this comparison doesn't work. We don't expect SPL date formats
+ // to change, leave this as is.
+ if (post_spl < current_spl) {
+ LOG(ERROR) << "Current SPL: " << current_spl << " Target SPL: " << post_spl
+ << " this is considered a downgrade";
+ if (metadata.spl_downgrade() || metadata.downgrade()) {
+ LOG(WARNING)
+ << "SPL downgrade detected, but OTA package explicitly permitts this(OtaMetadata has "
+ "spl_downgrade / downgrade bit set).Permitting update anyway.Installing a SPL "
+ "downgrade OTA can cause /data fail to decrypt and device fails to boot.";
+ return false;
+ }
+ return true;
+ } else {
+ LOG(INFO) << "old spl: " << current_spl << " new spl: " << post_spl << " CHECK passes";
+ }
+ return false;
+}
+
+bool ViolatesSPLDowngrade(ZipArchiveHandle zip, std::string_view current_spl) {
+ static constexpr auto&& OTA_OTA_METADATA = "META-INF/com/android/metadata.pb";
+ ZipEntry64 metadata_entry;
+ if (FindEntry(zip, OTA_OTA_METADATA, &metadata_entry) != 0) {
+ LOG(WARNING) << "Failed to find " << OTA_OTA_METADATA
+ << " treating this as non-spl-downgrade, permit OTA install. If device bricks "
+ "after installing, check kernel log to see if /data failed to decrypt";
+ return false;
+ }
+ const auto metadata_entry_length = metadata_entry.uncompressed_length;
+ if (metadata_entry_length > std::numeric_limits<size_t>::max()) {
+ LOG(ERROR) << "Failed to extract " << OTA_OTA_METADATA
+ << " because's uncompressed size exceeds size of address space. "
+ << metadata_entry_length;
+ return false;
+ }
+ std::vector<uint8_t> ota_metadata(metadata_entry_length);
+ int32_t err = ExtractToMemory(zip, &metadata_entry, ota_metadata.data(), metadata_entry_length);
+ if (err != 0) {
+ LOG(ERROR) << "Failed to extract " << OTA_OTA_METADATA << ": " << ErrorCodeString(err);
+ return false;
+ }
+ using build::tools::releasetools::OtaMetadata;
+ OtaMetadata metadata;
+ if (!metadata.ParseFromArray(ota_metadata.data(), ota_metadata.size())) {
+ LOG(ERROR) << "Failed to parse ota_medata";
+ return false;
+ }
+ return ViolatesSPLDowngrade(metadata, current_spl);
+}
diff --git a/install/spl_check_unittests.cpp b/install/spl_check_unittests.cpp
new file mode 100644
index 0000000..709b69c
--- /dev/null
+++ b/install/spl_check_unittests.cpp
@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <gtest/gtest.h>
+
+#include "install/spl_check.h"
+#include "ota_metadata.pb.h"
+
+using build::tools::releasetools::OtaMetadata;
+class SplCheckUnittest : public ::testing::Test {
+ public:
+ OtaMetadata metadata;
+};
+
+TEST_F(SplCheckUnittest, OlderSPL) {
+ metadata.set_spl_downgrade(false);
+ metadata.mutable_postcondition()->set_security_patch_level("2021-04-25");
+ ASSERT_TRUE(ViolatesSPLDowngrade(metadata, "2021-05-01"));
+}
+
+TEST_F(SplCheckUnittest, NewerSPL) {
+ metadata.set_spl_downgrade(false);
+ metadata.mutable_postcondition()->set_security_patch_level("2021-06-01");
+ ASSERT_FALSE(ViolatesSPLDowngrade(metadata, "2021-05-05"));
+}
+
+TEST_F(SplCheckUnittest, OlderSPLPermit) {
+ // If spl_downgrade is set to true, OTA should be permitted
+ metadata.set_spl_downgrade(true);
+ metadata.mutable_postcondition()->set_security_patch_level("2021-04-11");
+ ASSERT_FALSE(ViolatesSPLDowngrade(metadata, "2021-05-11"));
+}
\ No newline at end of file
diff --git a/install/verifier.cpp b/install/verifier.cpp
index ab75044..3f02601 100644
--- a/install/verifier.cpp
+++ b/install/verifier.cpp
@@ -321,8 +321,14 @@
std::vector<Certificate> result;
std::string_view name;
- ZipEntry entry;
+ ZipEntry64 entry;
while ((iter_status = Next(cookie, &entry, &name)) == 0) {
+ if (entry.uncompressed_length > std::numeric_limits<size_t>::max()) {
+ LOG(ERROR) << "Failed to extract " << name
+ << " because's uncompressed size exceeds size of address space. "
+ << entry.uncompressed_length;
+ return {};
+ }
std::vector<uint8_t> pem_content(entry.uncompressed_length);
if (int32_t extract_status =
ExtractToMemory(handle, &entry, pem_content.data(), pem_content.size());
diff --git a/install/wipe_data.cpp b/install/wipe_data.cpp
index b2da76b..845cc95 100755
--- a/install/wipe_data.cpp
+++ b/install/wipe_data.cpp
@@ -97,14 +97,19 @@
}
// ui->Print("\n-- Wiping cache...\n");
- bool success = EraseVolume("/cache", false);
- // ui->Print("Cache wipe %s.\n", success ? "complete" : "failed");
+ // ui->SetBackground(RecoveryUI::ERASING);
+ // ui->SetProgressType(RecoveryUI::INDETERMINATE);
+
+ bool success = EraseVolume("/cache", ui, false);
+ ui->Print("Cache wipe %s.\n", success ? "complete" : "failed");
return success;
}
bool WipeData(Device* device, bool convert_fbe) {
// RecoveryUI* ui = device->GetUI();
// ui->Print("\n-- Wiping data...\n");
+ // ui->SetBackground(RecoveryUI::ERASING);
+ // ui->SetProgressType(RecoveryUI::INDETERMINATE);
// if (!FinishPendingSnapshotMerges(device)) {
// ui->Print("Unable to check update status or complete merge, cannot wipe partitions.\n");
diff --git a/install/wipe_device.cpp b/install/wipe_device.cpp
index d1cf89f..7944c1c 100644
--- a/install/wipe_device.cpp
+++ b/install/wipe_device.cpp
@@ -49,9 +49,14 @@
constexpr char RECOVERY_WIPE_ENTRY_NAME[] = "recovery.wipe";
std::string partition_list_content;
- ZipEntry entry;
+ ZipEntry64 entry;
if (FindEntry(zip, RECOVERY_WIPE_ENTRY_NAME, &entry) == 0) {
- uint32_t length = entry.uncompressed_length;
+ auto length = entry.uncompressed_length;
+ if (length > std::numeric_limits<size_t>::max()) {
+ LOG(ERROR) << "Failed to extract " << RECOVERY_WIPE_ENTRY_NAME
+ << " because's uncompressed size exceeds size of address space. " << length;
+ return {};
+ }
partition_list_content = std::string(length, '\0');
if (auto err = ExtractToMemory(
zip, &entry, reinterpret_cast<uint8_t*>(partition_list_content.data()), length);