Merge tag 'android-12.0.0_r7' into android-11

Android 12.0.0 release 7

Change-Id: Idbc61c74c1f983c7e8c7c9269059997eefefdc4d
diff --git a/install/Android.bp b/install/Android.bp
index aa14475..ef18116 100644
--- a/install/Android.bp
+++ b/install/Android.bp
@@ -12,11 +12,21 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
+package {
+    // See: http://go/android-license-faq
+    // A large-scale-change added 'default_applicable_licenses' to import
+    // all of the 'license_kinds' from "bootable_recovery_license"
+    // to get the below license kinds:
+    //   SPDX-license-identifier-Apache-2.0
+    default_applicable_licenses: ["bootable_recovery_license"],
+}
+
 cc_defaults {
     name: "libinstall_defaults",
 
     defaults: [
         "recovery_defaults",
+        "libspl_check_defaults",
     ],
 
     cflags: [
@@ -44,12 +54,51 @@
         "librecovery_utils",
         "libotautil",
         "libsnapshot_nobinder",
+        "ota_metadata_proto_cc",
 
         // external dependencies
         "libvintf",
     ],
 }
 
+cc_test_host {
+    name: "libinstall_host_unittests",
+    defaults: [
+        "libspl_check_defaults"
+    ],
+    srcs: [
+        "spl_check_unittests.cpp",
+    ],
+    static_libs: [
+        "libspl_check",
+    ],
+}
+
+cc_defaults {
+    name: "libspl_check_defaults",
+    static_libs: [
+        "libbase",
+        "ota_metadata_proto_cc",
+        "liblog",
+        "libziparchive",
+        "libz",
+        "libprotobuf-cpp-lite",
+    ],
+}
+
+cc_library_static {
+    name: "libspl_check",
+    recovery_available: true,
+    host_supported: true,
+    defaults: [
+        "libspl_check_defaults",
+    ],
+    srcs: ["spl_check.cpp"],
+    export_include_dirs: [
+        "include",
+    ],
+}
+
 cc_library_static {
     name: "libinstall",
     recovery_available: true,
@@ -68,6 +117,7 @@
         "verifier.cpp",
         "wipe_data.cpp",
         "wipe_device.cpp",
+        "spl_check.cpp",
     ],
 
     header_libs: [
diff --git a/install/include/install/spl_check.h b/install/include/install/spl_check.h
new file mode 100644
index 0000000..e0bfc62
--- /dev/null
+++ b/install/include/install/spl_check.h
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <string_view>
+
+#include <android-base/logging.h>
+#include <ota_metadata.pb.h>
+#include <ziparchive/zip_archive.h>
+
+bool ViolatesSPLDowngrade(const build::tools::releasetools::OtaMetadata& metadata,
+                          std::string_view current_spl);
+
+bool ViolatesSPLDowngrade(ZipArchiveHandle zip, std::string_view current_spl);
diff --git a/install/install.cpp b/install/install.cpp
index 80c4bdf..c1f14cf 100755
--- a/install/install.cpp
+++ b/install/install.cpp
@@ -47,6 +47,7 @@
 #include <android-base/unique_fd.h>
 
 #include "install/package.h"
+#include "install/spl_check.h"
 #include "install/verifier.h"
 #include "install/wipe_data.h"
 #include "otautil/error_code.h"
@@ -67,14 +68,17 @@
 // Default allocation of progress bar segments to operations
 // static constexpr int VERIFICATION_PROGRESS_TIME = 60;
 // static constexpr float VERIFICATION_PROGRESS_FRACTION = 0.25;
-
+// The charater used to separate dynamic fingerprints. e.x. sargo|aosp-sargo
+static const char* FINGERPRING_SEPARATOR = "|";
 static std::condition_variable finish_log_temperature;
+static bool isInStringList(const std::string& target_token, const std::string& str_list,
+                           const std::string& deliminator);
 
 bool ReadMetadataFromPackage(ZipArchiveHandle zip, std::map<std::string, std::string>* metadata) {
   CHECK(metadata != nullptr);
 
   static constexpr const char* METADATA_PATH = "META-INF/com/android/metadata";
-  ZipEntry entry;
+  ZipEntry64 entry;
   if (FindEntry(zip, METADATA_PATH, &entry) != 0) {
     LOG(ERROR) << "Failed to find " << METADATA_PATH;
     return false;
@@ -151,7 +155,8 @@
 
   auto device_fingerprint = android::base::GetProperty("ro.build.fingerprint", "");
   auto pkg_pre_build_fingerprint = get_value(metadata, "pre-build");
-  if (!pkg_pre_build_fingerprint.empty() && pkg_pre_build_fingerprint != device_fingerprint) {
+  if (!pkg_pre_build_fingerprint.empty() &&
+      !isInStringList(device_fingerprint, pkg_pre_build_fingerprint, FINGERPRING_SEPARATOR)) {
     LOG(ERROR) << "Package is for source build " << pkg_pre_build_fingerprint << " but expected "
                << device_fingerprint;
     return false;
@@ -199,7 +204,8 @@
 
   auto device = android::base::GetProperty("ro.product.device", "");
   auto pkg_device = get_value(metadata, "pre-device");
-  if (pkg_device != device || pkg_device.empty()) {
+  // device name can be a | separated list, so need to check
+  if (pkg_device.empty() || !isInStringList(device, pkg_device, FINGERPRING_SEPARATOR)) {
     LOG(ERROR) << "Package is for product " << pkg_device << " but expected " << device;
     return false;
   }
@@ -236,12 +242,18 @@
   // For A/B updates we extract the payload properties to a buffer and obtain the RAW payload offset
   // in the zip file.
   static constexpr const char* AB_OTA_PAYLOAD_PROPERTIES = "payload_properties.txt";
-  ZipEntry properties_entry;
+  ZipEntry64 properties_entry;
   if (FindEntry(zip, AB_OTA_PAYLOAD_PROPERTIES, &properties_entry) != 0) {
     LOG(ERROR) << "Failed to find " << AB_OTA_PAYLOAD_PROPERTIES;
     return false;
   }
-  uint32_t properties_entry_length = properties_entry.uncompressed_length;
+  auto properties_entry_length = properties_entry.uncompressed_length;
+  if (properties_entry_length > std::numeric_limits<size_t>::max()) {
+    LOG(ERROR) << "Failed to extract " << AB_OTA_PAYLOAD_PROPERTIES
+               << " because's uncompressed size exceeds size of address space. "
+               << properties_entry_length;
+    return false;
+  }
   std::vector<uint8_t> payload_properties(properties_entry_length);
   int32_t err =
       ExtractToMemory(zip, &properties_entry, payload_properties.data(), properties_entry_length);
@@ -251,7 +263,7 @@
   }
 
   static constexpr const char* AB_OTA_PAYLOAD = "payload.bin";
-  ZipEntry payload_entry;
+  ZipEntry64 payload_entry;
   if (FindEntry(zip, AB_OTA_PAYLOAD, &payload_entry) != 0) {
     LOG(ERROR) << "Failed to find " << AB_OTA_PAYLOAD;
     return false;
@@ -273,7 +285,7 @@
 
   // In non-A/B updates we extract the update binary from the package.
   static constexpr const char* UPDATE_BINARY_NAME = "META-INF/com/google/android/update-binary";
-  ZipEntry binary_entry;
+  ZipEntry64 binary_entry;
   if (FindEntry(zip, UPDATE_BINARY_NAME, &binary_entry) != 0) {
     LOG(ERROR) << "Failed to find update binary " << UPDATE_BINARY_NAME;
     return false;
@@ -337,6 +349,12 @@
       android::base::GetBoolProperty("ro.virtual_ab.allow_non_ab", false);
   bool device_only_supports_ab = device_supports_ab && !ab_device_supports_nonab;
 
+  const auto current_spl = android::base::GetProperty("ro.build.version.security_patch", "");
+  if (ViolatesSPLDowngrade(zip, current_spl)) {
+    LOG(ERROR) << "Denying OTA because it's SPL downgrade";
+    return INSTALL_ERROR;
+  }
+
   if (package_is_ab) {
     CHECK(package->GetType() == PackageType::kFile);
   }
@@ -699,3 +717,18 @@
   }
   return true;
 }
+
+// Check if `target_token` is in string `str_list`, where `str_list` is expected to be a
+// list delimited by `deliminator`
+// E.X. isInStringList("a", "a|b|c|d", "|") => true
+// E.X. isInStringList("abc", "abc", "|") => true
+static bool isInStringList(const std::string& target_token, const std::string& str_list,
+                           const std::string& deliminator) {
+  if (target_token.length() > str_list.length()) {
+    return false;
+  } else if (target_token.length() == str_list.length() || deliminator.length() == 0) {
+    return target_token == str_list;
+  }
+  auto&& list = android::base::Split(str_list, deliminator);
+  return std::find(list.begin(), list.end(), target_token) != list.end();
+}
diff --git a/install/snapshot_utils.cpp b/install/snapshot_utils.cpp
index 7235e67..336e50f 100644
--- a/install/snapshot_utils.cpp
+++ b/install/snapshot_utils.cpp
@@ -32,7 +32,7 @@
   }
 
   RecoveryUI* ui = device->GetUI();
-  auto sm = SnapshotManager::NewForFirstStageMount();
+  auto sm = SnapshotManager::New();
   if (!sm) {
     ui->Print("Could not create SnapshotManager.\n");
     return false;
@@ -57,7 +57,7 @@
     return true;
   }
 
-  auto sm = SnapshotManager::NewForFirstStageMount();
+  auto sm = SnapshotManager::New();
   if (!sm) {
     // SnapshotManager could not be created. The device is still in a
     // consistent state and can continue with the mounting of the existing
diff --git a/install/spl_check.cpp b/install/spl_check.cpp
new file mode 100644
index 0000000..c26ab82
--- /dev/null
+++ b/install/spl_check.cpp
@@ -0,0 +1,78 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "install/spl_check.h"
+
+bool ViolatesSPLDowngrade(const build::tools::releasetools::OtaMetadata& metadata,
+                          std::string_view current_spl) {
+  const auto& post_spl = metadata.postcondition().security_patch_level();
+  if (current_spl.empty()) {
+    LOG(WARNING) << "Failed to get device's current security patch level. Target SPL is "
+                 << post_spl << " permitting OTA install";
+    return false;
+  }
+  // SPL(security patch level) is expected to be in format yyyy-mm-dd, e.g.  2018-05-29. Given this
+  // specific format, comparing two SPL can be done by just regular string comparison. If the format
+  // must lay out year/month/date in the exact order, and must properly prepend dates with 0(for
+  // example, 05 for May). Otherwise this comparison doesn't work. We don't expect SPL date formats
+  // to change, leave this as is.
+  if (post_spl < current_spl) {
+    LOG(ERROR) << "Current SPL: " << current_spl << " Target SPL: " << post_spl
+               << " this is considered a downgrade";
+    if (metadata.spl_downgrade() || metadata.downgrade()) {
+      LOG(WARNING)
+          << "SPL downgrade detected, but OTA package explicitly permitts this(OtaMetadata has "
+             "spl_downgrade / downgrade bit set).Permitting update anyway.Installing a SPL "
+             "downgrade OTA can cause /data fail to decrypt and device fails to boot.";
+      return false;
+    }
+    return true;
+  } else {
+    LOG(INFO) << "old spl: " << current_spl << " new spl: " << post_spl << " CHECK passes";
+  }
+  return false;
+}
+
+bool ViolatesSPLDowngrade(ZipArchiveHandle zip, std::string_view current_spl) {
+  static constexpr auto&& OTA_OTA_METADATA = "META-INF/com/android/metadata.pb";
+  ZipEntry64 metadata_entry;
+  if (FindEntry(zip, OTA_OTA_METADATA, &metadata_entry) != 0) {
+    LOG(WARNING) << "Failed to find " << OTA_OTA_METADATA
+                 << " treating this as non-spl-downgrade, permit OTA install. If device bricks "
+                    "after installing, check kernel log to see if /data failed to decrypt";
+    return false;
+  }
+  const auto metadata_entry_length = metadata_entry.uncompressed_length;
+  if (metadata_entry_length > std::numeric_limits<size_t>::max()) {
+    LOG(ERROR) << "Failed to extract " << OTA_OTA_METADATA
+               << " because's uncompressed size exceeds size of address space. "
+               << metadata_entry_length;
+    return false;
+  }
+  std::vector<uint8_t> ota_metadata(metadata_entry_length);
+  int32_t err = ExtractToMemory(zip, &metadata_entry, ota_metadata.data(), metadata_entry_length);
+  if (err != 0) {
+    LOG(ERROR) << "Failed to extract " << OTA_OTA_METADATA << ": " << ErrorCodeString(err);
+    return false;
+  }
+  using build::tools::releasetools::OtaMetadata;
+  OtaMetadata metadata;
+  if (!metadata.ParseFromArray(ota_metadata.data(), ota_metadata.size())) {
+    LOG(ERROR) << "Failed to parse ota_medata";
+    return false;
+  }
+  return ViolatesSPLDowngrade(metadata, current_spl);
+}
diff --git a/install/spl_check_unittests.cpp b/install/spl_check_unittests.cpp
new file mode 100644
index 0000000..709b69c
--- /dev/null
+++ b/install/spl_check_unittests.cpp
@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <gtest/gtest.h>
+
+#include "install/spl_check.h"
+#include "ota_metadata.pb.h"
+
+using build::tools::releasetools::OtaMetadata;
+class SplCheckUnittest : public ::testing::Test {
+ public:
+  OtaMetadata metadata;
+};
+
+TEST_F(SplCheckUnittest, OlderSPL) {
+  metadata.set_spl_downgrade(false);
+  metadata.mutable_postcondition()->set_security_patch_level("2021-04-25");
+  ASSERT_TRUE(ViolatesSPLDowngrade(metadata, "2021-05-01"));
+}
+
+TEST_F(SplCheckUnittest, NewerSPL) {
+  metadata.set_spl_downgrade(false);
+  metadata.mutable_postcondition()->set_security_patch_level("2021-06-01");
+  ASSERT_FALSE(ViolatesSPLDowngrade(metadata, "2021-05-05"));
+}
+
+TEST_F(SplCheckUnittest, OlderSPLPermit) {
+  // If spl_downgrade is set to true, OTA should be permitted
+  metadata.set_spl_downgrade(true);
+  metadata.mutable_postcondition()->set_security_patch_level("2021-04-11");
+  ASSERT_FALSE(ViolatesSPLDowngrade(metadata, "2021-05-11"));
+}
\ No newline at end of file
diff --git a/install/verifier.cpp b/install/verifier.cpp
index ab75044..3f02601 100644
--- a/install/verifier.cpp
+++ b/install/verifier.cpp
@@ -321,8 +321,14 @@
   std::vector<Certificate> result;
 
   std::string_view name;
-  ZipEntry entry;
+  ZipEntry64 entry;
   while ((iter_status = Next(cookie, &entry, &name)) == 0) {
+    if (entry.uncompressed_length > std::numeric_limits<size_t>::max()) {
+      LOG(ERROR) << "Failed to extract " << name
+                 << " because's uncompressed size exceeds size of address space. "
+                 << entry.uncompressed_length;
+      return {};
+    }
     std::vector<uint8_t> pem_content(entry.uncompressed_length);
     if (int32_t extract_status =
             ExtractToMemory(handle, &entry, pem_content.data(), pem_content.size());
diff --git a/install/wipe_data.cpp b/install/wipe_data.cpp
index b2da76b..845cc95 100755
--- a/install/wipe_data.cpp
+++ b/install/wipe_data.cpp
@@ -97,14 +97,19 @@
   }
 
   // ui->Print("\n-- Wiping cache...\n");
-  bool success = EraseVolume("/cache", false);
-  // ui->Print("Cache wipe %s.\n", success ? "complete" : "failed");
+  // ui->SetBackground(RecoveryUI::ERASING);
+  // ui->SetProgressType(RecoveryUI::INDETERMINATE);
+
+  bool success = EraseVolume("/cache", ui, false);
+  ui->Print("Cache wipe %s.\n", success ? "complete" : "failed");
   return success;
 }
 
 bool WipeData(Device* device, bool convert_fbe) {
   // RecoveryUI* ui = device->GetUI();
   // ui->Print("\n-- Wiping data...\n");
+  // ui->SetBackground(RecoveryUI::ERASING);
+  // ui->SetProgressType(RecoveryUI::INDETERMINATE);
 
   // if (!FinishPendingSnapshotMerges(device)) {
   //   ui->Print("Unable to check update status or complete merge, cannot wipe partitions.\n");
diff --git a/install/wipe_device.cpp b/install/wipe_device.cpp
index d1cf89f..7944c1c 100644
--- a/install/wipe_device.cpp
+++ b/install/wipe_device.cpp
@@ -49,9 +49,14 @@
   constexpr char RECOVERY_WIPE_ENTRY_NAME[] = "recovery.wipe";
 
   std::string partition_list_content;
-  ZipEntry entry;
+  ZipEntry64 entry;
   if (FindEntry(zip, RECOVERY_WIPE_ENTRY_NAME, &entry) == 0) {
-    uint32_t length = entry.uncompressed_length;
+    auto length = entry.uncompressed_length;
+    if (length > std::numeric_limits<size_t>::max()) {
+      LOG(ERROR) << "Failed to extract " << RECOVERY_WIPE_ENTRY_NAME
+                 << " because's uncompressed size exceeds size of address space. " << length;
+      return {};
+    }
     partition_list_content = std::string(length, '\0');
     if (auto err = ExtractToMemory(
             zip, &entry, reinterpret_cast<uint8_t*>(partition_list_content.data()), length);