Gitiles
Code Review Sign In
gerrit.twrp.me / android_bootable_recovery / f69e6a9475983b2ad46729e44ab58d2b22cd74d0
commitf69e6a9475983b2ad46729e44ab58d2b22cd74d0[log] [tgz]
authorTianjie Xu <xunchang@google.com>Fri Dec 16 14:27:55 2016 -0800
committerTianjie Xu <xunchang@google.com>Fri Dec 16 16:01:42 2016 -0800
treee67d6d8b861198b42f3e46c71702630b6116042b
parentcc1ecf792f53fa6e9a7189506542bd428aa31a41 [diff]
Add a checker for signature boundary in verifier

The 'signature_start' variable marks the location of the signature
from the end of a zip archive. And a boundary check is missing where
'signature_start' should be within the EOCD comment field. This causes
problems when sideloading a malicious package. Also add a corresponding
test.

Bug: 31914369
Test: Verification fails correctly when sideloading recovery_test.zip on
angler.

Change-Id: I6ea96bf04dac5d8d4d6719e678d504f957b4d5c1
3 files changed
tree: e67d6d8b861198b42f3e46c71702630b6116042b
  1. applypatch/
  2. bootloader_message/
  3. edify/
  4. etc/
  5. fonts/
  6. minadbd/
  7. minui/
  8. otafault/
  9. otautil/
  10. res-hdpi/
  11. res-mdpi/
  12. res-xhdpi/
  13. res-xxhdpi/
  14. res-xxxhdpi/
  15. tests/
  16. tools/
  17. uncrypt/
  18. update_verifier/
  19. updater/
  20. res-560dpires-xxxhdpi
  21. .clang-format
  22. adb_install.cpp
  23. adb_install.h
  24. Android.mk
  25. asn1_decoder.cpp
  26. asn1_decoder.h
  27. bootloader.h
  28. CleanSpec.mk
  29. common.h
  30. default_device.cpp
  31. device.cpp
  32. device.h
  33. error_code.h
  34. fuse_sdcard_provider.cpp
  35. fuse_sdcard_provider.h
  36. fuse_sideload.cpp
  37. fuse_sideload.h
  38. install.cpp
  39. install.h
  40. interlace-frames.py
  41. mounts.cpp
  42. mounts.h
  43. NOTICE
  44. print_sha1.h
  45. README.md
  46. recovery-persist.cpp
  47. recovery-persist.rc
  48. recovery-refresh.cpp
  49. recovery-refresh.rc
  50. recovery.cpp
  51. roots.cpp
  52. roots.h
  53. rotate_logs.cpp
  54. rotate_logs.h
  55. screen_ui.cpp
  56. screen_ui.h
  57. stub_ui.h
  58. ui.cpp
  59. ui.h
  60. verifier.cpp
  61. verifier.h
  62. wear_touch.cpp
  63. wear_touch.h
  64. wear_ui.cpp
  65. wear_ui.h
README.md

The Recovery Image

Quick turn-around testing

mm -j && m ramdisk-nodeps && m recoveryimage-nodeps

# To boot into the new recovery image
# without flashing the recovery partition:
adb reboot bootloader
fastboot boot $ANDROID_PRODUCT_OUT/recovery.img

Running the tests

# After setting up environment and lunch.
mmma -j bootable/recovery

# Running the tests on device.
adb root
adb sync data

# 32-bit device
adb shell /data/nativetest/recovery_unit_test/recovery_unit_test
adb shell /data/nativetest/recovery_component_test/recovery_component_test

# Or 64-bit device
adb shell /data/nativetest64/recovery_unit_test/recovery_unit_test
adb shell /data/nativetest64/recovery_component_test/recovery_component_test

Running the manual tests

recovery-refresh and recovery-persist executables exist only on systems without /cache partition. And we need to follow special steps to run tests for them.

  • Execute the test on an A/B device first. The test should fail but it will log some contents to pmsg.

  • Reboot the device immediately and run the test again. The test should save the contents of pmsg buffer into /data/misc/recovery/inject.txt. Test will pass if this file has expected contents.