build
This is a merge of CL from widevine repo (obfuscated code only):
https://widevine-internal-review.googlesource.com/c/cdm/+/124623
The source code change that produced the obfucated code is also included
in the CL above but will not be merged to Android.
Original commit message from the fix above:
"This is a security improvement against an L3 exploit b/182584472.
The change is to store RSA private key in two parts instead of one,
and load it separately when the key is needed. This will make it
more difficult to find the entire RSA key.
This CL does the key loading part only. Key splitting is done
in Haystack in CL: cl/367515385"
New L3 system IDs included in the obfuscated code:
22589 Android R ARM L3 Field Provisioning 3.0
22590 Android R ARM 64 L3 Field Provisioning 3.0
22591 Android R x86 L3 Field Provisioning 3.0
22592 Android R x86 64 L3 Field Provisioning 3.0
Bug: 182584472
Test: L3 unit tests
Test: GTS tests
run gts --module GtsMediaTestCases
run gts --module GtsExoPlayerTestCases
run gts --module GtsYouTubeTestCases
Change-Id: Ie61f39f50a70ab75547d75f89d9e38264f598bc8
build
This is a merge of CL from widevine repo (obfuscated code only):
https://widevine-internal-review.googlesource.com/c/cdm/+/124886
The source code change that produced the obfucated code is also included
in the CL above but will not be merged to Android.
Original commit message from the fix above:
"This is a security improvement against an L3 exploit b/182584472.
The change is to store RSA private key in two parts instead of one,
and load it separately when the key is needed. This will make it
more difficult to find the entire RSA key.
This CL does the key loading part only. Key splitting is done
in Haystack in CL: cl/367515385"
New L3 system IDs included in the obfuscated code:
22589 Android R ARM L3 Field Provisioning 3.0
22590 Android R ARM 64 L3 Field Provisioning 3.0
22591 Android R x86 L3 Field Provisioning 3.0
22592 Android R x86 64 L3 Field Provisioning 3.0
Bug: 182584472
Test: L3 unit tests
Test: GTS tests
run gts --module GtsMediaTestCases
run gts --module GtsExoPlayerTestCases
run gts --module GtsYouTubeTestCases
Change-Id: Ide6962fcaf902bcf31431f9067a89ad75087add6
rvc-dev
Merge of [http://go/wvgerrit/123644]. Fix included:
http://go/wvgerrit/111603
Fix L3 block offset test and re-enable buffer overflow tests
http://go/wvgerrit/111784
Fix heap overflow test in L3 and OEMCrypto ref
Test: Ran L3 unit tests
Test:
gts-tradefed run gts --module GtsMediaTestCases
gts-tradefed run gts --module GtsExoPlayerTestCases
Bug: 182584472
Change-Id: I70bda559c4b5158c3461dcdfee72a8953f31a942
The shared memory buffer used by srcPtr can be freed by another
thread because it is not protected by a mutex. Subsequently,
a use after free AIGABRT can occur in a race condition.
SafetyNet logging is not added to avoid log spamming. The
mutex lock is called to setup for decryption, which is
called frequently.
The crash was reproduced on the device before the fix.
Verified the test passes after the fix.
Test: sts
sts-tradefed run sts-engbuild-no-spl-lock -m StsHostTestCases --test android.security.sts.Bug_176495665#testPocBug_176495665
Test: push to device with target_hwasan-userdebug build
adb shell /data/local/tmp/Bug-176495665_sts64
Bug: 176495665
Bug: 176444161
Change-Id: Ie1aca0ceacb4b7a1b6e473b823541607a36d8cb4
Merged-In: If62b73a9c636048f942a2fc63a13b5bfd1e57b86
The shared memory buffer used by srcPtr can be freed by another
thread because it is not protected by a mutex. Subsequently,
a use after free AIGABRT can occur in a race condition.
SafetyNet logging is not added to avoid log spamming. The
mutex lock is called to setup for decryption, which is
called frequently.
The crash was reproduced on the device before the fix.
Verified the test passes after the fix.
Test: sts
sts-tradefed run sts-engbuild-no-spl-lock -m StsHostTestCases --test android.security.sts.Bug_176495665#testPocBug_176495665
Test: push to device with target_hwasan-userdebug build
adb shell /data/local/tmp/Bug-176495665_sts64
Bug: 176495665
Bug: 176444161
Change-Id: Ie1aca0ceacb4b7a1b6e473b823541607a36d8cb4
There is a potential integer overflow to bypass the
destination base size check in decrypt. The destPtr
can then point to the outside of the destination buffer.
Test: sts-tradefed
sts-tradefed run sts-engbuild-no-spl-lock -m StsHostTestCases --test android.security.sts.Bug_176444622#testPocBug_176444622
Test: push to device with target_hwasan-userdebug build
adb shell /data/local/tmp/Bug-17644462264
Bug: 176444622
Bug: 176496353
Change-Id: Id3aece61d46d548c304782d4e1dc3a4747795c01
Merged-In: Id3aece61d46d548c304782d4e1dc3a4747795c01
There is a potential integer overflow to bypass the
destination base size check in decrypt. The destPtr
can then point to the outside of the destination buffer.
Test: sts-tradefed
sts-tradefed run sts-engbuild-no-spl-lock -m StsHostTestCases --test android.security.sts.Bug_176444622#testPocBug_176444622
Test: push to device with target_hwasan-userdebug build
adb shell /data/local/tmp/Bug-17644462264
Bug: 176444622
Bug: 176496353
Change-Id: Id3aece61d46d548c304782d4e1dc3a4747795c01
Merged-In: Id3aece61d46d548c304782d4e1dc3a4747795c01
Merged from http://go/wvgerrit/114903
There is a potential integer overflow to bypass the
source base size check in decrypt. The source pointer
can then point to the outside of the source buffer,
which could potentially leak arbitrary memory content
to destination pointer.
Test: sts-tradefed
sts-tradefed run sts-engbuild-no-spl-lock -m StsHostTestCases --test android.security.sts.Bug_176496160#testPocBug_176496160
Test: push to device with target_hwasan-userdebug build
adb shell /data/local/tmp/Bug-17649616064
Bug: 176496160
Bug: 176444786
Change-Id: I0a15d86a87fbf590f39ddf2ce218c83eacb0174e
Merged from http://go/wvgerrit/114903
There is a potential integer overflow to bypass the
source base size check in decrypt. The source pointer
can then point to the outside of the source buffer,
which could potentially leak arbitrary memory content
to destination pointer.
Test: sts-tradefed
sts-tradefed run sts-engbuild-no-spl-lock -m StsHostTestCases --test android.security.sts.Bug_176496160#testPocBug_176496160
Test: push to device with target_hwasan-userdebug build
adb shell /data/local/tmp/Bug-17649616064
Bug: 176496160
Bug: 176444786
Change-Id: I208e0d5d949e8ef003fcf7d6f129eab66b9b3656
Merged from http://go/wvgerrit/114903
There is a potential integer overflow to bypass the
source base size check in decrypt. The source pointer
can then point to the outside of the source buffer,
which could potentially leak arbitrary memory content
to destination pointer.
Test: sts-tradefed
sts-tradefed run sts-engbuild-no-spl-lock -m StsHostTestCases --test android.security.sts.Bug_176496160#testPocBug_176496160
Test: push to device with target_hwasan-userdebug build
adb shell /data/local/tmp/Bug-17649616064
Bug: 176496160
Bug: 176444786
Change-Id: I208e0d5d949e8ef003fcf7d6f129eab66b9b3656
[ Merge of http://go/wvgerrit/110603 and http://go/ag/13139808 ]
Qualcomm SoC may report 10085 (RSASSA-PSS signature error) when
OEMCrypto_PrepareAndSignLicenseRequest is called. The app needs to
reprovision (or the user needs to factory reset their device) in order
to recover.
If the 10085 error is returned, the app currently will get a
MediaDrmStateException. The app has no way to be able to tell
whether this is due to the 10085 error or some other error.
This change returns a NEED_PROVISIONING error at the CDM level, which
will result in the app receiving a NotProvisionedException when
MediaDrm.getKeyRequest is called.
Bug: 174375589
Test: GtsMediaTestCases, WV unit/integration tests
Change-Id: I4f2884c8a5fd88ab2e9bfbc0731a20e58cec0f36
[ Merge of http://go/wvgerrit/106325 and http://go/ag/12644840 ]
When offline licenses are restored, licenses and any renewals are processed.
License state evaluation occurs and notifications are sent to listeners.
If the license is expired, which is likely if a renewal is present,
the license state will transition to expired. Transitions out of
expired state are not allowed and the renewal has no effect.
If we work around this by allowing transitions out of expired state,
listeners will get notifications that keys have expired and then that are
usable soon after. To avoid delivering erroneous notifications we delay
evaluation of license state while the license and renewal are being processed.
Evaluation occurs at the last stage of license restoration when playback
information from the usage table is being restored.
This only need to occur for when licenses are being restored. In other
cases when a license or renewal is received, license state evaluation
and event listener notification needs to occur immediately.
Bug: 166131956
Test: WV unit/integration tests, GtsMediaTestCases tests
Change-Id: Ic8ade25316c5e20cc88de9225c43c24b28f21ac4
Merge from Widevine repo of http://go/wvgerrit/105347
When reloading an offline license that has an offline renewal, we sign
a unused renewal so that the ODK library can update its clock values.
Test: WV unit/integration tests, GtsMediaTestCases tests
Bug: 166131956
Change-Id: Ib1445fd85222489f21221e00729d4989cb49a331
