Merged from http://go/wvgerrit/165059
poc: http://go/ag/20978761
Fix race that corrupts mCryptoSessions std::map,
and race that occurs when CryptoSessions are used after free.
Test: poc
Test: atest MediaDrmParameterizedTests
Test: atest GtsMediaTestCases
Bug: 258189255
Change-Id: I298d3e0770ace9cd590dfaacaa4c52a0732c2fe3
Merged-In: I298d3e0770ace9cd590dfaacaa4c52a0732c2fe3
build
This is a merge of CL from widevine repo (obfuscated code only):
https://widevine-internal-review.googlesource.com/c/cdm/+/125003
Original commit message from the fix above:
"A fix in haystack which wipes out mmapped memory page before unmapping
it is made here: cl/370818768. This is to prevent potential key leaking
in L3. Obfuscated L3 is generated on top of the fix.
Additionally, new system IDs are created to track the L3 build with this
fix. These IDs are built into the updated L3 libraries in this CL also."
New L3 system IDs included in the obfuscated code:
ID Description
22565 - Android ARM 64 L3 Field Provisioning 2021
22566 - Android ARM L3 Field Provisioning 2021
22569 - Android x86 64 L3 Field Provisioning 2021
22570 - Android x86 L3 Field Provisioning 2021
Bug: 182584472
Test: L3 unit tests
Test: GTS tests
run gts --module GtsMediaTestCases
run gts --module GtsExoPlayerTestCases
run gts --module GtsYouTubeTestCases
Change-Id: Ice316de67fac0a5f9f4f2b64d86f51cf4ff2ad07
build
This is a merge of CL from widevine repo (obfuscated code only):
https://widevine-internal-review.googlesource.com/c/cdm/+/124885
The source code change that produced the obfucated code is also included
in the CL above but will not be merged to Android.
Original commit message from the fix above:
"This is a security improvement against an L3 exploit b/182584472.
The change is to store RSA private key in two parts instead of one,
and load it separately when the key is needed. This will make it
more difficult to find the entire RSA key.
This CL does the key loading part only. Key splitting is done
in Haystack in CL: cl/367515385"
New L3 system IDs included in the obfuscated code:
ID Description
22585 Android Q ARM L3 Field Provisioning 3.0
22586 Android Q ARM 64 L3 Field Provisioning 3.0
22587 Android Q x86 L3 Field Provisioning 3.0
22588 Android Q x86 64 L3 Field Provisioning 3.0
Bug: 182584472
Test: L3 unit tests
Test: GTS tests
run gts --module GtsMediaTestCases
run gts --module GtsExoPlayerTestCases
run gts --module GtsYouTubeTestCases
Change-Id: I834d3802690c2fda75cb3cfba186c41b6f5dc749
build
This is a merge of CL from widevine repo (obfuscated code only):
https://widevine-internal-review.googlesource.com/c/cdm/+/124623
The source code change that produced the obfucated code is also included
in the CL above but will not be merged to Android.
Original commit message from the fix above:
"This is a security improvement against an L3 exploit b/182584472.
The change is to store RSA private key in two parts instead of one,
and load it separately when the key is needed. This will make it
more difficult to find the entire RSA key.
This CL does the key loading part only. Key splitting is done
in Haystack in CL: cl/367515385"
New L3 system IDs included in the obfuscated code:
22589 Android R ARM L3 Field Provisioning 3.0
22590 Android R ARM 64 L3 Field Provisioning 3.0
22591 Android R x86 L3 Field Provisioning 3.0
22592 Android R x86 64 L3 Field Provisioning 3.0
Bug: 182584472
Test: L3 unit tests
Test: GTS tests
run gts --module GtsMediaTestCases
run gts --module GtsExoPlayerTestCases
run gts --module GtsYouTubeTestCases
Change-Id: Ie61f39f50a70ab75547d75f89d9e38264f598bc8
rvc-dev
Merge of [http://go/wvgerrit/123644]. Fix included:
http://go/wvgerrit/111603
Fix L3 block offset test and re-enable buffer overflow tests
http://go/wvgerrit/111784
Fix heap overflow test in L3 and OEMCrypto ref
Test: Ran L3 unit tests
Test:
gts-tradefed run gts --module GtsMediaTestCases
gts-tradefed run gts --module GtsExoPlayerTestCases
Bug: 182584472
Change-Id: I70bda559c4b5158c3461dcdfee72a8953f31a942
The shared memory buffer used by srcPtr can be freed by another
thread because it is not protected by a mutex. Subsequently,
a use after free AIGABRT can occur in a race condition.
SafetyNet logging is not added to avoid log spamming. The
mutex lock is called to setup for decryption, which is
called frequently.
The crash was reproduced on the device before the fix.
Verified the test passes after the fix.
Test: sts
sts-tradefed run sts-engbuild-no-spl-lock -m StsHostTestCases --test android.security.sts.Bug_176495665#testPocBug_176495665
Test: push to device with target_hwasan-userdebug build
adb shell /data/local/tmp/Bug-176495665_sts64
Bug: 176495665
Bug: 176444161
Change-Id: Ib54b4a86230300e7a3e4771ac091218f0024c323
This reverts commit 93dd56bae2.
Reason for revert: <missing thread_annotation header>
[RESTRICT AUTOMERGE] Fix WVCryptoPlugin use after free vulnerability.
The shared memory buffer used by srcPtr can be freed by another
thread because it is not protected by a mutex. Subsequently,
a use after free AIGABRT can occur in a race condition.
SafetyNet logging is not added to avoid log spamming. The
mutex lock is called to setup for decryption, which is
called frequently.
The crash was reproduced on the device before the fix.
Verified the test passes after the fix.
Test: sts
sts-tradefed run sts-engbuild-no-spl-lock -m StsHostTestCases --test android.security.sts.Bug_176495665#testPocBug_176495665
Test: push to device with target_hwasan-userdebug build
adb shell /data/local/tmp/Bug-176495665_sts64
Bug: 176495665
Bug: 176444161
Change-Id: Ieadd74a3cae024184b1a73ba8f3a640af74f1cf1
