From 2ffca13ae484c15087ddd14f69d3e593b51fc904 Mon Sep 17 00:00:00 2001
From: Charles He
Date: Thu, 24 Nov 2016 14:05:00 +0000
Subject: Prevent writing to FRP partition during factory reset. Avoid potential race condition between FRP wipe and write operations during factory reset by making the FRP partition unwritable after wipe.
Bug: 30352311
Test: manual CVE-2017-0498
Change-Id: If3f024a1611366c0677a996705724458094fcfad
(cherry picked from commit a629c772f4a7a5ddf7ff9f78fb19f7ab86c2a9c2)
(cherry picked from commit a9437bd1caeeb38780d920a81bde8cc7ca280fe0)
(cherry picked from commit 1c4d535d0806dbeb6d2fa5cea0373cbd9ab6d33b)
---
 .../android/server/PersistentDataBlockService.java | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)
(limited to 'services/core/java/com/android/server/PersistentDataBlockService.java')
diff --git a/services/core/java/com/android/server/PersistentDataBlockService.java b/services/core/java/com/android/server/PersistentDataBlockService.java
index 94316fe..32b183b 100644
--- a/services/core/java/com/android/server/PersistentDataBlockService.java
+++ b/services/core/java/com/android/server/PersistentDataBlockService.java
@@ -50,15 +50,14 @@ import java.util.Arrays;
 * This data will live across factory resets not initiated via the Settings UI.
 * When a device is factory reset through Settings this data is wiped.
 *
- * Allows writing one block at a time. Namely, each time
- * {@link android.service.persistentdata.IPersistentDataBlockService}.write(byte[] data)
- * is called, it will overwite the data that was previously written on the block.
+ * Allows writing one block at a time. Namely, each time {@link IPersistentDataBlockService#write}
+ * is called, it will overwrite the data that was previously written on the block.
 *
 * Clients can query the size of the currently written block via
- * {@link android.service.persistentdata.IPersistentDataBlockService}.getTotalDataSize().
+ * {@link IPersistentDataBlockService#getDataBlockSize}
 *
- * Clients can any number of bytes from the currently written block up to its total size by invoking
- * {@link android.service.persistentdata.IPersistentDataBlockService}.read(byte[] data)
+ * Clients can read any number of bytes from the currently written block up to its total size by
+ * invoking {@link IPersistentDataBlockService#read}
 */
 public class PersistentDataBlockService extends SystemService {
 private static final String TAG = PersistentDataBlockService.class.getSimpleName();
@@ -78,6 +77,7 @@ public class PersistentDataBlockService extends SystemService {
 private int mAllowedUid = -1;
 private long mBlockDeviceSize;
+ private boolean mIsWritable = true;
 public PersistentDataBlockService(Context context) {
 super(context);
@@ -349,6 +349,11 @@ public class PersistentDataBlockService extends SystemService {
 headerAndData.put(data);
 synchronized (mLock) {
+ if (!mIsWritable) {
+ IoUtils.closeQuietly(outputStream);
+ return -1;
+ }
+
 try {
 byte[] checksum = new byte[DIGEST_SIZE_BYTES];
 outputStream.write(checksum, 0, DIGEST_SIZE_BYTES);
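Review bot: The new field `mIsWritable` in the `-78,6 +77,7` hunk has no comment saying which lock protects it or how long the state lasts. The read added in `write()` sits inside `synchronized (mLock)`; the assignment in the wipe path is presumably under the same lock, but that block opens outside the hunks shown, so it should be confirmed. I would add `// Guarded by mLock. Cleared after a successful wipe; in-memory only, so it is true again after the service restarts.` above the declaration. The class body continues outside the hunk.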
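Review bot: The refusal branch added to `write()` in the `-349,6 +349,11` hunk returns -1 without logging, so a write rejected after the wipe leaves no trace for anyone diagnosing or auditing a factory reset. A line such as `Slog.w(TAG, "write refused: partition wiped and no longer writable");` before the `return -1;` would make it visible. This is also the only place in the visible hunks that checks the flag. Any other method of the class that writes to the block device lies outside the diff and would need the same guard for the protection to hold. The body of `write()` starts and ends outside the hunk.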
@@ -423,6 +428,9 @@ public class PersistentDataBlockService extends SystemService {
 if (ret < 0) {
 Slog.e(TAG, "failed to wipe persistent partition");
+ } else {
+ mIsWritable = false;
+ Slog.i(TAG, "persistent partition now wiped and unwritable");
 }
 }
 }
-- cgit v1.1
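Review bot: `mIsWritable` is cleared only in the new `else` branch, so when the wipe fails (`ret < 0`) the partition stays writable and the only signal is the `Slog.e` line. If that is deliberate, it deserves a comment on the failure branch, for example `// Wipe failed: partition contents are unchanged, so writes stay enabled.` If it is not, the flag could be cleared before the native wipe call so that no later write can land on a block whose wipe did not complete. The enclosing method and the block these closing braces belong to start outside the hunk.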