Fix for potential oob write and missing boundary check am: 3aa73c4667 am: fcb341cd5e am: a44276bbf9 am: d33c74f211

Original change: https://android-review.googlesource.com/c/platform/hardware/nxp/secure_element/+/2628735

Change-Id: I90841b185df36cf4c8469a5512d59ae17a03b8c2
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
diff --git a/pn8x/1.0/SecureElement.cpp b/pn8x/1.0/SecureElement.cpp
index 039d872..b2159a6 100644
--- a/pn8x/1.0/SecureElement.cpp
+++ b/pn8x/1.0/SecureElement.cpp
@@ -1,6 +1,6 @@
 /******************************************************************************
  *
- *  Copyright 2018 NXP
+ *  Copyright 2018,2023 NXP
  *
  *  Licensed under the Apache License, Version 2.0 (the "License");
  *  you may not use this file except in compliance with the License.
@@ -125,6 +125,11 @@
   LogicalChannelResponse resApduBuff;
   resApduBuff.channelNumber = 0xff;
   memset(&resApduBuff, 0x00, sizeof(resApduBuff));
+  if (aid.size() > MAX_AID_LENGTH) {
+    ALOGE("%s: AID out of range!!!", __func__);
+    _hidl_cb(resApduBuff, SecureElementStatus::FAILED);
+    return Void();
+  }
 
   if (!isSeInitialized()) {
     ESESTATUS status = seHalInit();
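Review bot: The new rejected-AID path returns `resApduBuff` exactly as the preceding memset left it, so the `channelNumber = 0xff` written one line earlier is dead and a FAILED reply carries channel 0; if 0xff is meant as the "no channel" marker on failure, that assignment belongs after the memset rather than before it. The start of openLogicalChannel and the copy this bound protects are outside the hunk, so the limit reads as a magic value here; a short comment such as `// ISO/IEC 7816-4 caps an AID at 16 bytes; reject oversize input before it is used` above the check would say why it exists. The same pattern is repeated in the openLogicalChannel hunks of pn8x/1.1, snxxx/1.0, snxxx/1.1, snxxx/1.2 and snxxx/aidl.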
@@ -254,6 +259,11 @@
                                              uint8_t p2,
                                              openBasicChannel_cb _hidl_cb) {
   hidl_vec<uint8_t> result;
+  if (aid.size() > MAX_AID_LENGTH) {
+    ALOGE("%s: AID out of range!!!", __func__);
+    _hidl_cb(result, SecureElementStatus::FAILED);
+    return Void();
+  }
 
   if (!isSeInitialized()) {
     ESESTATUS status = seHalInit();
diff --git a/pn8x/1.0/SecureElement.h b/pn8x/1.0/SecureElement.h
index 6c314e4..1a72169 100755
--- a/pn8x/1.0/SecureElement.h
+++ b/pn8x/1.0/SecureElement.h
@@ -1,6 +1,6 @@
 /******************************************************************************
  *
- *  Copyright 2018 NXP
+ *  Copyright 2018,2023 NXP
  *
  *  Licensed under the Apache License, Version 2.0 (the "License");
  *  you may not use this file except in compliance with the License.
@@ -47,6 +47,9 @@
 #ifndef DEFAULT_BASIC_CHANNEL
 #define DEFAULT_BASIC_CHANNEL 0x00
 #endif
+#ifndef MAX_AID_LENGTH
+#define MAX_AID_LENGTH 0x10
+#endif
 
 struct SecureElement : public ISecureElement, public hidl_death_recipient {
   SecureElement();
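Review bot: Wrapping `MAX_AID_LENGTH` in `#ifndef` lets a build flag redefine the bound the new size checks depend on, which silently weakens the guard the commit is adding; unless an override is intended, an unconditional `constexpr size_t kMaxAidLength = 16;` keeps the limit in one visible place. A comment giving the origin of 0x10 would also help, e.g. `// ISO/IEC 7816-4: an AID is at most 16 bytes`. The same guarded define is added in pn8x/1.1, snxxx/1.0, snxxx/1.1, snxxx/1.2 and snxxx/aidl SecureElement.h.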
diff --git a/pn8x/1.1/SecureElement.cpp b/pn8x/1.1/SecureElement.cpp
index e4a05df..c960568 100644
--- a/pn8x/1.1/SecureElement.cpp
+++ b/pn8x/1.1/SecureElement.cpp
@@ -1,6 +1,6 @@
 /******************************************************************************
  *
- *  Copyright 2018 NXP
+ *  Copyright 2018,2023 NXP
  *
  *  Licensed under the Apache License, Version 2.0 (the "License");
  *  you may not use this file except in compliance with the License.
@@ -167,6 +167,11 @@
   LogicalChannelResponse resApduBuff;
   resApduBuff.channelNumber = 0xff;
   memset(&resApduBuff, 0x00, sizeof(resApduBuff));
+  if (aid.size() > MAX_AID_LENGTH) {
+    ALOGE("%s: AID out of range!!!", __func__);
+    _hidl_cb(resApduBuff, SecureElementStatus::FAILED);
+    return Void();
+  }
 
   if (!isSeInitialized()) {
     ESESTATUS status = seHalInit();
@@ -296,6 +301,11 @@
                                              uint8_t p2,
                                              openBasicChannel_cb _hidl_cb) {
   hidl_vec<uint8_t> result;
+  if (aid.size() > MAX_AID_LENGTH) {
+    ALOGE("%s: AID out of range!!!", __func__);
+    _hidl_cb(result, SecureElementStatus::FAILED);
+    return Void();
+  }
 
   if (!isSeInitialized()) {
     ESESTATUS status = seHalInit();
diff --git a/pn8x/1.1/SecureElement.h b/pn8x/1.1/SecureElement.h
index d36b03f..4c7d278 100755
--- a/pn8x/1.1/SecureElement.h
+++ b/pn8x/1.1/SecureElement.h
@@ -1,6 +1,6 @@
 /******************************************************************************
  *
- *  Copyright 2018 NXP
+ *  Copyright 2018,2023 NXP
  *
  *  Licensed under the Apache License, Version 2.0 (the "License");
  *  you may not use this file except in compliance with the License.
@@ -50,6 +50,9 @@
 #ifndef DEFAULT_BASIC_CHANNEL
 #define DEFAULT_BASIC_CHANNEL 0x00
 #endif
+#ifndef MAX_AID_LENGTH
+#define MAX_AID_LENGTH 0x10
+#endif
 
 struct SecureElement : public V1_1::ISecureElement,
                        public hidl_death_recipient {
diff --git a/snxxx/1.0/SecureElement.cpp b/snxxx/1.0/SecureElement.cpp
index 18c5176..021f783 100755
--- a/snxxx/1.0/SecureElement.cpp
+++ b/snxxx/1.0/SecureElement.cpp
@@ -1,6 +1,6 @@
 /******************************************************************************
  *
- *  Copyright 2018-2021 NXP
+ *  Copyright 2018-2021,2023 NXP
  *
  *  Licensed under the Apache License, Version 2.0 (the "License");
  *  you may not use this file except in compliance with the License.
@@ -226,6 +226,11 @@
   LogicalChannelResponse resApduBuff;
   resApduBuff.channelNumber = 0xff;
   memset(&resApduBuff, 0x00, sizeof(resApduBuff));
+  if (aid.size() > MAX_AID_LENGTH) {
+    LOG(ERROR) << "%s: AID out of range!!!" << __func__;
+    _hidl_cb(resApduBuff, SecureElementStatus::FAILED);
+    return Void();
+  }
 
   LOG(INFO) << "Acquired the lock from SPI openLogicalChannel";
 
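Review bot: `LOG(ERROR) << "%s: AID out of range!!!" << __func__;` mixes a printf placeholder with a streaming logger, so the emitted line is literally `%s: AID out of range!!!openLogicalChannel`; write it as `LOG(ERROR) << __func__ << ": AID out of range!!!";`. The same line appears in openBasicChannel of this file and in both functions of snxxx/1.1, snxxx/1.2 and snxxx/aidl SecureElement.cpp. openLogicalChannel begins above the hunk and continues below it.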
@@ -397,10 +402,16 @@
 Return<void> SecureElement::openBasicChannel(const hidl_vec<uint8_t>& aid,
                                              uint8_t p2,
                                              openBasicChannel_cb _hidl_cb) {
+  hidl_vec<uint8_t> result;
+  if (aid.size() > MAX_AID_LENGTH) {
+    LOG(ERROR) << "%s: AID out of range!!!" << __func__;
+    _hidl_cb(result, SecureElementStatus::FAILED);
+    return Void();
+  }
+
   ESESTATUS status = ESESTATUS_SUCCESS;
   phNxpEse_7816_cpdu_t cpdu;
   phNxpEse_7816_rpdu_t rpdu;
-  hidl_vec<uint8_t> result;
   hidl_vec<uint8_t> ls_aid = {0xA0, 0x00, 0x00, 0x03, 0x96, 0x41, 0x4C,
                               0x41, 0x01, 0x43, 0x4F, 0x52, 0x01};
 
diff --git a/snxxx/1.0/SecureElement.h b/snxxx/1.0/SecureElement.h
index 44d7e7b..1baf083 100644
--- a/snxxx/1.0/SecureElement.h
+++ b/snxxx/1.0/SecureElement.h
@@ -1,6 +1,6 @@
 /******************************************************************************
  *
- *  Copyright 2018 NXP
+ *  Copyright 2018,2023 NXP
  *
  *  Licensed under the Apache License, Version 2.0 (the "License");
  *  you may not use this file except in compliance with the License.
@@ -72,6 +72,9 @@
 #ifndef DEFAULT_BASIC_CHANNEL
 #define DEFAULT_BASIC_CHANNEL 0x00
 #endif
+#ifndef MAX_AID_LENGTH
+#define MAX_AID_LENGTH 0x10
+#endif
 
 struct SecureElement : public ISecureElement, public hidl_death_recipient {
   SecureElement();
diff --git a/snxxx/1.1/SecureElement.cpp b/snxxx/1.1/SecureElement.cpp
index dafde01..e261910 100755
--- a/snxxx/1.1/SecureElement.cpp
+++ b/snxxx/1.1/SecureElement.cpp
@@ -1,6 +1,6 @@
 /******************************************************************************
  *
- *  Copyright 2018-2022 NXP
+ *  Copyright 2018-2023 NXP
  *
  *  Licensed under the Apache License, Version 2.0 (the "License");
  *  you may not use this file except in compliance with the License.
@@ -320,6 +320,11 @@
   LogicalChannelResponse resApduBuff;
   resApduBuff.channelNumber = 0xff;
   memset(&resApduBuff, 0x00, sizeof(resApduBuff));
+  if (aid.size() > MAX_AID_LENGTH) {
+    LOG(ERROR) << "%s: AID out of range!!!" << __func__;
+    _hidl_cb(resApduBuff, SecureElementStatus::FAILED);
+    return Void();
+  }
 
   LOG(INFO) << "Acquired the lock from SPI openLogicalChannel";
 
@@ -483,11 +488,16 @@
 Return<void> SecureElement::openBasicChannel(const hidl_vec<uint8_t>& aid,
                                              uint8_t p2,
                                              openBasicChannel_cb _hidl_cb) {
+  hidl_vec<uint8_t> result;
+  if (aid.size() > MAX_AID_LENGTH) {
+    LOG(ERROR) << "%s: AID out of range!!!" << __func__;
+    _hidl_cb(result, SecureElementStatus::FAILED);
+    return Void();
+  }
   AutoMutex guard(seHalLock);
   ESESTATUS status = ESESTATUS_SUCCESS;
   phNxpEse_7816_cpdu_t cpdu;
   phNxpEse_7816_rpdu_t rpdu;
-  hidl_vec<uint8_t> result;
   hidl_vec<uint8_t> ls_aid = {0xA0, 0x00, 0x00, 0x03, 0x96, 0x41, 0x4C,
                               0x41, 0x01, 0x43, 0x4F, 0x52, 0x01};
 
diff --git a/snxxx/1.1/SecureElement.h b/snxxx/1.1/SecureElement.h
index 4ed0b8f..1884f67 100755
--- a/snxxx/1.1/SecureElement.h
+++ b/snxxx/1.1/SecureElement.h
@@ -1,6 +1,6 @@
 /******************************************************************************
  *
- *  Copyright 2018-2019 NXP
+ *  Copyright 2018-2019,2023 NXP
  *
  *  Licensed under the Apache License, Version 2.0 (the "License");
  *  you may not use this file except in compliance with the License.
@@ -77,6 +77,9 @@
 #ifndef DEFAULT_BASIC_CHANNEL
 #define DEFAULT_BASIC_CHANNEL 0x00
 #endif
+#ifndef MAX_AID_LENGTH
+#define MAX_AID_LENGTH 0x10
+#endif
 
 struct SecureElement : public V1_1::ISecureElement,
                        public hidl_death_recipient {
diff --git a/snxxx/1.2/SecureElement.cpp b/snxxx/1.2/SecureElement.cpp
index 42f2cd2..35b84eb 100755
--- a/snxxx/1.2/SecureElement.cpp
+++ b/snxxx/1.2/SecureElement.cpp
@@ -1,6 +1,6 @@
 /******************************************************************************
  *
- *  Copyright 2018-2022 NXP
+ *  Copyright 2018-2023 NXP
  *
  *  Licensed under the Apache License, Version 2.0 (the "License");
  *  you may not use this file except in compliance with the License.
@@ -398,6 +398,11 @@
   LogicalChannelResponse resApduBuff;
   resApduBuff.channelNumber = 0xff;
   memset(&resApduBuff, 0x00, sizeof(resApduBuff));
+  if (aid.size() > MAX_AID_LENGTH) {
+    LOG(ERROR) << "%s: AID out of range!!!" << __func__;
+    _hidl_cb(resApduBuff, SecureElementStatus::FAILED);
+    return Void();
+  }
 
   /*
    * Basic channel & reserved channel if any is removed
@@ -597,11 +602,16 @@
 Return<void> SecureElement::openBasicChannel(const hidl_vec<uint8_t>& aid,
                                              uint8_t p2,
                                              openBasicChannel_cb _hidl_cb) {
+  hidl_vec<uint8_t> result;
+  if (aid.size() > MAX_AID_LENGTH) {
+    LOG(ERROR) << "%s: AID out of range!!!" << __func__;
+    _hidl_cb(result, SecureElementStatus::FAILED);
+    return Void();
+  }
   AutoMutex guard(seHalLock);
   ESESTATUS status = ESESTATUS_SUCCESS;
   phNxpEse_7816_cpdu_t cpdu;
   phNxpEse_7816_rpdu_t rpdu;
-  hidl_vec<uint8_t> result;
   hidl_vec<uint8_t> ls_aid = {0xA0, 0x00, 0x00, 0x03, 0x96, 0x41, 0x4C,
                               0x41, 0x01, 0x43, 0x4F, 0x52, 0x01};
 
diff --git a/snxxx/1.2/SecureElement.h b/snxxx/1.2/SecureElement.h
index 0f503c0..198a039 100755
--- a/snxxx/1.2/SecureElement.h
+++ b/snxxx/1.2/SecureElement.h
@@ -1,6 +1,6 @@
 /******************************************************************************
  *
- *  Copyright 2020,2022  NXP
+ *  Copyright 2020,2022-2023  NXP
  *
  *  Licensed under the Apache License, Version 2.0 (the "License");
  *  you may not use this file except in compliance with the License.
@@ -80,6 +80,9 @@
 #ifndef DEFAULT_BASIC_CHANNEL
 #define DEFAULT_BASIC_CHANNEL 0x00
 #endif
+#ifndef MAX_AID_LENGTH
+#define MAX_AID_LENGTH 0x10
+#endif
 
 struct SecureElement : public V1_2::ISecureElement,
                        public hidl_death_recipient {
diff --git a/snxxx/aidl/SecureElement.cpp b/snxxx/aidl/SecureElement.cpp
index 3790d04..7a7a5aa 100644
--- a/snxxx/aidl/SecureElement.cpp
+++ b/snxxx/aidl/SecureElement.cpp
@@ -307,6 +307,11 @@
   LogicalChannelResponse resApduBuff;
   resApduBuff.channelNumber = 0xff;
   memset(&resApduBuff, 0x00, sizeof(resApduBuff));
+  if (aid.size() > MAX_AID_LENGTH) {
+    LOG(ERROR) << "%s: AID out of range!!!" << __func__;
+    *_aidl_return = resApduBuff;
+    return ScopedAStatus::fromServiceSpecificError(FAILED);
+  }
 
   /*
    * Basic channel & reserved channel if any is removed
@@ -506,11 +511,16 @@
 ScopedAStatus SecureElement::openBasicChannel(
     const std::vector<uint8_t>& aid, int8_t p2,
     std::vector<uint8_t>* _aidl_return) {
+  std::vector<uint8_t> result;
+  if (aid.size() > MAX_AID_LENGTH) {
+    LOG(ERROR) << "%s: AID out of range!!!" << __func__;
+    *_aidl_return = result;
+    return ScopedAStatus::fromServiceSpecificError(FAILED);
+  }
   AutoMutex guard(seHalLock);
   ESESTATUS status = ESESTATUS_SUCCESS;
   phNxpEse_7816_cpdu_t cpdu;
   phNxpEse_7816_rpdu_t rpdu;
-  std::vector<uint8_t> result;
 
   if (mOpenedChannels[0]) {
     LOG(ERROR) << "openBasicChannel failed, channel already in use";
diff --git a/snxxx/aidl/SecureElement.h b/snxxx/aidl/SecureElement.h
index 1309db0..98e8901 100644
--- a/snxxx/aidl/SecureElement.h
+++ b/snxxx/aidl/SecureElement.h
@@ -65,6 +65,9 @@
 #ifndef DEFAULT_BASIC_CHANNEL
 #define DEFAULT_BASIC_CHANNEL 0x00
 #endif
+#ifndef MAX_AID_LENGTH
+#define MAX_AID_LENGTH 0x10
+#endif
 
 struct SecureElement : public BnSecureElement {
  public: