fairchild88 / smali

Automatically exported from code.google.com/p/smali
0 stars 0 forks source link

[dexlib2] Wrong Offset in SHA-1 Signature Calculation #193

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
dexlib2 SHA-1 update signature function is using a wrong offset to seek the 
input DEX stream.

Read starts from HEADER_SIZE_OFFSET which is defined at 36 bytes.

The correct value for the HEADER_SIZE_OFFSET is 32 bytes (u1 magic[8] + u4 
checksum + u1 signature[20]).

Issue has been passed unnoticed since dalvik has SHA-1 validation disabled by 
default (kVerifySignature is baked to false) and dexdump does not validate the 
header value.

dexlib2/src/main/java/org/jf/dexlib2/writer/DexWriter.java:updateSignature()
 238         byte[] buffer = new byte[4 * 1024];
 239         InputStream input = dataStore.readAt(HeaderItem.HEADER_SIZE_OFFSET);
 240         int bytesRead = input.read(buffer);

./dexlib2/src/main/java/org/jf/dexlib2/dexbacked/raw/HeaderItem.java:57:    
public static final int HEADER_SIZE_OFFSET = 36;

Issue affects all builds that are using dexlib2.

Original issue reported on code.google.com by Bechtsou...@gmail.com on 8 Nov 2013 at 9:14

GoogleCodeExporter commented 9 years ago
Good catch! Thanks for the great bug report :)

Original comment by jesusfreke@jesusfreke.com on 8 Nov 2013 at 11:10

GoogleCodeExporter commented 9 years ago
Fixed: 
https://code.google.com/p/smali/source/detail?r=b49126325f439c27152e61093ccd085c
2cbe3f94

Note: The value of HEADER_SIZE_OFFSET is actually correct - that's the correct 
offset to the header_size field. However, the hash should start at the 
file_size field, which is at offset 32.

Thanks again!

Original comment by jesusfreke@jesusfreke.com on 11 Nov 2013 at 6:13