USB: Solving path traversal issue in USB HAL AppendNodeMapper
Currently the string comes from the HIDL interface, and
attackers can access this HAL via HWBinder; once escalated,
they can cause this path traversal by sending a string
such as "../../../data/local/temp". This patch adds a condition
that looks specifically for '/' and '..' and returns an
empty string if either is found; otherwise the string is appended to
"/sys/class/typec/" to map the portName we receive from the HIDL interface.
Change-Id: Id9c6cd0fc2360da5ffe31dbecc2bf4978b085b58
diff --git a/hal/Usb.cpp b/hal/Usb.cpp
index 8a4afae..1cf2a5a 100644
--- a/hal/Usb.cpp
+++ b/hal/Usb.cpp
@@ -107,17 +107,23 @@
std::string appendRoleNodeHelper(const std::string &portName,
PortRoleType type) {
- std::string node("/sys/class/typec/" + portName);
- switch (type) {
- case PortRoleType::DATA_ROLE:
- return node + "/data_role";
- case PortRoleType::POWER_ROLE:
- return node + "/power_role";
- case PortRoleType::MODE:
- return node + "/port_type";
- default:
- return "";
+ if ((portName == "..") || (portName.find('/') != std::string::npos)) {
+ ALOGE("Fatal: invalid portName");
+ return "";
+ }
+
+ std::string node("/sys/class/typec/" + portName);
+
+ switch (type) {
+ case PortRoleType::DATA_ROLE:
+ return node + "/data_role";
+ case PortRoleType::POWER_ROLE:
+ return node + "/power_role";
+ case PortRoleType::MODE:
+ return node + "/port_type";
+ default:
+ return "";
}
}
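Review bot: The new guard at the top of appendRoleNodeHelper is a denylist that still accepts an empty portName and ".", which yield "/sys/class/typec//data_role" and "/sys/class/typec/./data_role". Both stay inside /sys/class/typec, so the traversal itself is closed, but neither names a port, and rejecting them in the same place keeps the function from building paths for values that cannot be valid: `if (portName.empty() || portName == "." || portName == ".." || portName.find('/') != std::string::npos) {`. An allowlist of the characters a typec port name can contain would be stricter still, since it would also reject control bytes in a string that arrives over HIDL. The rejection path returns the same "" as the `default:` case, and the callers are outside this hunk, so it is worth confirming that each of them treats an empty path as a failure rather than passing it to a file open or write; a comment such as `// Returns "" if portName is not a plain typec port name or type is unknown.` above the function would document that contract. The log text `"Fatal: invalid portName"` is also misleading, because the call returns normally rather than aborting.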