author Ellen Arteca <emarteca@google.com> 2024-04-23 23:13:05 +0000
committer Ellen Arteca <emarteca@google.com> 2024-04-24 23:47:05 +0000
commit562ea6037ef28ecf7ceae78d22b132aff4f94dfc (patch)
tree71315bdd0029a04f3018f9302244c6f5801a332d
parent548ee3851e394f9eeac1f105904cba9f2a6f2d10 (diff)
Mitigate LSKF leaks in RecoverableKeyStoreManager
This CL clears a local variable `byte[]` storing a copy of the LSKF, to avoid it being present in a RAMdump. Bug: 320392352 Test: build Change-Id: I3781ad8c0a15b7761820a21413cb870e01794c37
-rw-r--r--services/core/java/com/android/server/locksettings/recoverablekeystore/RecoverableKeyStoreManager.java3
1 files changed, 2 insertions, 1 deletions
diff --git a/services/core/java/com/android/server/locksettings/recoverablekeystore/RecoverableKeyStoreManager.java b/services/core/java/com/android/server/locksettings/recoverablekeystore/RecoverableKeyStoreManager.java
index e5807e84a70e..54303c01890a 100644
--- a/services/core/java/com/android/server/locksettings/recoverablekeystore/RecoverableKeyStoreManager.java
+++ b/services/core/java/com/android/server/locksettings/recoverablekeystore/RecoverableKeyStoreManager.java
@@ -1082,7 +1082,8 @@ public class RecoverableKeyStoreManager {
int keyguardCredentialsType = lockPatternUtilsToKeyguardType(savedCredentialType);
try (LockscreenCredential credential =
createLockscreenCredential(keyguardCredentialsType, decryptedCredentials)) {
- // TODO(b/254335492): remove decryptedCredentials
+ Arrays.fill(decryptedCredentials, (byte) 0);
+ decryptedCredentials = null;
VerifyCredentialResponse verifyResponse =
lockSettingsService.verifyCredential(credential, userId, 0);
return handleVerifyCredentialResponse(verifyResponse, userId);
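Review bot: The wipe added at the top of the try body only runs when `createLockscreenCredential` returns normally; if that call throws, `decryptedCredentials` keeps the plaintext LSKF until the array is reclaimed, which is the RAM-dump exposure this change is meant to close. Consider clearing the array on every path, for example with `finally { Arrays.fill(decryptedCredentials, (byte) 0); }` on an enclosing try, and in that case dropping `decryptedCredentials = null;`, which adds no protection once the bytes are zeroed. The early wipe also relies on `createLockscreenCredential` copying the bytes rather than keeping a reference to the array, and any intermediate copy it makes is not covered here; a comment such as `// createLockscreenCredential copies the bytes, so the source array can be wiped now` would record that assumption once it is confirmed. The enclosing method begins and ends outside this hunk, so whether the try already has a catch or finally clause is not visible.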