Add missing signedness check in Keymaster buffer

Add a check in the Serializable Buffer implementation of Keymaster for
the signedness of the input parameter to advance_read and advance_write.
Both methods take a distance of type int, and add it to the buffer
position regardless of whether it's positive or negative.
This leads to violation of buffer state invariants (specifically
read_position_) and (ultimately) to reading from an invalid
memory region.

In this change:
* advance_read is removed as it's not used.
* advance_write is moved out of the header file.
* Guards against negative distance values and wrapping are added.
* A method for validating buffer state is added and used in reserve().

Ignore-AOSP-First: Security fix
Bug: 173567719
Test: Run libkeymaster_fuzz_buffer on clusterfuzz-testcase-minimized-libkeymaster_fuzz_buffer-5372592199434240
Merged-In: I15330a2f23c3461e23daad450af33e3f92e6730c
Change-Id: I15330a2f23c3461e23daad450af33e3f92e6730c
(cherry picked from commit 48edbcdb981c980b27f4826563b4ca46754df885)
3 files changed
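
The failure mode described in the commit message, shown as an added example that is not the Keymaster source: a simplified buffer model in which an unguarded signed advance breaks the position invariant and a guarded one refuses the call. The class DemoBuffer, its members and the helper function are assumptions made for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Simplified model for illustration; class and member names are assumptions.
class DemoBuffer {
  public:
    explicit DemoBuffer(size_t size) : data_(size) {}
    // Unguarded form: a signed distance is added to the position as-is.
    void advance_write_unchecked(int distance) {
        write_pos_ += static_cast<size_t>(distance);  // negative values wrap
    }
    // Guarded form: reject negative distances and anything past capacity.
    bool advance_write(int distance) {
        if (distance < 0 || !valid()) return false;
        const size_t d = static_cast<size_t>(distance);
        // Compare against remaining space so the addition cannot wrap.
        if (d > data_.size() - write_pos_) return false;
        write_pos_ += d;
        return true;
    }
    // Consume n readable bytes; fails if fewer are available.
    bool consume(size_t n) {
        if (!valid() || n > write_pos_ - read_pos_) return false;
        read_pos_ += n;
        return true;
    }
    // State invariant: read_pos_ <= write_pos_ <= capacity.
    bool valid() const { return read_pos_ <= write_pos_ && write_pos_ <= data_.size(); }

  private:
    std::vector<uint8_t> data_;
    size_t read_pos_ = 0, write_pos_ = 0;
};

// Returns whether the buffer is still valid after: write 8, read 8, advance by -4.
bool state_valid_after_negative_advance(bool guarded) {
    DemoBuffer b(16);
    b.advance_write(8);
    b.consume(8);
    if (guarded) b.advance_write(-4); else b.advance_write_unchecked(-4);
    return b.valid();
}

int main() {
    std::printf("unguarded valid: %d\n", state_valid_after_negative_advance(false));
    std::printf("guarded valid:   %d\n", state_valid_after_negative_advance(true));
}
```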