| /* |
| * Copyright (C) 2021 The Android Open Source Project |
| * |
| * Licensed under the Apache License, Version 2.0 (the "License"); |
| * you may not use this file except in compliance with the License. |
| * You may obtain a copy of the License at: |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| * |
| */ |
| |
| #include <unistd.h> |
| #include "phNxpExtns_MifareStd.h" |
| #include "../includes/common.h" |
| #include "../includes/memutils.h" |
| |
| char enable_selective_overload = ENABLE_NONE; |
| char *vulnPtr = nullptr; |
| bool testInProgress = false; |
| struct sigaction new_action, old_action; |
| void sigsegv_handler(int signum, siginfo_t *info, void* context) { |
| if (testInProgress && info->si_signo == SIGSEGV) { |
| size_t pageSize = getpagesize(); |
| if (pageSize) { |
| char *vulnPtrGuardPage = (char *) ((size_t) vulnPtr & PAGE_MASK) - pageSize; |
| char *faultPage = (char *) ((size_t) info->si_addr & PAGE_MASK); |
| if (faultPage == vulnPtrGuardPage) { |
| (*old_action.sa_sigaction)(signum, info, context); |
| return; |
| } |
| } |
| } |
| _exit(EXIT_FAILURE); |
| } |
| uint8_t NFC_GetNCIVersion() { |
| return NCI_VERSION_2_0; |
| } |
| |
| int main() { |
| sigemptyset(&new_action.sa_mask); |
| new_action.sa_flags = SA_SIGINFO; |
| new_action.sa_sigaction = sigsegv_handler; |
| sigaction(SIGSEGV, &new_action, &old_action); |
| enable_selective_overload = ENABLE_MEMALIGN_CHECK; |
| uint8_t *buffer = (uint8_t*) memalign(16, 16 * sizeof(uint8_t)); |
| enable_selective_overload = ENABLE_FREE_CHECK | ENABLE_REALLOC_CHECK; |
| FAIL_CHECK(buffer); |
| |
| vulnPtr = (char *) buffer; |
| uint8_t bufferSize = 1; |
| buffer[0] = 0x10; |
| phNxpExtns_MfcModuleInit(); |
| testInProgress = true; |
| Mfc_RecvPacket(buffer, bufferSize); |
| testInProgress = false; |
| free(buffer); |
| return EXIT_SUCCESS; |
| } |