hostsidetests/securitybulletin/securityPatch/CVE-2020-0007/poc.cpp - platform/cts - Git at Google

 /**
  * Copyright (C) 2020 The Android Open Source Project
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *      http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */

 #include "../includes/common.h"
 #include "../includes/memutils_track.h"
 #include "hardware/sensors.h"
 #include "sensor/Sensor.h"
 #include "stdlib.h"

 size_t vulnerableSize = 0;

 using namespace android;
 char enable_selective_overload = ENABLE_NONE;

 bool is_tracking_required(size_t size) { return (size == vulnerableSize); }

 static sensor_t getTestSensorT() {
   sensor_t hwSensor = {};
   hwSensor.name = "Test ";
   hwSensor.vendor = hwSensor.name;
   hwSensor.version = 1;
   hwSensor.handle = 2;
   hwSensor.type = SENSOR_TYPE_ACCELEROMETER;
   hwSensor.maxRange = 10.f;
   hwSensor.resolution = 1.f;
   hwSensor.power = 5.f;
   hwSensor.minDelay = 1000;
   hwSensor.fifoReservedEventCount = 50;
   hwSensor.fifoMaxEventCount = 100;
   hwSensor.stringType = SENSOR_STRING_TYPE_ACCELEROMETER;
   hwSensor.requiredPermission = "";
   hwSensor.maxDelay = 5000;
   hwSensor.flags = SENSOR_FLAG_CONTINUOUS_MODE;
   return hwSensor;
 }

 int main() {
   sensor_t hwSensor = getTestSensorT();
   Sensor sensor1(&hwSensor, SENSORS_DEVICE_API_VERSION_1_4);
   vulnerableSize = sensor1.getFlattenedSize();
   enable_selective_overload = ENABLE_MALLOC_CHECK;
   void *buffer = malloc(vulnerableSize);
   if (!buffer) {
     return EXIT_FAILURE;
   }
   enable_selective_overload = ENABLE_NONE;
   sensor1.flatten(buffer, vulnerableSize);
   int status = is_memory_uninitialized();
   free(buffer);
   return status;
 }
	/**
	* Copyright (C) 2020 The Android Open Source Project
	*
	* Licensed under the Apache License, Version 2.0 (the "License");
	* you may not use this file except in compliance with the License.
	* You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/

	#include "../includes/common.h"
	#include "../includes/memutils_track.h"
	#include "hardware/sensors.h"
	#include "sensor/Sensor.h"
	#include "stdlib.h"

	size_t vulnerableSize = 0;

	using namespace android;
	char enable_selective_overload = ENABLE_NONE;

	bool is_tracking_required(size_t size) { return (size == vulnerableSize); }

	static sensor_t getTestSensorT() {
	sensor_t hwSensor = {};
	hwSensor.name = "Test ";
	hwSensor.vendor = hwSensor.name;
	hwSensor.version = 1;
	hwSensor.handle = 2;
	hwSensor.type = SENSOR_TYPE_ACCELEROMETER;
	hwSensor.maxRange = 10.f;
	hwSensor.resolution = 1.f;
	hwSensor.power = 5.f;
	hwSensor.minDelay = 1000;
	hwSensor.fifoReservedEventCount = 50;
	hwSensor.fifoMaxEventCount = 100;
	hwSensor.stringType = SENSOR_STRING_TYPE_ACCELEROMETER;
	hwSensor.requiredPermission = "";
	hwSensor.maxDelay = 5000;
	hwSensor.flags = SENSOR_FLAG_CONTINUOUS_MODE;
	return hwSensor;
	}

	int main() {
	sensor_t hwSensor = getTestSensorT();
	Sensor sensor1(&hwSensor, SENSORS_DEVICE_API_VERSION_1_4);
	vulnerableSize = sensor1.getFlattenedSize();
	enable_selective_overload = ENABLE_MALLOC_CHECK;
	void *buffer = malloc(vulnerableSize);
	if (!buffer) {
	return EXIT_FAILURE;
	}
	enable_selective_overload = ENABLE_NONE;
	sensor1.flatten(buffer, vulnerableSize);
	int status = is_memory_uninitialized();
	free(buffer);
	return status;
	}