hostsidetests/securitybulletin/securityPatch/CVE-2017-0670/poc.c - platform/cts - Git at Google

 /**
  * Copyright (C) 2020 The Android Open Source Project
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *      http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
  #include <stdlib.h>
  #include "../includes/common.h"

  //This PoC is only for 32-bit builds
 #if _32_BIT
 #include <unistd.h>
 #include <string.h>
 #include <dlfcn.h>

 #define MAX_STRLEN 256
 #define LOOP_COUNT 10
 #define LIB_NAME "/system/lib/libandroid.so"

 int runDlopenDlcloseLibraryLoop(char *libName, unsigned char count) {
     while (count) {
         void *lib_handle = dlopen(libName, RTLD_NOW);
         if (!lib_handle) {
             return EXIT_FAILURE;
         }
         if (dlclose(lib_handle)) {
             return EXIT_FAILURE;
         }
         count--;
     }
     return EXIT_SUCCESS;
 }
 int getMemoryUsage(unsigned long *memUsage) {
     char cmd[MAX_STRLEN];
     char buf[MAX_STRLEN];
     memset(cmd, 0, MAX_STRLEN);
     memset(buf, 0, MAX_STRLEN);
     sprintf(cmd, "cat /proc/%d/maps | grep anon:linker_alloc]", getpid());
     FILE *fpMem = popen(cmd, "r");
     if (!fpMem) {
         return EXIT_FAILURE;
     }
     unsigned long totalMemUsage = 0;
     while (fgets(buf, MAX_STRLEN, fpMem) != NULL) {
         unsigned long mem1 = 0;
         unsigned long mem2 = 0;
         int numOfItemsRead = sscanf(buf, "%lx-%lx", &mem1, &mem2);
         if (numOfItemsRead < 2) {
             pclose(fpMem);
             return EXIT_FAILURE;
         }
         totalMemUsage += mem2 - mem1;
     }
     pclose(fpMem);
     *memUsage = totalMemUsage;
     return EXIT_SUCCESS;
 }
 #endif /* _32_BIT */

 int main() {

 //This PoC is only for 32-bit builds
 #if _32_BIT
     /* Memory usage is expected to rise during first few dlopen-dlcose pairs  */
     /* due to linker initializations. Hence memory is not tracked during      */
     /* first few dlopen-dlcose pairs.                                         */
     if (runDlopenDlcloseLibraryLoop(LIB_NAME, LOOP_COUNT)) {
         return EXIT_FAILURE;
     }

     /* The linker specific initializations should be complete. Hence Memory  */
     /* usage is tracked from this point onwards. Further dlopen-dlcose pairs */
     /* are not expected to increase memory usage                             */
     unsigned long memUsageBefore = 0;
     if (getMemoryUsage(&memUsageBefore)) {
         return EXIT_FAILURE;
     }

     if (runDlopenDlcloseLibraryLoop(LIB_NAME, LOOP_COUNT)) {
         return EXIT_FAILURE;
     }

     unsigned long memUsageAfter = 0;
     if (getMemoryUsage(&memUsageAfter)) {
         return EXIT_FAILURE;
     }

     if (memUsageBefore != memUsageAfter) {
         return EXIT_VULNERABLE;
     }
 #endif /* _32_BIT */

     return EXIT_SUCCESS;
 }
	/**
	* Copyright (C) 2020 The Android Open Source Project
	*
	* Licensed under the Apache License, Version 2.0 (the "License");
	* you may not use this file except in compliance with the License.
	* You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/
	#include <stdlib.h>
	#include "../includes/common.h"

	//This PoC is only for 32-bit builds
	#if _32_BIT
	#include <unistd.h>
	#include <string.h>
	#include <dlfcn.h>

	#define MAX_STRLEN 256
	#define LOOP_COUNT 10
	#define LIB_NAME "/system/lib/libandroid.so"

	int runDlopenDlcloseLibraryLoop(char *libName, unsigned char count) {
	while (count) {
	void *lib_handle = dlopen(libName, RTLD_NOW);
	if (!lib_handle) {
	return EXIT_FAILURE;
	}
	if (dlclose(lib_handle)) {
	return EXIT_FAILURE;
	}
	count--;
	}
	return EXIT_SUCCESS;
	}
	int getMemoryUsage(unsigned long *memUsage) {
	char cmd[MAX_STRLEN];
	char buf[MAX_STRLEN];
	memset(cmd, 0, MAX_STRLEN);
	memset(buf, 0, MAX_STRLEN);
	sprintf(cmd, "cat /proc/%d/maps \| grep anon:linker_alloc]", getpid());
	FILE *fpMem = popen(cmd, "r");
	if (!fpMem) {
	return EXIT_FAILURE;
	}
	unsigned long totalMemUsage = 0;
	while (fgets(buf, MAX_STRLEN, fpMem) != NULL) {
	unsigned long mem1 = 0;
	unsigned long mem2 = 0;
	int numOfItemsRead = sscanf(buf, "%lx-%lx", &mem1, &mem2);
	if (numOfItemsRead < 2) {
	pclose(fpMem);
	return EXIT_FAILURE;
	}
	totalMemUsage += mem2 - mem1;
	}
	pclose(fpMem);
	*memUsage = totalMemUsage;
	return EXIT_SUCCESS;
	}
	#endif /* _32_BIT */

	int main() {

	//This PoC is only for 32-bit builds
	#if _32_BIT
	/* Memory usage is expected to rise during first few dlopen-dlcose pairs */
	/* due to linker initializations. Hence memory is not tracked during */
	/* first few dlopen-dlcose pairs. */
	if (runDlopenDlcloseLibraryLoop(LIB_NAME, LOOP_COUNT)) {
	return EXIT_FAILURE;
	}

	/* The linker specific initializations should be complete. Hence Memory */
	/* usage is tracked from this point onwards. Further dlopen-dlcose pairs */
	/* are not expected to increase memory usage */
	unsigned long memUsageBefore = 0;
	if (getMemoryUsage(&memUsageBefore)) {
	return EXIT_FAILURE;
	}

	if (runDlopenDlcloseLibraryLoop(LIB_NAME, LOOP_COUNT)) {
	return EXIT_FAILURE;
	}

	unsigned long memUsageAfter = 0;
	if (getMemoryUsage(&memUsageAfter)) {
	return EXIT_FAILURE;
	}

	if (memUsageBefore != memUsageAfter) {
	return EXIT_VULNERABLE;
	}
	#endif /* _32_BIT */

	return EXIT_SUCCESS;
	}