hostsidetests/securitybulletin/securityPatch/CVE-2020-0421/poc.cpp - platform/cts - Git at Google

 /**
  * Copyright (C) 2020 The Android Open Source Project
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *      http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */

 #include <dlfcn.h>

 #include "utils/String8.h"

 #define VULNERABLE_STRING "Q0bRTMaNUg"

 typedef int (*vsnprintf_t)(char *const, size_t, const char *, va_list);

 static vsnprintf_t fptr = nullptr;

 // For CVE-2020-0421 to be reproducible, the vsnprintf has to return a negative
 // value. This negative value is added to size_t resulting in runtime error.
 // Getting vsnprintf to return -1 is tricky. The issue produced in fuzzer was
 // due to the call str1.appendFormat("%S", "string"). Using wide char string
 // format specifier for regular string is not a reliable way to produce the
 // issue. As from N1570, "If any argument is not the correct type for the
 // corresponding conversion specification or If there are insufficient arguments
 // for the format, the printf behavior is undefined." The below intercepting
 // function offers a simple way to return negative value.
 int vsnprintf(char *const dest, size_t size, const char *format, va_list ap) {
   if (!strcmp(format, VULNERABLE_STRING)) {
     return -1;
   }
   return (*fptr)(dest, size, format, ap);
 }

 int main(void) {
   fptr = reinterpret_cast<vsnprintf_t>(dlsym(RTLD_NEXT, "vsnprintf"));
   if (!fptr) {
     return EXIT_FAILURE;
   }
   android::String8 str1{VULNERABLE_STRING};
   str1.appendFormat(VULNERABLE_STRING);
   return EXIT_SUCCESS;
 }
	/**
	* Copyright (C) 2020 The Android Open Source Project
	*
	* Licensed under the Apache License, Version 2.0 (the "License");
	* you may not use this file except in compliance with the License.
	* You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/

	#include <dlfcn.h>

	#include "utils/String8.h"

	#define VULNERABLE_STRING "Q0bRTMaNUg"

	typedef int (vsnprintf_t)(char const, size_t, const char *, va_list);

	static vsnprintf_t fptr = nullptr;

	// For CVE-2020-0421 to be reproducible, the vsnprintf has to return a negative
	// value. This negative value is added to size_t resulting in runtime error.
	// Getting vsnprintf to return -1 is tricky. The issue produced in fuzzer was
	// due to the call str1.appendFormat("%S", "string"). Using wide char string
	// format specifier for regular string is not a reliable way to produce the
	// issue. As from N1570, "If any argument is not the correct type for the
	// corresponding conversion specification or If there are insufficient arguments
	// for the format, the printf behavior is undefined." The below intercepting
	// function offers a simple way to return negative value.
	int vsnprintf(char const dest, size_t size, const char format, va_list ap) {
	if (!strcmp(format, VULNERABLE_STRING)) {
	return -1;
	}
	return (*fptr)(dest, size, format, ap);
	}

	int main(void) {
	fptr = reinterpret_cast<vsnprintf_t>(dlsym(RTLD_NEXT, "vsnprintf"));
	if (!fptr) {
	return EXIT_FAILURE;
	}
	android::String8 str1{VULNERABLE_STRING};
	str1.appendFormat(VULNERABLE_STRING);
	return EXIT_SUCCESS;
	}