/*
* Copyright (C) 2021 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include <media/IDrm.h>
#include "../includes/common.h"
#define private public
#include <media/ICrypto.h>
using namespace android;
// Element count that main() writes into the parcel as the vector length.
const uint16_t kDataSize{4096};

// Address of the one vector whose clear() calls are of interest; null until main() sets it.
const void *vulnPtr{nullptr};

// Set by the VectorImpl::clear() defined in this file once the tracked vector is cleared.
bool isVectorCleared{false};

// Gate for the tracking: clear() calls made while this is false are not recorded.
bool isTrackingEnabled{false};
// Test-local definition of VectorImpl::clear(). It empties nothing; it only
// records that clear() was invoked on the tracked vector while tracking was on.
// NOTE(review): presumably this takes the place of the library definition when
// the test binary is linked - confirm against the build rules.
void VectorImpl::clear() {
    // Calls made outside the tracking window are ignored.
    if (!isTrackingEnabled) {
        return;
    }
    // Only the vector registered through vulnPtr is of interest.
    if (this != vulnPtr) {
        return;
    }
    isVectorCleared = true;
}
// Minimal BnCrypto subclass for the test: every member ignores its arguments
// and returns a fixed value. It exists only so that main() has an object on
// which to call readVector().
// NOTE(review): presumably these are the members BnCrypto leaves unimplemented;
// confirm against media/ICrypto.h.
class PocBnCrypto : public BnCrypto {
public:
    // Plugin lifecycle: always reports success.
    status_t initCheck() const { return OK; }
    status_t createPlugin(const uint8_t *, const void *, size_t) { return OK; }
    status_t destroyPlugin() { return OK; }

    // Capability queries: always answer true.
    bool isCryptoSchemeSupported(const uint8_t *) { return true; }
    bool requiresSecureDecoderComponent(const char *) const { return true; }

    // Session and resolution hooks: nothing is stored.
    void notifyResolution(uint32_t, uint32_t) {}
    status_t setMediaDrmSession(const Vector<uint8_t> &) { return OK; }

    // Decrypt stub: touches none of its buffers and returns 0.
    ssize_t decrypt(const uint8_t *, const uint8_t *, CryptoPlugin::Mode,
                    const CryptoPlugin::Pattern &, const SourceBuffer &, size_t,
                    const CryptoPlugin::SubSample *, size_t, const DestinationBuffer &,
                    AString *) {
        return 0;
    }

    // Heap registration stubs.
    int32_t setHeap(const sp<IMemoryHeap> &) { return 0; }
    void unsetHeap(int32_t) {}
};
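// Regression check for BnCrypto::readVector(): builds a parcel that announces
// a vector of kDataSize elements but carries no payload, and verifies that
// readVector() calls clear() on the destination vector.
// readVector() is reachable here because media/ICrypto.h is included with
// `private` redefined to `public`.
//
// Returns EXIT_SUCCESS when clear() was observed on the destination vector
// during the call, EXIT_VULNERABLE otherwise.
int main() {
    PocBnCrypto obj;
    Parcel data;

    status_t status = data.writeInterfaceToken(String16("android.hardware.ICrypto"));
    FAIL_CHECK(status == OK);

    // Only the length is written; no element bytes follow it. Check this write
    // as well, since a parcel without the length field would make the verdict
    // below meaningless.
    status = data.writeInt32(kDataSize);
    FAIL_CHECK(status == OK);
    // NOTE(review): the parcel's position is not rewound after the writes, so
    // readVector() starts reading where the writes stopped - confirm that this
    // is the intended input for the check.

    Vector<uint8_t> sessionId;
    // Register the vector before opening the tracking window so that only
    // clear() calls made from inside readVector() are recorded.
    vulnPtr = &sessionId;
    isTrackingEnabled = true;
    obj.readVector(data, sessionId);
    isTrackingEnabled = false;

    // A vector that was never cleared is reported as the vulnerable outcome
    // (presumably because it may keep storage that was sized from the
    // announced length but never filled - confirm against the fixed code).
    return isVectorCleared ? EXIT_SUCCESS : EXIT_VULNERABLE;
}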