author | TreeHugger Robot <treehugger-gerrit@google.com> | 2021-10-08 16:33:13 +0000 |
---|---|---|
committer | Android (Google) Code Review <android-gerrit@google.com> | 2021-10-08 16:33:13 +0000 |
commit | c89def1461226ab991986e1a645c609a389db5a9 (patch) | |
tree | 89ef15e1a5452b6b6a1423a6fc5e1e3d3b7077fd | |
parent | 540c699d631fae02b6b93672cbe7374c65a59760 (diff) | |
parent | f2a2bf01d33f64f3f18869a986a92491950eae35 (diff) | |
download | cts-c89def1461226ab991986e1a645c609a389db5a9.tar.gz |
Merge "[RESTRICT AUTOMERGE] Updated CTS test for Android Security b/120506143" into pi-dev
-rw-r--r-- | hostsidetests/securitybulletin/securityPatch/CVE-2019-2022/Android.mk | 3 | ||||
-rw-r--r-- | hostsidetests/securitybulletin/securityPatch/CVE-2019-2022/poc.cpp | 62 |
2 files changed, 49 insertions, 16 deletions
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2022/Android.mk b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2022/Android.mk
index 83c4401800f..6a3ddcba41b 100644
--- a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2022/Android.mk
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2022/Android.mk
@@ -33,5 +33,6 @@ LOCAL_COMPATIBILITY_SUITE := cts sts vts LOCAL_CTS_TEST_PACKAGE := android.security.cts LOCAL_ARM_MODE := arm -LOCAL_CFLAGS := -Wall -Werror -DCHECK_OVERFLOW +LOCAL_CFLAGS := -Wall -Werror +LOCAL_CFLAGS += -DCHECK_OVERFLOW -DENABLE_SELECTIVE_OVERLOADING include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2022/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2022/poc.cpp
index f71cafd1d4a..2eddb454c68 100644
--- a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2022/poc.cpp
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2022/poc.cpp
@@ -20,6 +20,30 @@ #include <nfc_api.h> #include <tags_defs.h> #include <rw_int.h> +#include <unistd.h> +#include "../includes/common.h" +#include "../includes/memutils.h" + +char enable_selective_overload = ENABLE_NONE; +char *vulnPtr = nullptr; + +bool testInProgress = false; +struct sigaction new_action, old_action; +void sigsegv_handler(int signum, siginfo_t *info, void* context) { + if (testInProgress && info->si_signo == SIGSEGV) { + size_t pageSize = getpagesize(); + if (pageSize) { + char *vulnPtrGuardPage = (char *) ((size_t) vulnPtr & PAGE_MASK) + pageSize; + char *faultPage = (char *) ((size_t) info->si_addr & PAGE_MASK); + if (faultPage == vulnPtrGuardPage) { + (*old_action.sa_sigaction)(signum, info, context); + return; + } + } + } + _exit(EXIT_FAILURE); +} + #define T3T_MSG_FELICALITE_MC_OFFSET 0x01 extern tRW_CB rw_cb; 
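Review bot: In `sigsegv_handler`, `(*old_action.sa_sigaction)(signum, info, context)` is invoked without checking that the saved disposition is an SA_SIGINFO handler; `sa_handler` and `sa_sigaction` share a union in `struct sigaction`, so if `old_action` holds SIG_DFL or SIG_IGN this calls through a null or invalid pointer from inside the handler. The chain presumably works because `../includes/memutils.h` installs its own SA_SIGINFO handler before `main` runs, but that is not visible in this hunk and deserves a comment on the `old_action` declaration, e.g. `// old_action: guard-page handler expected to be installed by memutils before main`. A guard such as `if (!(old_action.sa_flags & SA_SIGINFO)) { _exit(EXIT_FAILURE); }` ahead of the call turns that assumption into a checked one. `testInProgress` and `vulnPtr` are written on the normal path and read only on the fault path, so declaring them `volatile` states that intent.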
@@ -30,7 +54,7 @@ tNFC_STATUS rw_t3t_select(uint8_t peer_nfcid2[NCI_RF_F_UID_LEN], uint8_t mrti_check, uint8_t mrti_update); void *allocate_memory(size_t size) { - void *ptr = malloc(size); + void *ptr = memalign(16, size); memset(ptr, 0x0, size); return ptr; }
@@ -97,19 +121,19 @@ int trigger_OOB_via_rw_t3t_act_handle_fmt_rsp(){ uint8_t peer_nfcid2[NCI_RF_F_UID_LEN]; uint8_t mrti_check = 1, mrti_update = 1; - if (rw_t3t_select(peer_nfcid2, mrti_check, mrti_update) != NFC_STATUS_OK) { - return EXIT_FAILURE; - } + enable_selective_overload = ENABLE_MEMALIGN_CHECK; + FAIL_CHECK(rw_t3t_select(peer_nfcid2, mrti_check, mrti_update) == NFC_STATUS_OK); p_data = (tNFC_CONN *) allocate_memory(sizeof(tNFC_CONN)); - if (!p_data) { - return EXIT_FAILURE; - } + FAIL_CHECK(p_data); + p_data->data.p_data = (NFC_HDR *) allocate_memory(sizeof(NFC_HDR) * 4); + enable_selective_overload = ENABLE_FREE_CHECK | ENABLE_REALLOC_CHECK; if (!(p_data->data.p_data)) { free(p_data); - return EXIT_FAILURE; + FAIL_CHECK(p_data->data.p_data); } + vulnPtr = (char *)p_data->data.p_data; p_data->status = NFC_STATUS_OK; p_t3t->cur_cmd = RW_T3T_CMD_FORMAT;
@@ -130,7 +154,9 @@ int trigger_OOB_via_rw_t3t_act_handle_fmt_rsp(){ tNFC_CONN_EVT event = NFC_DATA_CEVT; memcpy(p_t3t->peer_nfcid2, &p_t3t_rsp[T3T_MSG_RSP_OFFSET_IDM], NCI_NFCID2_LEN); + testInProgress = true; p_cb->p_cback(0, event, p_data); + testInProgress = false; return EXIT_SUCCESS; } 
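Review bot: `allocate_memory` now calls `memalign(16, size)` but still hands the result straight to `memset` before any caller can null-check it, so an allocation failure dereferences NULL inside this helper instead of reaching the `FAIL_CHECK(p_data)` that follows each call. Guard the fill: `if (ptr) { memset(ptr, 0x0, size); }`. Which allocator path `memalign` takes once `enable_selective_overload` is set is not visible in this hunk, so the helper should not assume the call succeeds.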
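Review bot: Inside the `if (!(p_data->data.p_data))` branch, the new `FAIL_CHECK(p_data->data.p_data)` evaluates `p_data->data.p_data` after `free(p_data)` on the preceding line, a use-after-free read; the same pattern is added in the `@@ -142,19 +168,19 @@` hunk of `trigger_OOB_via_rw_t3t_act_handle_sro_rsp`. Read the field before releasing the struct, e.g. `NFC_HDR *hdr = p_data->data.p_data; if (!hdr) { free(p_data); FAIL_CHECK(hdr); }`. Note also that `enable_selective_overload` is switched to `ENABLE_FREE_CHECK | ENABLE_REALLOC_CHECK` immediately before that `free`, so the cleanup free goes through the overloaded path; whether that is intended is not visible here and is worth a one-line comment. The enclosing function starts outside the hunk.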
@@ -142,19 +168,19 @@ int trigger_OOB_via_rw_t3t_act_handle_sro_rsp(){ uint8_t peer_nfcid2[NCI_RF_F_UID_LEN]; uint8_t mrti_check = 1, mrti_update = 1; - if (rw_t3t_select(peer_nfcid2, mrti_check, mrti_update) != NFC_STATUS_OK) { - return EXIT_FAILURE; - } + enable_selective_overload = ENABLE_MEMALIGN_CHECK; + FAIL_CHECK(rw_t3t_select(peer_nfcid2, mrti_check, mrti_update) == NFC_STATUS_OK); tNFC_CONN *p_data = (tNFC_CONN *) allocate_memory(sizeof(tNFC_CONN)); - if (!p_data) { - return EXIT_FAILURE; - } + FAIL_CHECK(p_data); + p_data->data.p_data = (NFC_HDR *) allocate_memory(sizeof(NFC_HDR) * 4); + enable_selective_overload = ENABLE_FREE_CHECK | ENABLE_REALLOC_CHECK; if (!(p_data->data.p_data)) { free(p_data); - return EXIT_FAILURE; + FAIL_CHECK(p_data->data.p_data); } + vulnPtr = (char *)p_data->data.p_data; p_data->status = NFC_STATUS_OK; p_t3t->cur_cmd = RW_T3T_CMD_SET_READ_ONLY_HARD;
@@ -174,12 +200,18 @@ int trigger_OOB_via_rw_t3t_act_handle_sro_rsp(){ tNFC_CONN_CB* p_cb = &nfc_cb.conn_cb[NFC_RF_CONN_ID]; tNFC_CONN_EVT event = NFC_DATA_CEVT; + testInProgress = true; p_cb->p_cback(0, event, p_data); + testInProgress = false; return EXIT_SUCCESS; } int main() { + sigemptyset(&new_action.sa_mask); + new_action.sa_flags = SA_SIGINFO; + new_action.sa_sigaction = sigsegv_handler; + sigaction(SIGSEGV, &new_action, &old_action); int ret = trigger_OOB_via_rw_t3t_act_handle_fmt_rsp(); ret |= trigger_OOB_via_rw_t3t_act_handle_sro_rsp(); return ret; |
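Review bot: The return value of `sigaction(SIGSEGV, &new_action, &old_action)` in `main` is not checked, so if installation fails the process silently keeps its previous disposition and a guard-page fault is then handled by whatever that was rather than by `sigsegv_handler`. The file already uses FAIL_CHECK for setup steps, so `FAIL_CHECK(sigaction(SIGSEGV, &new_action, &old_action) == 0);` keeps the failure mode consistent with the rest of the test. `new_action` is a file-scope object and therefore zero-initialized, which is why only `sa_mask`, `sa_flags` and `sa_sigaction` need setting here; a short comment saying so would save the next reader from looking for the missing initializer.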