author | Krishna C R <krishna.cr@ittiam.com> | 2021-09-21 11:48:16 +0530 |
---|---|---|
committer | Stacie Mashnitskaya <mashnitskaya@google.com> | 2021-10-07 19:22:51 -0700 |
commit | a94617501387412f8598e338caa90ed37aeed444 (patch) | |
tree | b439299dbdc3d2d709f262ba5c5adc25924b2cc1 | |
parent | 31ce0c22ab7ca16905d1c363adcaebb2bed686ad (diff) | |
download | cts-a94617501387412f8598e338caa90ed37aeed444.tar.gz |
Updated CTS test for Android Security b/120506143
Bug: 120506143
Bug: 126802712
Test: Ran the new testcase on android-9.0.0_r1 with/without patch
Change-Id: Ie209214fc238b11ff51902b7b571b5a2b1531c8e
-rw-r--r-- | hostsidetests/securitybulletin/securityPatch/CVE-2019-2022/Android.bp | 5 | ||||
-rw-r--r-- | hostsidetests/securitybulletin/securityPatch/CVE-2019-2022/poc.cpp | 61 |
2 files changed, 51 insertions, 15 deletions
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2022/Android.bp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2022/Android.bp
index 8d95e36bd56..2c21381b503 100644
--- a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2022/Android.bp
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2022/Android.bp
@@ -15,6 +15,10 @@
 *
 */
 
+package {
+ default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
 cc_test {
 name: "CVE-2019-2022",
 defaults: ["cts_hostsidetests_securitybulletin_defaults"],
@@ -34,5 +38,6 @@ cc_test {
 ],
 cflags: [
 "-DCHECK_OVERFLOW",
+ "-DENABLE_SELECTIVE_OVERLOADING",
 ],
 }
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2022/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2022/poc.cpp
index f2150857d61..b9252c5fd54 100644
--- a/hostsidetests/securitybulletin/securityPatch/CVE-2019-2022/poc.cpp
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2019-2022/poc.cpp
@@ -20,6 +20,29 @@
 #include <nfc_api.h>
 #include <tags_defs.h>
 #include <rw_int.h>
+#include <unistd.h>
+#include "../includes/common.h"
+#include "../includes/memutils.h"
+
+char enable_selective_overload = ENABLE_NONE;
+char *vulnPtr = nullptr;
+
+bool testInProgress = false;
+struct sigaction new_action, old_action;
+void sigsegv_handler(int signum, siginfo_t *info, void* context) {
+ if (testInProgress && info->si_signo == SIGSEGV) {
+ size_t pageSize = getpagesize();
+ if (pageSize) {
+ char *vulnPtrGuardPage = (char *) ((size_t) vulnPtr & PAGE_MASK) + pageSize;
+ char *faultPage = (char *) ((size_t) info->si_addr & PAGE_MASK);
+ if (faultPage == vulnPtrGuardPage) {
+ (*old_action.sa_sigaction)(signum, info, context);
+ return;
+ }
+ }
+ }
+ _exit(EXIT_FAILURE);
+}
 
 #define T3T_MSG_FELICALITE_MC_OFFSET 0x01
@@ -31,7 +54,7 @@ tNFC_STATUS rw_t3t_select(uint8_t peer_nfcid2[NCI_RF_F_UID_LEN], uint8_t mrti_check, uint8_t mrti_update); void *allocate_memory(size_t size) { - void *ptr = malloc(size); + void *ptr = memalign(16, size); memset(ptr, 0x0, size); return ptr; } @@ -104,19 +127,19 @@ int trigger_OOB_via_rw_t3t_act_handle_fmt_rsp(){ uint8_t peer_nfcid2[NCI_RF_F_UID_LEN]; uint8_t mrti_check = 1, mrti_update = 1; - if (rw_t3t_select(peer_nfcid2, mrti_check, mrti_update) != NFC_STATUS_OK) { - return EXIT_FAILURE; - } + enable_selective_overload = ENABLE_MEMALIGN_CHECK; + FAIL_CHECK(rw_t3t_select(peer_nfcid2, mrti_check, mrti_update) == NFC_STATUS_OK); p_data = (tNFC_CONN *) allocate_memory(sizeof(tNFC_CONN)); - if (!p_data) { - return EXIT_FAILURE; - } + FAIL_CHECK(p_data); + p_data->data.p_data = (NFC_HDR *) allocate_memory(sizeof(NFC_HDR) * 4); + enable_selective_overload = ENABLE_FREE_CHECK | ENABLE_REALLOC_CHECK; if (!(p_data->data.p_data)) { free(p_data); - return EXIT_FAILURE; + FAIL_CHECK(p_data->data.p_data); } + vulnPtr = (char *)p_data->data.p_data; p_data->status = NFC_STATUS_OK; p_t3t->cur_cmd = RW_T3T_CMD_FORMAT; @@ -137,7 +160,9 @@ int trigger_OOB_via_rw_t3t_act_handle_fmt_rsp(){ tNFC_CONN_EVT event = NFC_DATA_CEVT; memcpy(p_t3t->peer_nfcid2, &p_t3t_rsp[T3T_MSG_RSP_OFFSET_IDM], NCI_NFCID2_LEN); + testInProgress = true; p_cb->p_cback(0, event, p_data); + testInProgress = false; free(p_data->data.p_data); free(p_data); return EXIT_SUCCESS; 
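Review bot: In the `if (!(p_data->data.p_data))` branch of trigger_OOB_via_rw_t3t_act_handle_fmt_rsp, the new `FAIL_CHECK(p_data->data.p_data);` runs after `free(p_data);`, so it reads a field of a struct that has just been released (assuming FAIL_CHECK from ../includes/common.h evaluates its argument, as its other two uses in this hunk imply). The read is also pointless, since the branch is only entered when that field is null, so the check can never pass. Capture the pointer before releasing the outer struct, e.g. `NFC_HDR *p_hdr = p_data->data.p_data;` / `if (!p_hdr) free(p_data);` / `FAIL_CHECK(p_hdr);`, or keep the original `return EXIT_FAILURE;` after the free. The same pattern is repeated in trigger_OOB_via_rw_t3t_act_handle_sro_rsp in the next hunk. Both enclosing functions continue outside these hunks.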
@@ -152,19 +177,19 @@ int trigger_OOB_via_rw_t3t_act_handle_sro_rsp(){ uint8_t peer_nfcid2[NCI_RF_F_UID_LEN]; uint8_t mrti_check = 1, mrti_update = 1; - if (rw_t3t_select(peer_nfcid2, mrti_check, mrti_update) != NFC_STATUS_OK) { - return EXIT_FAILURE; - } + enable_selective_overload = ENABLE_MEMALIGN_CHECK; + FAIL_CHECK(rw_t3t_select(peer_nfcid2, mrti_check, mrti_update) == NFC_STATUS_OK); tNFC_CONN *p_data = (tNFC_CONN *) allocate_memory(sizeof(tNFC_CONN)); - if (!p_data) { - return EXIT_FAILURE; - } + FAIL_CHECK(p_data); + p_data->data.p_data = (NFC_HDR *) allocate_memory(sizeof(NFC_HDR) * 4); + enable_selective_overload = ENABLE_FREE_CHECK | ENABLE_REALLOC_CHECK; if (!(p_data->data.p_data)) { free(p_data); - return EXIT_FAILURE; + FAIL_CHECK(p_data->data.p_data); } + vulnPtr = (char *)p_data->data.p_data; p_data->status = NFC_STATUS_OK; p_t3t->cur_cmd = RW_T3T_CMD_SET_READ_ONLY_HARD; @@ -184,13 +209,19 @@ int trigger_OOB_via_rw_t3t_act_handle_sro_rsp(){ tNFC_CONN_CB* p_cb = &nfc_cb.conn_cb[NFC_RF_CONN_ID]; tNFC_CONN_EVT event = NFC_DATA_CEVT; + testInProgress = true; p_cb->p_cback(0, event, p_data); + testInProgress = false; free(p_data->data.p_data); free(p_data); return EXIT_SUCCESS; } int main() { + sigemptyset(&new_action.sa_mask); + new_action.sa_flags = SA_SIGINFO; + new_action.sa_sigaction = sigsegv_handler; + sigaction(SIGSEGV, &new_action, &old_action); int ret = trigger_OOB_via_rw_t3t_act_handle_fmt_rsp(); ret |= trigger_OOB_via_rw_t3t_act_handle_sro_rsp(); return ret; |