xref: /aosp_15_r20/cts/hostsidetests/securitybulletin/securityPatch/CVE-2023-21085/poc.cpp (revision b7c941bb3fa97aba169d73cee0bed2de8ac964bf) 
1 /*
2  * Copyright (C) 2024 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #include <dlfcn.h>
18 #include <stdlib.h>
19 
20 #include "../includes/common.h"
21 #include "../includes/memutils.h"
22 #include "nci_hmsgs.h"
23 
24 #define BUFFER_SIZE 16
25 #define OVERFLOWED_VALUE 2
26 
27 char enable_selective_overload = ENABLE_NONE;
28 
29 static void (*real_GKI_freebuf)(void *ptr) = nullptr;
30 static void *(*real_GKI_getpoolbuf)(uint8_t pool_id) = nullptr;
31 char *buffer = nullptr;
32 
init(void)33 void init(void) {
34     real_GKI_freebuf = (void (*)(void *))dlsym(RTLD_NEXT, "_Z11GKI_freebufPv");
35     real_GKI_getpoolbuf = (void *(*)(uint8_t))dlsym(RTLD_NEXT, "_Z14GKI_getpoolbufh");
36     FAIL_CHECK(real_GKI_freebuf);
37     FAIL_CHECK(real_GKI_getpoolbuf);
38 }
39 
GKI_getpoolbuf(uint8_t pool_id)40 void *GKI_getpoolbuf(uint8_t pool_id) {
41     if (pool_id == OVERFLOWED_VALUE) {
42         buffer = (char *)malloc(BUFFER_SIZE);
43         return (void *)(buffer + BUFFER_SIZE - OVERFLOWED_VALUE);
44     }
45     return real_GKI_getpoolbuf(pool_id);
46 }
47 
GKI_freebuf(void * ptr)48 void GKI_freebuf(void *ptr) {
49     if (buffer) {
50         if (ptr == (void *)(buffer + BUFFER_SIZE - OVERFLOWED_VALUE)) {
51             free(buffer);
52             buffer = nullptr;
53             return;
54         }
55     }
56     real_GKI_freebuf(ptr);
57 }
58 
main()59 int main() {
60     uint8_t p_param_tlvs[UINT8_MAX];
61 
62     // tlv_size is set to UINT8_MAX which leads to an integer overflow. The fix returns if the
63     // integer oveflow is observed. Without fix, a buffer of size 2 (which is less than required)
64     // gets allocated. This leads to a OOB access in nci_snd_set_routing_cmd and a SIG_SEGV occurs
65     // which leads to test failure.
66     init();
67     enable_selective_overload = ENABLE_ALL;
68     nci_snd_set_routing_cmd(false /* more */, 0 /* num_tlv */, UINT8_MAX, p_param_tlvs);
69     enable_selective_overload = ENABLE_FREE_CHECK | ENABLE_REALLOC_CHECK;
70     return EXIT_SUCCESS;
71 }
72