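/*
 * Copyright (C) 2021 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at:
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 */

/*
 * Regression harness: hands a one-byte packet, allocated with a 16-byte
 * memalign() buffer, to Mfc_RecvPacket(). While the call is in progress a
 * SIGSEGV on the page directly below the buffer's page is forwarded to the
 * signal disposition that was installed before main() ran (presumably the
 * one from memutils); any other fault ends the process with EXIT_FAILURE.
 */
/* memalign(); NOTE(review): the original <...> header name was lost in
 * extraction, <malloc.h> is the header that declares memalign() — confirm. */
#include <malloc.h>
#include "phNxpExtns_MifareStd.h"
#include "../includes/common.h"
#include "../includes/memutils.h"

/* Selects which allocator entry points the memutils overloads check
 * (ENABLE_* flags come from memutils.h). */
char enable_selective_overload = ENABLE_NONE;
/* The buffer passed to Mfc_RecvPacket(); the handler derives the guard
 * page address from it. */
char *vulnPtr = nullptr;
/* Set only around the Mfc_RecvPacket() call so that faults raised anywhere
 * else are treated as harness failures rather than findings. */
bool testInProgress = false;
/* new_action is installed in main(); old_action keeps the prior SIGSEGV
 * disposition so guard-page faults can be handed back to it. */
struct sigaction new_action, old_action;

/*
 * SIGSEGV handler.
 *
 * A fault on the page immediately below vulnPtr's page, raised while the
 * test is in progress, is passed on to old_action. The previous disposition
 * is only called through sa_sigaction when it was itself registered with
 * SA_SIGINFO; a plain handler is called through sa_handler, and SIG_DFL is
 * reinstalled so the faulting instruction re-executes under the default
 * action. Anything else (unexpected fault, SIG_IGN, failed reinstall)
 * terminates the process with EXIT_FAILURE. Only async-signal-safe calls
 * are made here.
 */
void sigsegv_handler(int signum, siginfo_t *info, void *context) {
    if (testInProgress && info->si_signo == SIGSEGV) {
        size_t pageSize = (size_t) getpagesize();
        if (pageSize) {
            char *vulnPtrGuardPage = (char *) ((size_t) vulnPtr & PAGE_MASK) - pageSize;
            char *faultPage = (char *) ((size_t) info->si_addr & PAGE_MASK);
            if (faultPage == vulnPtrGuardPage) {
                if (old_action.sa_flags & SA_SIGINFO) {
                    (*old_action.sa_sigaction)(signum, info, context);
                    return;
                }
                if (old_action.sa_handler != SIG_DFL && old_action.sa_handler != SIG_IGN) {
                    (*old_action.sa_handler)(signum);
                    return;
                }
                /* SIG_DFL: restore it and return; the faulting instruction
                 * re-executes and the default action takes over. */
                if (old_action.sa_handler == SIG_DFL &&
                    sigaction(SIGSEGV, &old_action, nullptr) == 0) {
                    return;
                }
            }
        }
    }
    _exit(EXIT_FAILURE);
}

/* Stub so the library under test reports NCI 2.0 without a real NFC stack. */
uint8_t NFC_GetNCIVersion() {
    return NCI_VERSION_2_0;
}

/*
 * Entry point. Installs sigsegv_handler (keeping the prior disposition in
 * old_action), allocates the 16-byte packet buffer through the checked
 * memalign() overload, then switches the overloads to watch free()/realloc()
 * for the remainder of the run.
 *
 * Returns EXIT_SUCCESS when Mfc_RecvPacket() returns normally, EXIT_FAILURE
 * when the handler cannot be installed; FAIL_CHECK() decides the outcome of
 * a failed allocation.
 */
int main() {
    sigemptyset(&new_action.sa_mask);
    new_action.sa_flags = SA_SIGINFO;
    new_action.sa_sigaction = sigsegv_handler;
    /* Without the handler a guard-page hit could not be told apart from any
     * other crash, so refuse to run rather than report a misleading result. */
    if (sigaction(SIGSEGV, &new_action, &old_action) != 0) {
        return EXIT_FAILURE;
    }

    /* Only this memalign() goes through the checked allocator; the flags are
     * switched before FAIL_CHECK so later free()/realloc() calls are watched. */
    enable_selective_overload = ENABLE_MEMALIGN_CHECK;
    uint8_t *buffer = (uint8_t *) memalign(16, 16 * sizeof(uint8_t));
    enable_selective_overload = ENABLE_FREE_CHECK | ENABLE_REALLOC_CHECK;
    FAIL_CHECK(buffer);
    vulnPtr = (char *) buffer;

    /* Deliberately a one-byte packet: only buffer[0] is initialised and the
     * declared length is 1 even though 16 bytes were allocated. */
    uint8_t bufferSize = 1;
    buffer[0] = 0x10;
    phNxpExtns_MfcModuleInit();

    testInProgress = true;
    Mfc_RecvPacket(buffer, bufferSize);
    testInProgress = false;

    free(buffer);
    return EXIT_SUCCESS;
}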