1 /*
2  * Copyright (C) 2021 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at:
7  *
8  * http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  *
16  */
17 
18 #include <unistd.h>
19 #include "phNxpExtns_MifareStd.h"
20 #include "../includes/common.h"
21 #include "../includes/memutils.h"
22 
// Signal dispositions: new_action is what main() installs for SIGSEGV,
// old_action receives whatever was installed before so the handler can
// hand a matching fault back to it.
struct sigaction new_action;
struct sigaction old_action;

// Set only around the call under test, so the handler can tell a fault
// raised by that call from a fault anywhere else in the harness.
bool testInProgress = false;

// Start of the buffer passed to the call under test; the handler derives
// the page it treats as the guard page from this address.
char *vulnPtr = nullptr;

// Bit flags written by main() around its allocator calls.
// NOTE(review): presumably read by the allocator overloads in memutils.h to
// decide which calls get instrumented; confirm against that header.
char enable_selective_overload = ENABLE_NONE;
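/*
 * SIGSEGV handler that decides whether a fault counts as the detection this
 * test is looking for.
 *
 * A fault is accepted only when testInProgress is set and the faulting
 * address lies in the page directly below the page that holds vulnPtr. An
 * accepted fault is handed back to the disposition that was in place before
 * main() installed this handler, so the process still ends in a SIGSEGV.
 * Any other delivery terminates the process with EXIT_FAILURE, which keeps
 * unrelated crashes from being reported as a detection.
 *
 * NOTE(review): the page below vulnPtr is presumably the guard page placed
 * by the memutils allocator overloads; confirm against memutils.h.
 * NOTE(review): PAGE_MASK is a compile-time constant while pageSize is read
 * at run time; the comparison is only meaningful when the two agree.
 *
 * signum, info, context: the standard SA_SIGINFO handler arguments; they are
 * forwarded unchanged to the previous handler.
 */
void sigsegv_handler(int signum, siginfo_t *info, void* context) {
    if (testInProgress && info->si_signo == SIGSEGV) {
        size_t pageSize = getpagesize();
        if (pageSize) {
            char *vulnPtrGuardPage = (char *) ((size_t) vulnPtr & PAGE_MASK) - pageSize;
            char *faultPage = (char *) ((size_t) info->si_addr & PAGE_MASK);
            if (faultPage == vulnPtrGuardPage) {
                // Only call the saved handler when it really is a three-argument
                // SA_SIGINFO handler. SIG_DFL, SIG_IGN and one-argument handlers
                // share storage with sa_sigaction and must not be invoked
                // through it.
                if ((old_action.sa_flags & SA_SIGINFO) && old_action.sa_sigaction) {
                    (*old_action.sa_sigaction)(signum, info, context);
                    return;
                }
                // Otherwise put the previous disposition back and return: the
                // faulting access runs again and is handled by that disposition.
                if (sigaction(SIGSEGV, &old_action, nullptr) == 0) {
                    return;
                }
                // Restoring failed; fall through and exit rather than loop on
                // the same fault.
            }
        }
    }
    // _exit is async-signal-safe, unlike exit().
    _exit(EXIT_FAILURE);
}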
/*
 * Local definition of NFC_GetNCIVersion() for this test binary.
 * Always reports NCI_VERSION_2_0.
 * NOTE(review): presumably satisfies a symbol the Mifare extension code
 * links against; confirm against the library sources.
 */
uint8_t NFC_GetNCIVersion() {
    const uint8_t nciVersion = NCI_VERSION_2_0;
    return nciVersion;
}
44 
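/*
 * Test driver: installs the SIGSEGV classifier, allocates a 16-byte buffer,
 * and passes its first byte (0x10) with a length of 1 to Mfc_RecvPacket().
 *
 * Returns EXIT_SUCCESS when the call completes without the handler exiting
 * the process, and EXIT_FAILURE when the handler cannot be installed. A
 * missing handler would leave every crash unclassified, so the run is
 * abandoned instead of producing an unreliable verdict.
 */
int main() {
    sigemptyset(&new_action.sa_mask);
    new_action.sa_flags = SA_SIGINFO;
    new_action.sa_sigaction = sigsegv_handler;
    // old_action receives the previous disposition, which the handler later
    // uses to hand a matching fault back.
    if (sigaction(SIGSEGV, &new_action, &old_action) != 0) {
        return EXIT_FAILURE;
    }

    // The flag is switched around the allocation on purpose; keep this order.
    // NOTE(review): presumably only the memalign overload is instrumented for
    // the allocation itself, and the free/realloc overloads afterwards;
    // confirm against memutils.h.
    enable_selective_overload = ENABLE_MEMALIGN_CHECK;
    uint8_t *buffer = (uint8_t*) memalign(16, 16 * sizeof(uint8_t));
    enable_selective_overload = ENABLE_FREE_CHECK | ENABLE_REALLOC_CHECK;
    FAIL_CHECK(buffer);

    // The handler compares fault addresses against the page below this pointer.
    vulnPtr = (char *) buffer;
    uint8_t bufferSize = 1;
    buffer[0] = 0x10;
    phNxpExtns_MfcModuleInit();

    // Only faults raised inside this window are candidates for a detection.
    testInProgress = true;
    Mfc_RecvPacket(buffer, bufferSize);
    testInProgress = false;

    free(buffer);
    return EXIT_SUCCESS;
}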