Add check for CVE-2015-1528

Fuzion24 · Fuzion24 · commit 5d5974a2aadc · 2015-11-23T16:30:19.000-05:00
diff --git a/app/src/main/java/fuzion24/device/vulnerability/vulnerabilities/VulnerabilityOrganizer.java b/app/src/main/java/fuzion24/device/vulnerability/vulnerabilities/VulnerabilityOrganizer.java
@@ -23,6 +23,7 @@
 import fuzion24.device.vulnerability.vulnerabilities.kernel.CVE_2014_3153;
 import fuzion24.device.vulnerability.vulnerabilities.kernel.CVE_2014_4943;
 import fuzion24.device.vulnerability.vulnerabilities.kernel.CVE_2015_3636;
+import fuzion24.device.vulnerability.vulnerabilities.system.CVE20151258;
 import fuzion24.device.vulnerability.vulnerabilities.system.SamsungCREDzip;
 
 public class VulnerabilityOrganizer {
@@ -50,6 +51,7 @@ public static List<VulnerabilityTest> getTests(Context ctx){
         //tests.add(new ZergRush()); // Hide super old bugs?
         allTests.add(new SamsungCREDzip());
         allTests.add(new CVE_2015_6608());
+        allTests.add(new CVE20151258());
 
         List<VulnerabilityTest> filteredTest = new ArrayList<VulnerabilityTest>();
         String cpuArch1 = SystemUtils.propertyGet(ctx, "ro.product.cpu.abi");
diff --git a/app/src/main/java/fuzion24/device/vulnerability/vulnerabilities/system/CVE20151258.java b/app/src/main/java/fuzion24/device/vulnerability/vulnerabilities/system/CVE20151258.java
@@ -0,0 +1,49 @@
+package fuzion24.device.vulnerability.vulnerabilities.system;
+
+import android.content.Context;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import fuzion24.device.vulnerability.util.CPUArch;
+import fuzion24.device.vulnerability.vulnerabilities.VulnerabilityTest;
+
+/**
+ * Created by fuzion24 on 11/23/15.
+ */
+public class CVE20151528 implements VulnerabilityTest {
+
+    static {
+        System.loadLibrary("cve20151528");
+    }
+
+
+    @Override
+    public String getCVEorID() {
+        return "CVE-2015-1528";
+    }
+
+    private native int doCheck();
+
+    @Override
+    public boolean isVulnerable(Context context) throws Exception {
+        int checkVal = doCheck();
+
+        if(checkVal == 0) {
+            return false;
+        }else if(checkVal == 1) {
+            return true;
+        }else {
+            //TODO: grab more information about failure, errno and error string
+            throw new Exception("Error running test");
+        }
+    }
+
+    @Override
+    public List<CPUArch> getSupportedArchitectures() {
+        List<CPUArch> supportedArchs = new ArrayList<>();
+        supportedArchs.add(CPUArch.ARM);
+        supportedArchs.add(CPUArch.ARM7);
+        return supportedArchs;
+    }
+}
diff --git a/app/src/main/jni/Android.mk b/app/src/main/jni/Android.mk
@@ -168,6 +168,17 @@ LOCAL_C_INCLUDES := $(LOCAL_PATH)/include/
 include $(BUILD_EXECUTABLE)
 ################################
 
+
+################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE    := cve20151528
+LOCAL_SRC_FILES := cve20151528.c
+LOCAL_C_INCLUDES := $(LOCAL_PATH)/include/
+
+include $(BUILD_SHARED_LIBRARY)
+################################
+
 ################################
 include $(CLEAR_VARS)
 
diff --git a/app/src/main/jni/cve20151528.c b/app/src/main/jni/cve20151528.c
@@ -0,0 +1,86 @@
+#include <dlfcn.h>
+#include <errno.h>
+#include <limits.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <jni.h>
+#include <android/log.h>
+
+//#include <cutils/native_handle.h>
+
+
+
+int Check_CVE_2015_1528()
+{
+    const char *libname = "libcutils.so";
+    size_t * ( *native_handle_create )( int numFds, int numInts ) = NULL;
+
+    void *handle = dlopen( libname, RTLD_NOW | RTLD_GLOBAL );
+    if( !handle )
+    {
+        printf( "error opening %s: %s\n", libname, dlerror() );
+        return -1;
+    }
+
+    native_handle_create = dlsym( handle, "native_handle_create" );
+    if( !native_handle_create )
+    {
+        printf( "missing native_handle_create\n" );
+        return -1;
+    }
+
+    int ret = -1;
+
+    int numFds = 1025;
+    int numInts = 1;
+    size_t *bla = native_handle_create( numFds, numInts );
+    if( !bla )
+    {
+        // fixed
+        printf( "looks fixed to me\n" );
+        ret = 0;
+        goto done;
+    }
+
+    // sanity checks
+    switch(bla[0])// version
+    {
+    case 12://android wear 5.0.2 LWX49K
+        if( bla[1] != numFds || bla[2] != numInts )
+        {
+            printf( "got back unexpected values\n" );
+        }
+        else
+        {
+            printf( "its vulnerable\n" );
+        }
+        break;
+    default:
+        printf( "failed.  version %d  %d %d\n", bla[0], bla[1], bla[2] );
+        break;
+    }
+
+
+done:
+    // done with this
+    dlclose( handle );
+
+    // should be allocated with malloc
+    //! if its already null, then free does nothing
+    free( bla );
+
+    return ret;
+}
+
+
+JNIEXPORT jint JNICALL Java_fuzion24_device_vulnerability_vulnerabilities_system_CVE20151258_doCheck(JNIEnv *env, jobject obj)
+{
+    return Check_CVE_2015_1528();
+}
+
+
+int main( int argc, char *argv[] )
+{
+    return Check_CVE_2015_1528();
+}
