Merge pull request #82 from Fuzion24/feature/cve-2015-1528

Add check for CVE-2015-1528

Author: Fuzion24

app/src/main/java/fuzion24/device/vulnerability/vulnerabilities/VulnerabilityOrganizer.java

@@ -23,6 +23,7 @@
 import fuzion24.device.vulnerability.vulnerabilities.kernel.CVE_2014_3153;
 import fuzion24.device.vulnerability.vulnerabilities.kernel.CVE_2014_4943;
 import fuzion24.device.vulnerability.vulnerabilities.kernel.CVE_2015_3636;
+import fuzion24.device.vulnerability.vulnerabilities.system.CVE20151528;
 import fuzion24.device.vulnerability.vulnerabilities.system.SamsungCREDzip;
 
 public class VulnerabilityOrganizer {
@@ -50,6 +51,7 @@ public static List<VulnerabilityTest> getTests(Context ctx){
         //tests.add(new ZergRush()); // Hide super old bugs?
         allTests.add(new SamsungCREDzip());
         allTests.add(new CVE_2015_6608());
+        allTests.add(new CVE20151528());
 
         List<VulnerabilityTest> filteredTest = new ArrayList<VulnerabilityTest>();
         String cpuArch1 = SystemUtils.propertyGet(ctx, "ro.product.cpu.abi");

app/src/main/java/fuzion24/device/vulnerability/vulnerabilities/system/CVE20151528.java

@@ -0,0 +1,53 @@
+package fuzion24.device.vulnerability.vulnerabilities.system;
+
+import android.content.Context;
+import android.util.Log;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import fuzion24.device.vulnerability.util.CPUArch;
+import fuzion24.device.vulnerability.vulnerabilities.VulnerabilityTest;
+
+/**
+ * Created by fuzion24 on 11/23/15.
+ */
+public class CVE20151528 implements VulnerabilityTest {
+
+    private final static String TAG = "CVE-2015-1528";
+
+    static {
+        System.loadLibrary("cve20151528");
+    }
+
+    @Override
+    public String getCVEorID() {
+        return "CVE-2015-1528";
+    }
+
+    private native int doCheck();
+
+    @Override
+    public boolean isVulnerable(Context context) throws Exception {
+        int checkVal = doCheck();
+
+        if(checkVal == 0) {
+            return false;
+        }else if(checkVal == 1) {
+            return true;
+        }else {
+            Log.d(TAG, "Got a return value of " + checkVal);
+            //TODO: grab more information about failure, errno and error string
+            throw new Exception("Error running test");
+        }
+    }
+
+    @Override
+    public List<CPUArch> getSupportedArchitectures() {
+        List<CPUArch> supportedArchs = new ArrayList<>();
+        supportedArchs.add(CPUArch.ARM);
+        supportedArchs.add(CPUArch.ARM7);
+        supportedArchs.add(CPUArch.X86);
+        return supportedArchs;
+    }
+}

app/src/main/jni/Android.mk

@@ -168,6 +168,30 @@ LOCAL_C_INCLUDES := $(LOCAL_PATH)/include/
 include $(BUILD_EXECUTABLE)
 ################################
 
+
+################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE    := cve20151528
+LOCAL_SRC_FILES := cve20151528.c
+LOCAL_LDFLAGS   := -llog
+LOCAL_C_INCLUDES := $(LOCAL_PATH)/include/
+
+include $(BUILD_SHARED_LIBRARY)
+################################
+
+################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE    := cve20151528check
+LOCAL_SRC_FILES := cve20151528.c
+LOCAL_CFLAGS    := -fpie -pie
+LOCAL_LDFLAGS   := -pie -llog
+LOCAL_C_INCLUDES := $(LOCAL_PATH)/include/
+
+include $(BUILD_EXECUTABLE)
+################################
+
 ################################
 include $(CLEAR_VARS)
 

app/src/main/jni/Application.mk

@@ -2,7 +2,7 @@ LOCAL_PATH := $(call my-dir)
 
 include $(CLEAR_VARS)
 
-APP_ABI := armeabi armeabi-v7a
+APP_ABI := armeabi armeabi-v7a x86
 
 LOCAL_EXPORT_C_INCLUDE_DIRS := $(LOCAL_PATH)/include
 LOCAL_C_INCLUDES := $(LOCAL_PATH)/include-all

app/src/main/jni/cve20151528.c

@@ -0,0 +1,89 @@
+#include <dlfcn.h>
+#include <errno.h>
+#include <limits.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <jni.h>
+#include <android/log.h>
+
+//#include <cutils/native_handle.h>
+
+#define LOG_TAG "CVE_2015_1528"
+#define LOG_D(...) do{ __android_log_print( ANDROID_LOG_DEBUG, LOG_TAG, __VA_ARGS__); printf( __VA_ARGS__ ); }while( 0 )
+
+
+int Check_CVE_2015_1528()
+{
+    const char *libname = "libcutils.so";
+    size_t * ( *native_handle_create )( int numFds, int numInts ) = NULL;
+
+    void *handle = dlopen( libname, RTLD_NOW | RTLD_GLOBAL );
+    if( !handle )
+    {
+        printf( "error opening %s: %s\n", libname, dlerror() );
+        return -1;
+    }
+
+    native_handle_create = dlsym( handle, "native_handle_create" );
+    if( !native_handle_create )
+    {
+        printf( "missing native_handle_create\n" );
+        return -2;
+    }
+
+    int ret = -3;
+
+    int numFds = 1025;
+    int numInts = 1;
+    size_t *bla = native_handle_create( numFds, numInts );
+    if( !bla )
+    {
+        // fixed
+        printf( "looks fixed to me\n" );
+        ret = 0;
+        goto done;
+    }
+
+    // sanity checks
+    switch(bla[0])// version
+    {
+    case 12://android wear 5.0.2 LWX49K
+        if( bla[1] != numFds || bla[2] != numInts )
+        {
+            LOG_D( "got back unexpected values\n" );
+        }
+        else
+        {
+            LOG_D( "its vulnerable\n" );
+            return 1;
+        }
+        break;
+    default:
+        LOG_D( "failed.  version %d  %d %d\n", bla[0], bla[1], bla[2] );
+        break;
+    }
+
+
+done:
+    // done with this
+    dlclose( handle );
+
+    // should be allocated with malloc
+    //! if its already null, then free does nothing
+    free( bla );
+
+    return ret;
+}
+
+
+JNIEXPORT jint JNICALL Java_fuzion24_device_vulnerability_vulnerabilities_system_CVE20151528_doCheck(JNIEnv *env, jobject obj)
+{
+    return Check_CVE_2015_1528();
+}
+
+
+int main( int argc, char *argv[] )
+{
+    return Check_CVE_2015_1528();
+}