Added CVE-2016-0808

app/src/main/assets/vuln_map.json

@@ -1,4 +1,18 @@
 {
+  "CVE-2016-0808": {
+    "cve": "CVE-2016-0808",
+    "altnames": [],
+    "description": "This vulnerability is what is known as a denial-of-service which gives a malicious application or individual the ability to cause continuous rebooting",
+    "impact": "Continuous reboot",
+    "external_links": [
+      "https://android.googlesource.com/platform/frameworks/minikin/+/ed4c8d79153baab7f26562afb8930652dfbf853b"
+    ],
+    "patch": [
+      "https://android.googlesource.com/platform/frameworks/minikin/+/ed4c8d79153baab7f26562afb8930652dfbf853b%5E%21/#F0"
+    ],
+    "cvssv2": 4.9,
+    "cvedate": "02/01/2016"
+  },
   "CVE-2015-3636": {
     "cve": "CVE-2015-3636",
     "altnames": [
@@ -531,5 +545,56 @@
              "https://android.googlesource.com/platform%2Fexternal%2Flibavc/+/2ee0c1bced131ffb06d1b430b08a202cd3a52005"
     ],
     "cvedate": "10/12/2015"
+
+  },
+  "CVE-2009-1185": {
+    "cve": "CVE-2009-1185",
+    "altnames": [],
+    "description": "This vulnerability is known as a privilege escalation vulnerability which gives a malicious application or individual the ability to obtain complete access to a vulnerable device. The specific vulnerability resides in a flaw in udev where it does not properly validate the origin of certain messages.",
+    "impact": "Local privilege escalation to kernel/root from an unprivileged app",
+    "external_links": [],
+    "cvssv2": 7.2,
+    "patch": [],
+    "cvedate": "04/17/2009"
+  },
+  "CVE-2012-6422": {
+    "cve": "CVE-2012-6422",
+    "altnames": [],
+    "description": "This vulnerability primarily impacts Samsung Galaxy S2 and S2 Note devices however other devices using an Exynos model 4210 and 4412 processors may also be affected. The vulnerability would allow an attacker or malicious application the ability to gain privileges on the device.",
+    "impact": "Local privilege escalation to kernel/root from an unprivileged app",
+    "external_links": [],
+    "cvssv2": 9.3,
+    "patch": [],
+    "cvedate": "12/17/2012"
+  },
+  "CVE-2011-1350": {
+    "cve": "CVE-2011-1350",
+    "altnames": [],
+    "description": "This vulnerability may allow a malicious application or attacker the ability to retrieve potentially sensitive information from an impacted device’s memory.",
+    "impact": "Local privilege escalation to kernel/root from an unprivileged app",
+    "external_links": [],
+    "cvssv2": 7.1,
+    "patch": [],
+    "cvedate": "02/05/2013"
+  },
+  "CVE-2012-0056": {
+    "cve": "CVE-2012-0056",
+    "altnames": [],
+    "description": "This vulnerability is known as a privilege escalation vulnerability which a gives a malicious application or individual that ability to obtain complete access to a vulnerable device. Note that if your device is running a version of Android that has ALSR enabled (4.1 and above) exploitation of this vulnerability is mitigated.",
+    "impact": "Local privilege escalation to kernel/root from an unprivileged app",
+    "external_links": [],
+    "cvssv2": 6.9,
+    "patch": [],
+    "cvedate": "01/27/2012"
+  },
+  "CVE-2009-2692": {
+    "cve": "CVE-2009-2692",
+    "altnames": [],
+    "description": "This vulnerability is known as a privilege escalation vulnerability which a gives a malicious application or individual that ability to obtain complete access to a vulnerable device.",
+    "impact": "Local privilege escalation to kernel/root from an unprivileged app",
+    "external_links": [],
+    "cvssv2": 7.2,
+    "patch": [],
+    "cvedate": "08/14/2009"
   }
 }

app/src/main/java/fuzion24/device/vulnerability/vulnerabilities/VulnerabilityOrganizer.java

@@ -8,6 +8,7 @@
 import java.util.List;
 
 import fuzion24.device.vulnerability.util.CPUArch;
+import fuzion24.device.vulnerability.vulnerabilities.framework.graphics.CVE_2016_0808;
 import fuzion24.device.vulnerability.vulnerabilities.framework.graphics.GraphicBufferTest;
 import fuzion24.device.vulnerability.vulnerabilities.framework.media.CVE_2015_6602;
 import fuzion24.device.vulnerability.vulnerabilities.framework.media.CVE_2015_6608;
@@ -33,7 +34,10 @@ public class VulnerabilityOrganizer {
 
     //TODO: Maybe add dates to each of these and sort chronologically
     public static List<VulnerabilityTest> getTests(Context ctx){
+
         List<VulnerabilityTest> allTests = new ArrayList<>();
+
+        allTests.add(new CVE_2016_0808());
         allTests.add(new ZipBug9950697());
         allTests.add(new ZipBug8219321());
         allTests.add(new ZipBug9695860());

app/src/main/java/fuzion24/device/vulnerability/vulnerabilities/framework/graphics/CVE_2016_0808.java

@@ -0,0 +1,45 @@
+package fuzion24.device.vulnerability.vulnerabilities.framework.graphics;
+
+import android.content.Context;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import fuzion24.device.vulnerability.util.CPUArch;
+import fuzion24.device.vulnerability.vulnerabilities.VulnerabilityTest;
+
+/**
+ * Created by kg on 09/03/16.
+ */
+public class CVE_2016_0808 implements VulnerabilityTest{
+    static {
+        System.loadLibrary("cve-2016-0808");
+    }
+
+    @Override
+    public String getCVEorID() {
+        return "CVE-2016-0808";
+    }
+
+    @Override
+    public boolean isVulnerable(Context context) throws Exception {
+        int checkVal = checkCVE20160808();
+        if(checkVal == 0) {
+            return false;
+        }else if(checkVal == 1) {
+            return true;
+        }else {
+            throw new Exception("Error running test");
+        }
+    }
+
+    @Override
+    public List<CPUArch> getSupportedArchitectures() {
+        ArrayList<CPUArch> archs = new ArrayList<CPUArch>();
+        archs.add(CPUArch.ARM7);
+        archs.add(CPUArch.ARM);
+        return archs;
+    }
+
+    private native int checkCVE20160808();
+}

app/src/main/jni/Android.mk

@@ -227,3 +227,23 @@ LOCAL_C_INCLUDES := $(LOCAL_PATH)/include/
 
 include $(BUILD_EXECUTABLE)
 ################################
+
+################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE    := cve-2016-0808
+LOCAL_SRC_FILES := cve20160808.c
+
+include $(BUILD_SHARED_LIBRARY)
+################################
+
+################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE    := cve-2016-0808check
+LOCAL_SRC_FILES := cve20160808.c
+
+include $(BUILD_EXECUTABLE)
+################################
+
+

app/src/main/jni/cve20160808.c

@@ -0,0 +1,67 @@
+#include <jni.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <android/log.h>
+
+/*
+	When user loads a third-party ttf font:
+	in frameworks/minikin/CmapCoverage.cpp::getCoverageFormat12
+	if nGroups >= 0xfffffff0 / kGroupSize, then the ttf font will
+	cause continuous rebooting
+*/
+
+int checkIsVulnerable(){
+	FILE *file;
+	long size;
+	uint8_t *buffer;
+	int result;
+
+
+	file = fopen("/system/lib/libminikin.so", "rb");
+
+	if(file == NULL){
+		// Before 5.0, libminikin didn't exist
+		// Hence, not vulnerable
+		result = 0;
+		goto done;	
+	}
+
+	fseek(file, 0, SEEK_END);
+	size = ftell(file);
+	rewind(file);
+
+	buffer = (uint8_t *)malloc(sizeof(char)*size);
+
+	fread(buffer, 1, size, file);
+
+	/*
+	 kGroupSize = 12
+	 const size_t kMaxNGroups = 0xfffffff0 / kGroupSize ~ 0x15555553 (how it appears in the assembly)
+	*/
+
+	// Check if this byte-sequence is in libminikin.so file
+	uint8_t needle[4] = {0x53, 0x55, 0x55, 0x15};
+
+	uint8_t *p = memmem(buffer, size, needle, 4);
+
+	// If the byte-sequence is present, that means the bug has been patched
+	if(p)
+		result = 0;
+	else	// Otherwise, there is no check for nGroups <=> vulnerable
+		result = 1;
+
+	fclose(file);
+	free(buffer);
+
+done:
+	return result;
+}
+
+JNIEXPORT jint JNICALL Java_fuzion24_device_vulnerability_vulnerabilities_framework_graphics_CVE_12016_10808_checkCVE20160808(JNIEnv *env, jobject obj){
+	return checkIsVulnerable();
+}
+
+int main(void){
+	return checkIsVulnerable();
+}