zzqq0103

Untitled

Dec 1st, 2024
86
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 3.62 KB | None | 0 0
  1. #define _GNU_SOURCE
  2.  
  3. #include <endian.h>
  4. #include <errno.h>
  5. #include <fcntl.h>
  6. #include <stdint.h>
  7. #include <stdio.h>
  8. #include <stdlib.h>
  9. #include <string.h>
  10. #include <sys/ioctl.h>
  11. #include <sys/mount.h>
  12. #include <sys/stat.h>
  13. #include <sys/syscall.h>
  14. #include <sys/types.h>
  15. #include <unistd.h>
  16.  
  17. #include <linux/loop.h>
  18.  
  19. unsigned long long procid;
  20.  
  21. struct fs_image_segment {
  22. void* data;
  23. uintptr_t size;
  24. uintptr_t offset;
  25. };
  26.  
  27. #define IMAGE_MAX_SEGMENTS 4096
  28. #define IMAGE_MAX_SIZE (129 << 20)
  29.  
  30. #define SYZ_memfd_create 319
  31.  
  32. static long syz_mount_image(long fsarg, long dir, unsigned long size,
  33. unsigned long nsegs, long segments, long flags,
  34. long optsarg)
  35. {
  36. char loopname[64], fs[32], opts[256];
  37. int loopfd, err = 0, res = -1;
  38. unsigned long i;
  39. struct fs_image_segment* segs = (struct fs_image_segment*)segments;
  40. if (nsegs > IMAGE_MAX_SEGMENTS)
  41. nsegs = IMAGE_MAX_SEGMENTS;
  42. for (i = 0; i < nsegs; i++) {
  43. if (segs[i].size > IMAGE_MAX_SIZE)
  44. segs[i].size = IMAGE_MAX_SIZE;
  45. segs[i].offset %= IMAGE_MAX_SIZE;
  46. if (segs[i].offset > IMAGE_MAX_SIZE - segs[i].size)
  47. segs[i].offset = IMAGE_MAX_SIZE - segs[i].size;
  48. if (size < segs[i].offset + segs[i].offset)
  49. size = segs[i].offset + segs[i].offset;
  50. }
  51. if (size > IMAGE_MAX_SIZE)
  52. size = IMAGE_MAX_SIZE;
  53. int memfd = syscall(SYZ_memfd_create, "syz_mount_image", 0);
  54. if (memfd == -1) {
  55. err = errno;
  56. goto error;
  57. }
  58. if (ftruncate(memfd, size)) {
  59. err = errno;
  60. goto error_close_memfd;
  61. }
  62. for (i = 0; i < nsegs; i++) {
  63. if (pwrite(memfd, segs[i].data, segs[i].size, segs[i].offset) < 0) {
  64. }
  65. }
  66. snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
  67. loopfd = open(loopname, O_RDWR);
  68. if (loopfd == -1) {
  69. err = errno;
  70. goto error_close_memfd;
  71. }
  72. if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
  73. if (errno != EBUSY) {
  74. err = errno;
  75. goto error_close_loop;
  76. }
  77. ioctl(loopfd, LOOP_CLR_FD, 0);
  78. usleep(1000);
  79. if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
  80. err = errno;
  81. goto error_close_loop;
  82. }
  83. }
  84. mkdir((char*)dir, 0777);
  85. memset(fs, 0, sizeof(fs));
  86. strncpy(fs, (char*)fsarg, sizeof(fs) - 1);
  87. memset(opts, 0, sizeof(opts));
  88. strncpy(opts, (char*)optsarg, sizeof(opts) - 32);
  89. if (strcmp(fs, "iso9660") == 0) {
  90. flags |= MS_RDONLY;
  91. } else if (strncmp(fs, "ext", 3) == 0) {
  92. if (strstr(opts, "errors=panic") || strstr(opts, "errors=remount-ro") == 0)
  93. strcat(opts, ",errors=continue");
  94. } else if (strcmp(fs, "xfs") == 0) {
  95. strcat(opts, ",nouuid");
  96. }
  97. if (mount(loopname, (char*)dir, fs, flags, opts)) {
  98. err = errno;
  99. goto error_clear_loop;
  100. }
  101. res = 0;
  102. error_clear_loop:
  103. ioctl(loopfd, LOOP_CLR_FD, 0);
  104. error_close_loop:
  105. close(loopfd);
  106. error_close_memfd:
  107. close(memfd);
  108. error:
  109. errno = err;
  110. return res;
  111. }
  112.  
  113. int main()
  114. {
  115. syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
  116.  
  117. memcpy((void*)0x20000000, "vfat", 5);
  118. memcpy((void*)0x200004c0, "./file0", 8);
  119. syz_mount_image(0x20000000, 0x200004c0, 0, 0, 0x20000300, 0, 0x20000240);
  120. memcpy((void*)0x20000080, "127.0.0.1", 10);
  121. memcpy((void*)0x20000100, "./file1", 8);
  122. memcpy((void*)0x20000140, "9p", 3);
  123. memcpy((void*)0x200001c0, "trans=tcp,", 10);
  124. memcpy((void*)0x200001ca, "port", 4);
  125. *(uint8_t*)0x200001ce = 0x3d;
  126. sprintf((char*)0x200001cf, "0x%016llx", (long long)0);
  127. *(uint8_t*)0x200001e1 = 0x2c;
  128. *(uint8_t*)0x200001e2 = 0;
  129. syscall(__NR_mount, 0x20000080, 0x20000100, 0x20000140, 0, 0x200001c0);
  130. memcpy((void*)0x200000c0, "./file0", 8);
  131. memcpy((void*)0x20000040, "9p", 3);
  132. syscall(__NR_mount, 0, 0x200000c0, 0x20000040, 0, 0x200001c0);
  133. return 0;
  134. }
Advertisement
Add Comment
Please, Sign In to add comment