Created
October 7, 2024 05:46
Corrupted array index nvme case 3
| #include <stdio.h> | |
| #include <stdlib.h> | |
| #include <string.h> | |
| #include <stdbool.h> | |
// __user is the kernel's annotation for pointers into user address space
// (checked by sparse). It expands to nothing here, so the compiler does not
// tell user pointers apart from ordinary ones anywhere in this harness.
#define __user
// Userspace stand-ins for the kernel helpers that _copy_from_user() calls.

/*
 * Stub for the kernel's might_fault() annotation.
 *
 * It performs no checking of its own in this harness; it only logs that the
 * call site was reached.
 */
static void might_fault(void)
{
    fputs("might_fault called\n", stdout);
}
/*
 * Stub for the fault-injection hook that _copy_from_user() consults before
 * copying.
 *
 * Always answers "do not inject a failure", so the copy is never skipped on
 * this account and the forced-failure path is not exercised by this file.
 */
static bool should_fail_usercopy(void)
{
    const bool inject_failure = false;

    return inject_failure;
}
/*
 * Stub for the user-pointer range check.
 *
 * Accepts every (from, n) pair without looking at either argument. The
 * rejection path of _copy_from_user() is therefore never taken here, and the
 * caller alone must guarantee that `from` is readable for n bytes.
 */
static bool access_ok(const void __user *from, unsigned long n)
{
    (void)from; /* deliberately not inspected */
    (void)n;

    return true;
}
/*
 * Stub for the kernel's speculation barrier.
 *
 * The empty asm statement with a "memory" clobber is a compiler barrier only:
 * it stops the compiler from moving memory accesses across this point but
 * emits no instruction, so it gives none of the protection against
 * speculative execution that a real barrier_nospec() is there to provide.
 */
static void barrier_nospec(void)
{
    __asm__ __volatile__("" ::: "memory");
}
/*
 * Stub for the instrumentation hook invoked just before the raw copy.
 *
 * The arguments are accepted for signature compatibility and ignored; the
 * function only logs that it ran.
 */
static void instrument_copy_from_user_before(void *to, const void __user *from, unsigned long n)
{
    (void)to;
    (void)from;
    (void)n;

    fputs("instrument_copy_from_user_before called\n", stdout);
}
/*
 * Stub for the instrumentation hook invoked just after the raw copy.
 *
 * `res` is the raw copy's return value as passed by _copy_from_user(). All
 * arguments are ignored here; the function only logs that it ran.
 */
static void instrument_copy_from_user_after(void *to, const void __user *from, unsigned long n, unsigned long res)
{
    (void)to;
    (void)from;
    (void)n;
    (void)res;

    fputs("instrument_copy_from_user_after called\n", stdout);
}
/*
 * Stub for the low-level copy primitive.
 *
 * Copies n bytes with memcpy() and always returns 0, which _copy_from_user()
 * treats as "no bytes left uncopied". Nothing here checks the size of either
 * buffer or whether they overlap, and a partial copy can never be reported,
 * so with the other stubs as they stand the tail-zeroing branch of
 * _copy_from_user() is not reached.
 */
static unsigned long raw_copy_from_user(void *to, const void __user *from, unsigned long n)
{
    const unsigned long not_copied = 0; /* this stub never reports a short copy */

    memcpy(to, from, n);
    return not_copied;
}
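/*
 * Branch-prediction hints. The kernel supplies these macros; this userspace
 * file used them without defining them, which leaves likely()/unlikely() as
 * undeclared functions. Provide fallbacks when nothing else has defined them.
 */
#ifndef likely
#define likely(x) __builtin_expect(!!(x), 1)
#endif
#ifndef unlikely
#define unlikely(x) __builtin_expect(!!(x), 0)
#endif

/*
 * Function under test: userspace replica of the copy-from-user wrapper.
 *
 * Copies n bytes from `from` to `to` when should_fail_usercopy() is false and
 * access_ok() accepts the source range.
 *
 * Returns the number of bytes that were NOT copied: 0 on full success, n when
 * the copy was refused or skipped.
 *
 * Whatever part of the destination was not written is zero-filled before
 * returning, so the caller never reads stale bytes from `to` after a short or
 * refused copy. The destination size itself is not checked here: the caller
 * must pass a buffer of at least n bytes.
 */
unsigned long _copy_from_user(void *to, const void __user *from, unsigned long n)
{
    /* Start from "nothing copied" so a refused copy zeroes the whole buffer. */
    unsigned long res = n;

    might_fault();
    if (!should_fail_usercopy() && likely(access_ok(from, n))) {
        barrier_nospec();
        instrument_copy_from_user_before(to, from, n);
        res = raw_copy_from_user(to, from, n);
        instrument_copy_from_user_after(to, from, n, res);
    }

    /*
     * Zero the uncopied tail [n - res, n). This relies on res <= n; a copy
     * primitive returning more than n would make n - res wrap around.
     */
    if (unlikely(res)) {
        memset((char *)to + (n - res), 0, res);
    }
    return res;
}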
/*
 * Driver: copies one NUL-terminated string through _copy_from_user() and
 * prints the destination and the count of bytes left uncopied.
 *
 * The length passed is 14 (13 characters plus the terminator), which fits the
 * 20-byte destination. _copy_from_user() never sees the destination size, so
 * keeping the length within that bound is this caller's responsibility.
 */
int main(void)
{
    char src[] = "Hello, World!";
    char dst[20] = {0};
    const unsigned long len = strlen(src) + 1; /* include the terminator */
    const unsigned long not_copied = _copy_from_user(dst, src, len);

    printf("Copied string: %s\n", dst);
    printf("Bytes not copied: %lu\n", not_copied);
    return 0;
}