19512fe85Sahl /* 29512fe85Sahl * CDDL HEADER START 39512fe85Sahl * 49512fe85Sahl * The contents of this file are subject to the terms of the 59512fe85Sahl * Common Development and Distribution License (the "License"). 69512fe85Sahl * You may not use this file except in compliance with the License. 79512fe85Sahl * 89512fe85Sahl * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 99512fe85Sahl * or http://www.opensolaris.org/os/licensing. 109512fe85Sahl * See the License for the specific language governing permissions 119512fe85Sahl * and limitations under the License. 129512fe85Sahl * 139512fe85Sahl * When distributing Covered Code, include this CDDL HEADER in each 149512fe85Sahl * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 159512fe85Sahl * If applicable, add the following below this CDDL HEADER, with the 169512fe85Sahl * fields enclosed by brackets "[]" replaced with your own identifying 179512fe85Sahl * information: Portions Copyright [yyyy] [name of copyright owner] 189512fe85Sahl * 199512fe85Sahl * CDDL HEADER END 209512fe85Sahl */ 219512fe85Sahl 229512fe85Sahl /* 23*73427c57Sahl * Copyright 2007 Sun Microsystems, Inc. All rights reserved. 249512fe85Sahl * Use is subject to license terms. 259512fe85Sahl */ 269512fe85Sahl 279512fe85Sahl #pragma ident "%Z%%M% %I% %E% SMI" 289512fe85Sahl 299512fe85Sahl #include <sys/stat.h> 309512fe85Sahl #include <stdio.h> 319512fe85Sahl #include <stdlib.h> 329512fe85Sahl #include <fcntl.h> 339512fe85Sahl #include <sys/varargs.h> 349512fe85Sahl #include <errno.h> 359512fe85Sahl #include <math.h> 36*73427c57Sahl #include <dtrace.h> 379512fe85Sahl 389512fe85Sahl void 399512fe85Sahl fatal(char *fmt, ...) 409512fe85Sahl { 419512fe85Sahl va_list ap; 429512fe85Sahl 439512fe85Sahl va_start(ap, fmt); 449512fe85Sahl 459512fe85Sahl fprintf(stderr, "%s: ", "baddof"); 469512fe85Sahl vfprintf(stderr, fmt, ap); 479512fe85Sahl 489512fe85Sahl if (fmt[strlen(fmt) - 1] != '\n') 499512fe85Sahl fprintf(stderr, ": %s\n", strerror(errno)); 509512fe85Sahl 519512fe85Sahl exit(1); 529512fe85Sahl } 539512fe85Sahl 549512fe85Sahl #define LEAP_DISTANCE 20 559512fe85Sahl 569512fe85Sahl void 579512fe85Sahl corrupt(int fd, unsigned char *buf, int len) 589512fe85Sahl { 599512fe85Sahl static int ttl, valid; 609512fe85Sahl int bit, i; 619512fe85Sahl unsigned char saved; 629512fe85Sahl int val[LEAP_DISTANCE], pos[LEAP_DISTANCE]; 639512fe85Sahl int new, rv; 649512fe85Sahl 659512fe85Sahl again: 669512fe85Sahl printf("valid DOF #%d\n", valid++); 679512fe85Sahl 689512fe85Sahl /* 699512fe85Sahl * We are going iterate through, flipping one bit and attempting 709512fe85Sahl * to enable. 719512fe85Sahl */ 729512fe85Sahl for (bit = 0; bit < len * 8; bit++) { 739512fe85Sahl saved = buf[bit / 8]; 749512fe85Sahl buf[bit / 8] ^= (1 << (bit % 8)); 759512fe85Sahl 769512fe85Sahl if ((bit % 100) == 0) 779512fe85Sahl printf("%d\n", bit); 789512fe85Sahl 799512fe85Sahl if ((rv = ioctl(fd, DTRACEIOC_ENABLE, buf)) == -1) { 809512fe85Sahl /* 819512fe85Sahl * That failed -- restore the bit and drive on. 829512fe85Sahl */ 839512fe85Sahl buf[bit / 8] = saved; 849512fe85Sahl continue; 859512fe85Sahl } 869512fe85Sahl 879512fe85Sahl /* 889512fe85Sahl * That worked -- and it may have enabled probes. To keep 899512fe85Sahl * enabled probes down to a reasonable level, we'll close 909512fe85Sahl * and reopen pseudodevice if we have more than 10,000 919512fe85Sahl * probes enabled. 929512fe85Sahl */ 939512fe85Sahl ttl += rv; 949512fe85Sahl 959512fe85Sahl if (ttl < 10000) { 969512fe85Sahl buf[bit / 8] = saved; 979512fe85Sahl continue; 989512fe85Sahl } 999512fe85Sahl 1009512fe85Sahl printf("enabled %d probes; resetting device.\n", ttl); 1019512fe85Sahl close(fd); 1029512fe85Sahl 1039512fe85Sahl new = open("/devices/pseudo/dtrace@0:dtrace", O_RDWR); 1049512fe85Sahl 1059512fe85Sahl if (new == -1) 1069512fe85Sahl fatal("couldn't open DTrace pseudo device"); 1079512fe85Sahl 1089512fe85Sahl if (new != fd) { 1099512fe85Sahl dup2(new, fd); 1109512fe85Sahl close(new); 1119512fe85Sahl } 1129512fe85Sahl 1139512fe85Sahl ttl = 0; 1149512fe85Sahl buf[bit / 8] = saved; 1159512fe85Sahl } 1169512fe85Sahl 1179512fe85Sahl for (;;) { 1189512fe85Sahl /* 1199512fe85Sahl * Now we want to get as many bits away as possible. We flip 1209512fe85Sahl * bits randomly -- getting as far away as we can until we don't 1219512fe85Sahl * seem to be making any progress. 1229512fe85Sahl */ 1239512fe85Sahl for (i = 0; i < LEAP_DISTANCE; i++) { 1249512fe85Sahl /* 1259512fe85Sahl * Pick a random bit and corrupt it. 1269512fe85Sahl */ 1279512fe85Sahl bit = lrand48() % (len * 8); 1289512fe85Sahl 1299512fe85Sahl val[i] = buf[bit / 8]; 1309512fe85Sahl pos[i] = bit / 8; 1319512fe85Sahl buf[bit / 8] ^= (1 << (bit % 8)); 1329512fe85Sahl } 1339512fe85Sahl 1349512fe85Sahl /* 1359512fe85Sahl * Let's see if that managed to get us valid DOF... 1369512fe85Sahl */ 1379512fe85Sahl if ((rv = ioctl(fd, DTRACEIOC_ENABLE, buf)) > 0) { 1389512fe85Sahl /* 1399512fe85Sahl * Success! This will be our new base for valid DOF. 1409512fe85Sahl */ 1419512fe85Sahl ttl += rv; 1429512fe85Sahl goto again; 1439512fe85Sahl } 1449512fe85Sahl 1459512fe85Sahl /* 1469512fe85Sahl * No luck -- we'll restore those bits and try flipping a 1479512fe85Sahl * different set. Note that this must be done in reverse 1489512fe85Sahl * order... 1499512fe85Sahl */ 1509512fe85Sahl for (i = LEAP_DISTANCE - 1; i >= 0; i--) 1519512fe85Sahl buf[pos[i]] = val[i]; 1529512fe85Sahl } 1539512fe85Sahl } 1549512fe85Sahl 1559512fe85Sahl void 1569512fe85Sahl main(int argc, char **argv) 1579512fe85Sahl { 1589512fe85Sahl char *filename = argv[1]; 1599512fe85Sahl dtrace_hdl_t *dtp; 1609512fe85Sahl dtrace_prog_t *pgp; 1619512fe85Sahl int err, fd, len; 1629512fe85Sahl FILE *fp; 1639512fe85Sahl unsigned char *dof, *copy; 1649512fe85Sahl 1659512fe85Sahl if (argc < 1) 1669512fe85Sahl fatal("expected D script as argument\n"); 1679512fe85Sahl 1689512fe85Sahl if ((fp = fopen(filename, "r")) == NULL) 1699512fe85Sahl fatal("couldn't open %s", filename); 1709512fe85Sahl 1719512fe85Sahl /* 1729512fe85Sahl * First, we need to compile our provided D into DOF. 1739512fe85Sahl */ 1749512fe85Sahl if ((dtp = dtrace_open(DTRACE_VERSION, 0, &err)) == NULL) { 1759512fe85Sahl fatal("cannot open dtrace library: %s\n", 1769512fe85Sahl dtrace_errmsg(NULL, err)); 1779512fe85Sahl } 1789512fe85Sahl 1799512fe85Sahl pgp = dtrace_program_fcompile(dtp, fp, 0, 0, NULL); 1809512fe85Sahl fclose(fp); 1819512fe85Sahl 1829512fe85Sahl if (pgp == NULL) { 1839512fe85Sahl fatal("failed to compile script %s: %s\n", filename, 1849512fe85Sahl dtrace_errmsg(dtp, dtrace_errno(dtp))); 1859512fe85Sahl } 1869512fe85Sahl 187*73427c57Sahl dof = dtrace_dof_create(dtp, pgp, 0); 1889512fe85Sahl len = ((dof_hdr_t *)dof)->dofh_loadsz; 1899512fe85Sahl 1909512fe85Sahl if ((copy = malloc(len)) == NULL) 1919512fe85Sahl fatal("could not allocate copy of %d bytes", len); 1929512fe85Sahl 1939512fe85Sahl for (;;) { 1949512fe85Sahl bcopy(dof, copy, len); 1959512fe85Sahl /* 1969512fe85Sahl * Open another instance of the dtrace device. 1979512fe85Sahl */ 1989512fe85Sahl fd = open("/devices/pseudo/dtrace@0:dtrace", O_RDWR); 1999512fe85Sahl 2009512fe85Sahl if (fd == -1) 2019512fe85Sahl fatal("couldn't open DTrace pseudo device"); 2029512fe85Sahl 2039512fe85Sahl corrupt(fd, copy, len); 2049512fe85Sahl close(fd); 2059512fe85Sahl } 2069512fe85Sahl } 207