From 1f406e270fc349c6d0ccd6b1626877436164a1b3 Mon Sep 17 00:00:00 2001 From: Elliott Hughes Date: Sat, 4 Jun 2016 08:12:34 -0700 Subject: [PATCH] Remove toolbox ioctl. Let's remove this convenient tool for attacking buggy kernels and see if anyone with a legitimate use notices. I suspect most potential legitimate users write a short C program instead anyway. Bug: http://b/29128170 Change-Id: I14e8b8594902951fe0b94c9ce13baa2c4d7b9e6e --- toolbox/Android.mk | 1 - toolbox/ioctl.c | 182 --------------------------------------------- 2 files changed, 183 deletions(-) delete mode 100644 toolbox/ioctl.c diff --git a/toolbox/Android.mk b/toolbox/Android.mk index ba04364b3..feeffda57 100644 --- a/toolbox/Android.mk +++ b/toolbox/Android.mk @@ -32,7 +32,6 @@ BSD_TOOLS := \ OUR_TOOLS := \ getevent \ - ioctl \ log \ nandread \ newfs_msdos \ diff --git a/toolbox/ioctl.c b/toolbox/ioctl.c deleted file mode 100644 index 093e467de..000000000 --- a/toolbox/ioctl.c +++ /dev/null @@ -1,182 +0,0 @@ -/* - * Copyright (c) 2008, The Android Open Source Project - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * * Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * * Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * * Neither the name of Google, Inc. nor the names of its contributors - * may be used to endorse or promote products derived from this - * software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, - * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS - * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED - * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, - * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT - * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -static void usage() { - fprintf(stderr, "%s [-l ] [-a ] [-rdh] \n" - " -l Length of io buffer\n" - " -a Size of each argument (1-8)\n" - " -r Open device in read only mode\n" - " -d Direct argument (no iobuffer)\n" - " -h Print help\n", getprogname()); - exit(1); -} - -static int xstrtoi(const char* s, const char* what) { - char* endp; - errno = 0; - long result = strtol(s, &endp, 0); - if (errno != 0 || *endp != '\0') { - error(1, errno, "couldn't parse %s '%s'", what, s); - } - if (result > INT_MAX || result < INT_MIN) { - error(1, errno, "%s '%s' out of range", what, s); - } - return result; -} - -int ioctl_main(int argc, char* argv[]) { - int read_only = 0; - int length = -1; - int arg_size = 4; - int direct_arg = 0; - - void *ioctl_args = NULL; - uint8_t *ioctl_argp; - uint8_t *ioctl_argp_save = NULL; - int rem; - - int c; - while ((c = getopt(argc, argv, "rdl:a:h")) != -1) { - switch (c) { - case 'r': - read_only = 1; - break; - case 'd': - direct_arg = 1; - break; - case 'l': - length = xstrtoi(optarg, "length"); - break; - case 'a': - arg_size = xstrtoi(optarg, "argument size"); - break; - case 'h': - usage(); - break; - default: - error(1, 0, "invalid option -%c", optopt); - } - } - - if (optind + 2 > argc) { - usage(); - } - - const char* device = argv[optind]; - int fd; - if (strcmp(device, "-") == 0) { - fd = STDIN_FILENO; - } else { - fd = open(device, read_only ? O_RDONLY : (O_RDWR | O_SYNC)); - if (fd == -1) { - error(1, errno, "cannot open %s", argv[optind]); - } - } - optind++; - - // IOCTL(2) wants second parameter as a signed int. - // Let's let the user specify either negative numbers or large positive - // numbers, for the case where ioctl number is larger than INT_MAX. - errno = 0; - char* endp; - int ioctl_nr = UINT_MAX & strtoll(argv[optind], &endp, 0); - if (errno != 0 || *endp != '\0') { - error(1, errno, "couldn't parse ioctl number '%s'", argv[optind]); - } - optind++; - - if(direct_arg) { - arg_size = 4; - length = 4; - } - - if(length < 0) { - length = (argc - optind) * arg_size; - } - if(length) { - ioctl_args = calloc(1, length); - - ioctl_argp_save = ioctl_argp = ioctl_args; - rem = length; - while (optind < argc) { - uint64_t tmp = strtoull(argv[optind], NULL, 0); - if (rem < arg_size) { - error(1, 0, "too many arguments"); - } - memcpy(ioctl_argp, &tmp, arg_size); - ioctl_argp += arg_size; - rem -= arg_size; - optind++; - } - } - printf("sending ioctl 0x%x", ioctl_nr); - rem = length; - while(rem--) { - printf(" 0x%02x", *ioctl_argp_save++); - } - printf(" to %s\n", device); - - int res; - if(direct_arg) - res = ioctl(fd, ioctl_nr, *(uint32_t*)ioctl_args); - else if(length) - res = ioctl(fd, ioctl_nr, ioctl_args); - else - res = ioctl(fd, ioctl_nr, 0); - if (res < 0) { - free(ioctl_args); - error(1, errno, "ioctl 0x%x failed (returned %d)", ioctl_nr, res); - } - - if (length) { - printf("return buf:"); - ioctl_argp = ioctl_args; - rem = length; - while(rem--) { - printf(" %02x", *ioctl_argp++); - } - printf("\n"); - } - free(ioctl_args); - close(fd); - return 0; -}