/* * killmm.c attempts to exploit bugs in the mm to cause a crash or * other undesired behaviour. * Copyright (C) 2002 Google * Written by Ross Biro * */ #include #include #include #include #include #include #include #include /* 512 Meg */ #define BLOCKSIZE 512*1024*1024 #define USEMLOCK 1 int main(int argc, char *argv[]) { size_t memory = atoi(argv[1]); int blocks = atoi(argv[2]); int maxfiles = atoi(argv[3]); unsigned char *cptr; int i, j, k; void **ptrs = (void **)malloc(blocks * sizeof(*ptrs)); if (ptrs == NULL) { fprintf (stderr, "Unable to allocate %d bytes: %s\n", sizeof(*ptrs) * blocks, strerror(errno)); return -1; } /* The first thing we do is allocate a bunch of memory. */ cptr = (unsigned char *)malloc(memory); if (cptr == NULL) { fprintf (stderr, "Unable to allocate %d bytes: %s\n", memory, strerror(errno)); return -1; } /* now we want to make it all dirty. */ for (i = 0; i < memory; i++) { cptr[i] = (unsigned char)(i&0xff); if ((i & 0xffffff) == 0) { printf ("Initializing memory: %d\n", i); } } /* Now we have a bunch of dirty memory. Map in huge files. */ for (i = 0; i < maxfiles; i++) { char filename[1024]; int fd; int ind = i%blocks; if (ptrs[ind] != NULL) { printf ("Unmapping block %d @ %08X\n", ind, ptrs[ind]); #ifdef USEMLOCK munlock(ptrs[ind], BLOCKSIZE); #endif munmap(ptrs[ind], BLOCKSIZE); } sprintf (filename, "file%d", i); printf ("Loading file %s into slot %d\n", filename, ind); fd = open (filename, O_RDONLY); if (fd < 0) { fprintf (stderr, "Unable to open %s: %s\n", filename, strerror(errno)); return -1; } ptrs[ind] = mmap (NULL, BLOCKSIZE, PROT_READ, MAP_PRIVATE, fd, 0); if (ptrs[ind] == NULL) { fprintf (stderr, "Unable to map file %s: %s\n", filename, strerror(errno)); return -1; } #ifdef USEMLOCK if (mlock(ptrs[ind], BLOCKSIZE) < 0) { fprintf (stderr, "Unable to lock mem for %s: %s\n", filename, strerror(errno)); return -1; } #else // Page in the memory the old fashioned way. for (j = 0; j