Closed GoogleCodeExporter closed 9 years ago
Original comment by cev...@google.com
on 9 Mar 2015 at 4:02
Hey guys. Has anyone succeeded with this test?
I failed to compile.
Original comment by william....@gmail.com
on 11 Mar 2015 at 9:13
[deleted comment]
[deleted comment]
I tried running the full demo "run.sh" (have to run it with "sudo" to use KVM), but
it hangs in "qemu_runner.py", waiting for input to the ReadLines() function.
When I get bored and break out of it, it reports this:
----%>< snip----
...
pte_pages=913408, pte_size=3568 MB, rate=44.5 MB/sec
Running target executable...
Hello world -- in innocent program
Test mode: Flipping bit at address b0702100...
before: val=0x8000000057b32027
after: val=0x8000000057a32027
Changed bit 20 to 0
Searching for modified PTE...
Found at index 0xdf23e20
In page table 15 (out of 16 per mmap())
Entry 0 contains 0x0
Entry 32 contains 0x800000005c329027
Modifying PTE...
Searching for page that uses this PTE...
Found at index 0xbdc7601
Points to 0xf000ff53f000ff53
Running target executable...
Escape!
Test mode: Cleaning up: Undoing bit flip
Test mode: Flipping bit at address b0702100...
before: val=0x8000000057a32067
after: val=0x8000000057b32067
Changed bit 20 to 1
** exited with status 0 (0x0)
^Cqemu: terminating on signal 2
Traceback (most recent call last):
  File "qemu_runner.py", line 57, in <module>
    Main()
  File "qemu_runner.py", line 45, in Main
    for line in ReadLines(os.fdopen(read_fd, 'r')):
  File "qemu_runner.py", line 11, in ReadLines
    ch = stream.read(1)
KeyboardInterrupt
Original comment by prof.mon...@gmail.com
on 14 Mar 2015 at 3:37
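The before/after values in the log quoted above can be decoded to see what the single flipped bit changes. This is an added example, not part of the thread or of the project's code; it assumes the values are x86-64 4 KiB page table entries (as the "Searching for modified PTE" line suggests), and the function names are hypothetical.

```python
import re

# x86-64 4 KiB page-table-entry layout (architectural, not project-specific).
FLAG_BITS = {0: "present", 1: "writable", 2: "user", 5: "accessed",
             6: "dirty", 63: "no-execute"}
FRAME_MASK = 0x000FFFFFFFFFF000  # bits 12..51: physical frame address

# Lines copied from the log quoted in the comment above.
SAMPLE_LOG = """\
before: val=0x8000000057b32027
after: val=0x8000000057a32027
before: val=0x8000000057a32067
after: val=0x8000000057b32067
"""

def decode_pte(val):
    """Split a PTE into its physical frame address and named flag bits."""
    flags = [name for bit, name in sorted(FLAG_BITS.items()) if val >> bit & 1]
    return {"phys": val & FRAME_MASK, "flags": flags}

def flipped_bits(before, after):
    """Return the bit positions that differ between two 64-bit values."""
    diff = before ^ after
    return [b for b in range(64) if diff >> b & 1]

def analyse(log):
    """Pair each before/after line and describe what the flip changed."""
    vals = [int(v, 16) for v in re.findall(r"val=(0x[0-9a-fA-F]+)", log)]
    reports = []
    for before, after in zip(vals[0::2], vals[1::2]):
        bits = flipped_bits(before, after)
        b, a = decode_pte(before), decode_pte(after)
        reports.append({
            "bits": bits,
            "in_frame_field": all(12 <= x <= 51 for x in bits),
            "phys_before": b["phys"], "phys_after": a["phys"],
            "flags_changed": b["flags"] != a["flags"],
            "flags": a["flags"],
        })
    return reports

if __name__ == "__main__":
    for r in analyse(SAMPLE_LOG):
        print(f"bits {r['bits']}: {r['phys_before']:#x} -> {r['phys_after']:#x}, "
              f"flags {r['flags']}")
```

Bit 20 falls inside the frame field, so the permission flags stay the same while the entry is redirected to a physical page 1 MiB (0x100000) away; the second pair is the cleanup flip restoring the original frame.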
Hey, prof.mon...
What is your machine (OS, RAM)?
Original comment by william....@gmail.com
on 16 Mar 2015 at 3:15
> #6 william....@gmail.com
> Hey, prof.mon...
> What is your machine (OS, RAM)?
I built a Linux kernel, 3.19.1, with pretty much stock options except for
disabling CONFIG_STRICT_DEVMEM (also turned off Bluetooth). Ran it in a VM on
an Ubuntu 14.04 physical host w/ 6GB of RAM. If I understand the
"qemu_runner.py" script correctly, it gave the VM 4000 megabytes of memory.
Original comment by bloomu.p...@gmail.com
on 16 Mar 2015 at 8:41
> Running target executable...
> Escape!
That shows that the exploit worked -- the test passed.
Original comment by mseaborn@chromium.org
on 16 Mar 2015 at 3:41
This doesn't have a payload, right?
Original comment by rehiz...@gmail.com
on 16 Mar 2015 at 10:27
@comment #9: The proof-of-concept code linked above just overwrites a test
executable with code that calls write() and then _exit(). It's a trivial
payload, for test purposes, but it wouldn't be difficult to modify it to call
execve() instead.
Original comment by mseaborn@chromium.org
on 16 Mar 2015 at 10:35
Original issue reported on code.google.com by
cev...@google.com
on 9 Mar 2015 at 3:23