search

vulgatecn / google-security-research

Automatically exported from code.google.com/p/google-security-research
0 stars 0 forks source link

Rowhammer: Linux kernel privilege escalation PoC #283

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago 
The issue is a placeholder for the PoC for a working Linux privilege escalation 
for the "rowhammer" DRAM vulnerability.

Original issue reported on code.google.com by cev...@google.com on 9 Mar 2015 at 3:23

Attachments:

GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 9 Mar 2015 at 4:02

GoogleCodeExporter commented 9 years ago 
hey guys. Is there guy success this test?
I failed compile.

Original comment by william....@gmail.com on 11 Mar 2015 at 9:13

GoogleCodeExporter commented 9 years ago 
[deleted comment]
GoogleCodeExporter commented 9 years ago 
[deleted comment]
GoogleCodeExporter commented 9 years ago 
I tried running the full demo "run.sh" ( have to run it "sudo" to use KVM), but 
it hangs in "qemu_runner.py", waiting for input to the ReadLines() function.

When I get bored and break out of it, it reports this:
----%>< snip----
...
pte_pages=913408, pte_size=3568 MB, rate=44.5 MB/sec
Running target executable...
Hello world -- in innocent program
Test mode: Flipping bit at address b0702100...
  before:  val=0x8000000057b32027
  after:   val=0x8000000057a32027
  Changed bit 20 to 0
Searching for modified PTE...
  Found at index 0xdf23e20
  In page table 15 (out of 16 per mmap())
  Entry 0 contains 0x0
  Entry 32 contains 0x800000005c329027
Modifying PTE...
Searching for page that uses this PTE...
  Found at index 0xbdc7601
  Points to 0xf000ff53f000ff53
Running target executable...
Escape!

Test mode: Cleaning up: Undoing bit flip
Test mode: Flipping bit at address b0702100...
  before:  val=0x8000000057a32067
  after:   val=0x8000000057b32067
  Changed bit 20 to 1
** exited with status 0 (0x0)
^Cqemu: terminating on signal 2
Traceback (most recent call last):
  File "qemu_runner.py", line 57, in <module>
    Main()
  File "qemu_runner.py", line 45, in Main
    for line in ReadLines(os.fdopen(read_fd, 'r')):
  File "qemu_runner.py", line 11, in ReadLines
    ch = stream.read(1)
KeyboardInterrupt

Original comment by prof.mon...@gmail.com on 14 Mar 2015 at 3:37

GoogleCodeExporter commented 9 years ago 
Hey, prof,mon...
What is your machine(OS, RAM)?

Original comment by william....@gmail.com on 16 Mar 2015 at 3:15

GoogleCodeExporter commented 9 years ago 
> #6 william....@gmail.com
> Hey, prof,mon...
> What is your machine(OS, RAM)?

I built a Linux kernel, 3.19.1, with pretty much stock options except for 
disabling CONFIG_STRICT_DEVMEM (also turned off Bluetooth).  Ran it in a VM on 
a Ubuntu 14.04 physical host w/ 6GB of RAM.  If I understand the 
"qemu_runner.py" script correctly, it gave the VM 4000 megabytes of memory.

Original comment by bloomu.p...@gmail.com on 16 Mar 2015 at 8:41

GoogleCodeExporter commented 9 years ago 
> Running target executable...
> Escape!

That shows that the exploit worked -- the test passed.

Original comment by mseaborn@chromium.org on 16 Mar 2015 at 3:41

GoogleCodeExporter commented 9 years ago 
This doesn't have payload, right?

Original comment by rehiz...@gmail.com on 16 Mar 2015 at 10:27

GoogleCodeExporter commented 9 years ago 
@comment #9: The proof-of-concept code linked above just overwrites a test 
executable with code that calls write() and then _exit().  It's a trivial 
payload, for test purposes, but it wouldn't be difficult to modify it to call 
execve() instead.

Original comment by mseaborn@chromium.org on 16 Mar 2015 at 10:35