| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 6 Mar 2015 17:13:26 -0800
From: Christophe Hauser <christophe@...ucsb.edu>
To: Robert Święcki <robert@...ecki.net>
Cc: fulldisclosure@...lists.org
Subject: Re: [FD] Partial pointer leaks
On Thu, Mar 05, 2015 at 10:42:15AM -0800, Robert Święcki wrote:
> I'm not sure if that's what you look for, but certain perf operations
> leak one or two addresses from the kernel space in the default Ubuntu
> configuration. It's possible to write a short PoC, but it might take a
> few mins, instead feel free to to compile and use
> https://code.google.com/p/honggfuzz/source/checkout - which serves
> other purpose, but uses perf as well. This behavior could be well by
> design though, I haven't checked yet.
>
> It will only work under newer Intel CPUs BTW.
>
> $ ~/src/honggfuzz/honggfuzz -n1 -N1 -d4 -s -Dp -- /bin/true | cut -f9
> -d" " | grep ffffffff | sort | uniq
> 0xffffffff8178ad82
> 0xffffffff8178ba47
>
> # Remove the last 4 bits here
> $ sudo grep ffffffff8178ad8. /boot/System.map-3.16.0-31-generic
> ffffffff8178ad85 t sysret_careful
>
> $ sudo grep ffffffff8178ba47 /boot/System.map-3.16.0-31-generic
> ffffffff8178ba47 T native_irq_return_iret
>
> HTH
Hi Robert,
thank you, this is very interesting and seems to be one potential
occurrence of what I am looking for.
Nice tool by the way !
--
Christophe
Download attachment "signature.asc" of type "application/pgp-signature" (474 bytes)
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists