From c9f89af6aec6e87f8e3f5effc24e718bf4d6ffab Mon Sep 17 00:00:00 2001 From: eduardo Date: Tue, 5 Dec 2023 02:54:36 +0100 Subject: [PATCH] fix typo --- pocs/cpus/reptar/minimized/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pocs/cpus/reptar/minimized/README.md b/pocs/cpus/reptar/minimized/README.md index f3c66154..2c15c78c 100644 --- a/pocs/cpus/reptar/minimized/README.md +++ b/pocs/cpus/reptar/minimized/README.md @@ -9,7 +9,7 @@ You can build them all simply by running `make`. Building the code requires `nas - **reptar.align.elf.asm**: This is a more reliable reproducer that triggers an error on the first iteration. The `clflush` and the reptar instruction need to be on different 16 byte windows. This could be related to the instruction decoder working on 16 byte instructions at a time. - **reptar.boot.bin.asm**: Same as align, but instead intended to be ran from a VM using KVM. `qemu-system-x86_64 --enable-kvm -fda reptar.boot.bin`. - **reptar.xlat.elf.asm**: This is similar to `reptar.align.elf.asm` but generates tracing information on the syscalls it executes, so that when the program enters at a different register location, it is possible to observe the consequences. Pause will freeze the process, exit will pass `AL` as the exit code and yield will simply leave the latest `RIP` on `RCX`. -- **reptar.spec.elf.asm**: This is a test used to check if the bug works under speculation. It's setup similar to `reptar.align.elf.asm` but only runs a few iterations and prints the speed at which it's able to access memory. During the "loop" generated by the bug, we access specific parts of memory which would also happen if the bug executed speculatively. Run the code as `./reptar.spec.elf | od -i`. If speculation worked, you would see multiple "short" (<200 cycles) accesses and if it didn't work, you will only see one. +- **reptar.spec.elf.asm**: This is a test used to check if the bug works under speculation. Its setup similar to `reptar.align.elf.asm` but only runs a few iterations and prints the speed at which its able to access memory. During the "loop" generated by the bug, we access specific parts of memory which would also happen if the bug executed speculatively. Run the code as `./reptar.spec.elf | od -i`. If speculation worked, you would see multiple "short" (<200 cycles) accesses and if it didn't work, you will only see one. - **reptar.loopless.elf.asm**: This is an easier to modify reproducer that will also trigger the bug somewhat reliably but also allows to modify the instructions executed before and after. Note the registers that the program uses at the top. - **reptar.loop.elf.asm**: This is a more documented reproducer that explains what happens when the bug triggers and which instructions execute and which don't. Running the program on GDB should allow for quick debugging. - **reptar.vdso.bin.asm**: This is an experiment where we map ourselves just before the VDSO (you must disable ASLR first and adjust the addresses) and then make the "wrong RIP" point to the VDSO address of the time() function. As a result, the current time is stored in the address pointed to by RAX, which is then clflushed so it triggers a segfault to the current time. If we had corrupted the uop$ then we would instead expect a crash, so it appears that a long jump to the VDSO doesn't corrupt the uop$. To test try: `taskset -c 7 gdb ./reptar.vdso.bin -ex r -ex 'python import datetime;print(datetime.datetime.utcfromtimestamp(gdb.parse_and_eval("*$rdi")))' -ex 'p $rsp' -ex q` - if the uop$ was not corrupted, you should see the current date/time. If it was, we would expect a segfault when writing to `0x42` at the poisoned address.