raphaelsc / am-i-affected-by-meltdown

Meltdown Exploit / Proof-of-concept / checks whether system is affected by Variant 3: rogue data cache load (CVE-2017-5754), a.k.a MELTDOWN.

Home Page: https://meltdownattack.com/

License: BSD 2-Clause "Simplified" License

C++ 97.95% Makefile 2.05%
meltdown kpti kaiser pti exploit poc security intelbug

am-i-affected-by-meltdown's Issues

Use x86_64 instructions for targeting 64-bit CPUs

Hello,
In xbegin and xend functions, this program uses some older i386 instructions. For a proper x64-based CPU, if there's an alternative implementation won't it be better to use them instead?
For example, if we define the architecture (e.g. 64-bit) then run 64-bit instruction otherwise fallback to i386 one.

Refers

__asm__ __volatile__(".byte 0xc7,0xf8 ; .long 0" : "+a" (ret) :: "memory");

__asm__ __volatile__(".byte 0x0f,0x01,0xd5" ::: "memory");

Minor issue with confusing output

In ac2c435, if meltdown-checker reads all-zero values, it will print out a "match" to whatever the first all-zero symbol is, but then follow this up with so far so good.

$ sudo ./meltdown-checker 
Checking whether system is affected by Variant 3: rogue data cache load (CVE-2017-5754), a.k.a MELTDOWN ...
Checking syscall table (sys_call_table) found at address 0xffffffff81801400 ...
0xff10000000000000 -> That's unknown
so far so good...
0x0000110000000000 -> That's unknown
so far so good...
0x0000000000000000 -> That's irq_stack_union
so far so good...
0x0000000000000000 -> That's irq_stack_union
so far so good...
0xff00830000000000 -> That's unknown
so far so good...

I think that "matches" to zero values should probably be ignored. The technical paper explains that there's a bias towards reading zeroes. It appears to be a rather pronounced one on at least one of my cloud boxes.

Support systems without /proc/kallsyms and unmounted /boot

My box runs a custom-built Gentoo hardened monolithic kernel with most GRSEC protections enabled (so root doesn't see /proc/kallsyms), but no SELinux or other MAC. It also does not have /boot mounted while running (because I have KASLR enabled).

I already know from Intel's list of affected CPUs that my Ivybridge i7 exhibits the behaviour that is exploited by Meltdown.
But it would be nice to know whether exploiting the bug on my system would need a tailored exploit in practice or if a further improved generic exploit could do it.

Illegal hardware instruction

Hello,

I get an "illegal hardware instruction" when running this on Debian 8.

Linux *snip* 4.9.0-0.bpo.5-amd64 #1 SMP Debian 4.9.65-3+deb9u2~bpo8+1 (2017-01-05) x86_64 GNU/Linux

Strace output:

$ strace ./meltdown-checker
execve("./meltdown-checker", ["./meltdown-checker"], [/* 24 vars */]) = 0
brk(0)                                  = 0x159f000
brk(0x15a0200)                          = 0x15a0200
arch_prctl(ARCH_SET_FS, 0x159f8c0)      = 0
uname({sys="Linux", node="graveyard", ...}) = 0
readlink("/proc/self/exe", "/home/*snip*/meltdown-checke"..., 4096) = 33
brk(0x15c1200)                          = 0x15c1200
brk(0x15c2000)                          = 0x15c2000
--- SIGILL {si_signo=SIGILL, si_code=ILL_ILLOPN, si_addr=0x459778} ---
+++ killed by SIGILL +++
zsh: illegal hardware instruction  strace ./meltdown-checker

Gdb:

Starting program: /home/*snip*/meltdown-checker 

Program received signal SIGILL, Illegal instruction.
0x0000000000459778 in std::ctype<wchar_t>::_M_initialize_ctype() ()
(gdb) bt
#0  0x0000000000459778 in std::ctype<wchar_t>::_M_initialize_ctype() ()
#1  0x0000000000424cee in std::locale::_Impl::_Impl(unsigned long) ()
#2  0x0000000000425654 in std::locale::_S_initialize_once() ()
#3  0x0000000000425756 in std::locale::locale() ()
#4  0x0000000000420741 in std::ios_base::Init::Init() ()
#5  0x00000000004197ba in __static_initialization_and_destruction_0(int, int) ()
#6  0x0000000000419825 in _GLOBAL__sub_I_meltdown_checker.cc ()
#7  0x00000000004fa7ec in __libc_csu_init ()
#8  0x00000000004fa00d in __libc_start_main ()
#9  0x000000000041837a in _start ()

Compile error

Hi,

Thanks for this tool. Unfortunately I can't make it compile. Can you advise on below?

$ cat /etc/os-release
NAME="Arch Linux"
..

$ uname -a
Linux linodeplz 4.14.8-1-ec2 #1 SMP Wed Dec 20 23:21:01 PST 2017 x86_64 GNU/Linux
$ gcc -v
Using built-in specs.
COLLECT_GCC=/usr/bin/gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-pc-linux-gnu/7.2.1/lto-wrapper
Target: x86_64-pc-linux-gnu
Configured with: ...
Thread model: posix
gcc version 7.2.1 20171021 (GCC)
$ make
g++ -I. --std=c++11 -O0 --no-pie -mrtm -c -o meltdown_checker.o meltdown_checker.cc
g++ -I. --std=c++11 -O0 --no-pie -mrtm -o meltdown-checker meltdown_checker.o
/usr/bin/ld: meltdown_checker.o: relocation R_X86_64_32 against `.rodata' can not be used when making a shared object; recompile with -fPIC
/usr/bin/ld: final link failed: Nonrepresentable section on output
collect2: error: ld returned 1 exit status
make: *** [Makefile:9: meltdown-checker] Error 1

Fail to run it.

(gdb) r
Starting program: /home/user/Am-I-affected-by-Meltdown-master/meltdown-checker 
error in line:           (null) A irq_stack_union

Program received signal SIGABRT, Aborted.
0x00007ffff716b860 in raise () from /usr/lib/libc.so.6

Unable to compile on Debian 9.3, i686 (as in 32 bit)

# make
g++ -I. --std=c++11 -O0 --no-pie -fPIC -mrtm -DHAS_COMPILER_RTM_SUPPORT -c -o meltdown_checker.o meltdown_checker.cc 
meltdown_checker.cc: In function ‘void transaction_trap_mitigation(int, siginfo_t*, void*)’:
meltdown_checker.cc:82:32: error: ‘REG_RIP’ was not declared in this scope
     context->uc_mcontext.gregs[REG_RIP] = (uintptr_t)__speculative_byte_load_exit;
                                ^~~~~~~
meltdown_checker.cc: In function ‘bool validate_syscall_table_entry(const void*, const std::unordered_map<unsigned int, std::__cxx11::basic_string<char> >&)’:
meltdown_checker.cc:165:57: error: invalid cast from type ‘uint64_t {aka long long unsigned int}’ to type ‘uintptr_t {aka unsigned int}’
     uintptr_t ptr = reinterpret_cast<uintptr_t>(entry[0]);
                                                         ^
Makefile:12: recipe for target 'meltdown_checker.o' failed

gcc version 6.3.0 20170516 (Debian 6.3.0-18), Debian 9.3

unable to compile on debian 8.10 with g++ 4.9.2

compiling latest commit 923165e

$ make
g++ -I. --std=c++11 -O0 --no-pie -fPIC -c -o meltdown_checker.o meltdown_checker.cc
In file included from meltdown_checker.cc:49:0:
assembly_utils.hh:36:2: warning: #warning "Using native impl. of TSX due to GCC version older than 4.8. No need to worry about it!" [-Wcpp]
#warning "Using native impl. of TSX due to GCC version older than 4.8. No need to worry about it!"
^
In file included from /usr/lib/gcc/x86_64-linux-gnu/4.9/include/immintrin.h:65:0,
from /usr/lib/gcc/x86_64-linux-gnu/4.9/include/x86intrin.h:46,
from /usr/include/x86_64-linux-gnu/c++/4.9/bits/opt_random.h:33,
from /usr/include/c++/4.9/random:50,
from /usr/include/c++/4.9/bits/stl_algo.h:66,
from /usr/include/c++/4.9/algorithm:62,
from meltdown_checker.cc:41:
assembly_utils.hh:38:22: error: expected class-name before numeric constant
static constexpr int _XBEGIN_STARTED = ~0u;
^
assembly_utils.hh:38:22: error: expected ‘)’ before numeric constant
In file included from meltdown_checker.cc:49:0:
assembly_utils.hh: In function ‘int _xbegin()’:
assembly_utils.hh:41:24: error: ambiguating new declaration of ‘int _xbegin()’
inline int _xbegin(void) {
^
In file included from /usr/lib/gcc/x86_64-linux-gnu/4.9/include/immintrin.h:65:0,
from /usr/lib/gcc/x86_64-linux-gnu/4.9/include/x86intrin.h:46,
from /usr/include/x86_64-linux-gnu/c++/4.9/bits/opt_random.h:33,
from /usr/include/c++/4.9/random:50,
from /usr/include/c++/4.9/bits/stl_algo.h:66,
from /usr/include/c++/4.9/algorithm:62,
from meltdown_checker.cc:41:
/usr/lib/gcc/x86_64-linux-gnu/4.9/include/rtmintrin.h:50:1: note: old declaration ‘unsigned int _xbegin()’
_xbegin (void)
^
In file included from meltdown_checker.cc:49:0:
assembly_utils.hh: In function ‘void _xend()’:
assembly_utils.hh:48:13: error: ‘void _xend()’ redeclared inline without ‘gnu_inline’ attribute
inline void _xend(void) {
^
In file included from /usr/lib/gcc/x86_64-linux-gnu/4.9/include/immintrin.h:65:0,
from /usr/lib/gcc/x86_64-linux-gnu/4.9/include/x86intrin.h:46,
from /usr/include/x86_64-linux-gnu/c++/4.9/bits/opt_random.h:33,
from /usr/include/c++/4.9/random:50,
from /usr/include/c++/4.9/bits/stl_algo.h:66,
from /usr/include/c++/4.9/algorithm:62,
from meltdown_checker.cc:41:
/usr/lib/gcc/x86_64-linux-gnu/4.9/include/rtmintrin.h:61:1: note: ‘void _xend()’ previously defined here
_xend (void)
^
Makefile:12: recipe for target 'meltdown_checker.o' failed
make: *** [meltdown_checker.o] Error 1
$ g++ --version
g++ (Debian 4.9.2-10) 4.9.2
Copyright (C) 2014 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

$ uname -a
Linux debian-pc 3.16.0-4-amd64 # 1 SMP Debian 3.16.51-3 (2017-12-13) x86_64 GNU/Linux
$ lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 8.10 (jessie)
Release: 8.10
Codename: jessie
$

Can't build program unless bc is installed

Worked fine yesterday, pulled the latest code and ran into this issue

/bin/sh: 1: bc: not found
g++ -I. --std=c++11 -O0 --no-pie -mrtm -fPIC -c -o meltdown_checker.o meltdown_checker.cc 
In file included from meltdown_checker.cc:49:0:
assembly_utils.hh:36:2: warning: #warning "Using native impl. of TSX due to GCC version older than 4.8. No need to worry about it!" [-Wcpp]
 #warning "Using native impl. of TSX due to GCC version older than 4.8. No need to worry about it!"
  ^
In file included from /usr/lib/gcc/x86_64-linux-gnu/5/include/immintrin.h:83:0,
                 from /usr/lib/gcc/x86_64-linux-gnu/5/include/x86intrin.h:46,
                 from /usr/include/x86_64-linux-gnu/c++/5/bits/opt_random.h:33,
                 from /usr/include/c++/5/random:50,
                 from /usr/include/c++/5/bits/stl_algo.h:66,
                 from /usr/include/c++/5/algorithm:62,
                 from meltdown_checker.cc:41:
assembly_utils.hh:38:22: error: expected class-name before numeric constant
 static constexpr int _XBEGIN_STARTED = ~0u;
                      ^
assembly_utils.hh:38:22: error: expected ‘)’ before numeric constant
In file included from meltdown_checker.cc:49:0:
assembly_utils.hh: In function ‘int _xbegin()’:
assembly_utils.hh:41:24: error: ambiguating new declaration of ‘int _xbegin()’
 inline int _xbegin(void) {
                        ^
In file included from /usr/lib/gcc/x86_64-linux-gnu/5/include/immintrin.h:83:0,
                 from /usr/lib/gcc/x86_64-linux-gnu/5/include/x86intrin.h:46,
                 from /usr/include/x86_64-linux-gnu/c++/5/bits/opt_random.h:33,
                 from /usr/include/c++/5/random:50,
                 from /usr/include/c++/5/bits/stl_algo.h:66,
                 from /usr/include/c++/5/algorithm:62,
                 from meltdown_checker.cc:41:
/usr/lib/gcc/x86_64-linux-gnu/5/include/rtmintrin.h:50:1: note: old declaration ‘unsigned int _xbegin()’
 _xbegin (void)
 ^
In file included from meltdown_checker.cc:49:0:
assembly_utils.hh: In function ‘void _xend()’:
assembly_utils.hh:48:13: error: ‘void _xend()’ redeclared inline without ‘gnu_inline’ attribute
 inline void _xend(void) {
             ^
In file included from /usr/lib/gcc/x86_64-linux-gnu/5/include/immintrin.h:83:0,
                 from /usr/lib/gcc/x86_64-linux-gnu/5/include/x86intrin.h:46,
                 from /usr/include/x86_64-linux-gnu/c++/5/bits/opt_random.h:33,
                 from /usr/include/c++/5/random:50,
                 from /usr/include/c++/5/bits/stl_algo.h:66,
                 from /usr/include/c++/5/algorithm:62,
                 from meltdown_checker.cc:41:
/usr/lib/gcc/x86_64-linux-gnu/5/include/rtmintrin.h:61:1: note: ‘void _xend()’ previously defined here
 _xend (void)
 ^
Makefile:12: recipe for target 'meltdown_checker.o' failed
make: *** [meltdown_checker.o] Error 1

Fixed by installing bc

Problem with gcc 4.7.2-5 on Debian7

"# make
g++ -I. --std=c++11 -O0 --no-pie -fPIC -c -o meltdown_checker.o meltdown_checker.cc
In file included from meltdown_checker.cc:49:0:
assembly_utils.hh:38:2: warning: #warning "Using native impl. of TSX due to GCC version older than 4.8. No need to worry about it!" [-Wcpp]
meltdown_checker.cc: In function ‘uint8_t probe_one_syscall_table_address_byte(uintptr_t, char*, int&)’:
meltdown_checker.cc:103:44: error: aggregate ‘std::array<long unsigned int, 256ul> index_heat’ has incomplete type and cannot be defined
make: *** [meltdown_checker.o] Erreur 1"

Compilation error: static_assert expects comma

Hi, I have a compilation error. See below for detailed explanations :-)

What system am I running?

$ uname -v
Linux xxxx 4.12.12-gentoo #1 SMP Sat Nov 11 14:11:35 CET 2017 x86_64 Intel(R) Core(TM) i7-3520M CPU @ 2.90GHz GenuineIntel GNU/Linux

What am I doing?

$ make 2> compile.err
g++ -I. --std=c++11 -O0 --no-pie -mrtm -fPIC -c -o meltdown_checker.o meltdown_checker.cc

What is the result?

$ cat compile.err
meltdown_checker.cc: Dans la fonction ‘uint8_t probe_one_syscall_table_address_byte(uintptr_t, char*)’:
meltdown_checker.cc:96:75: erreur : expected ‘,’ before ‘)’ token
         static_assert(total_pages <= std::numeric_limits<uint8_t>::max()+1);
                                                                           ^
meltdown_checker.cc:96:75: erreur : expected string-literal before ‘)’ token
make: *** [Makefile:6: meltdown_checker.o] Error 1

RedHat 7 VM on ESXi Host - Unable to read /proc/kallsyms

Here is the error:

[root@server Am-I-affected-by-Meltdown]# ./meltdown-checker 
Unable to read /proc/kallsyms. That means your system doesn't allow non-root programs to read the file. 
By the time being, consider running the program as root to verify if your system is affected by Meltdown. 
Aborted 
[root@server Am-I-affected-by-Meltdown]# cat /proc/kallsyms | grep sys_call 
0000000000000000 t proc_sys_call_handler 
0000000000000000 t ret_from_sys_call 
0000000000000000 T int_ret_from_sys_call 
0000000000000000 t sysexit_from_sys_call 
0000000000000000 t sysretl_from_sys_call 
0000000000000000 t ia32_ret_from_sys_call 
0000000000000000 R sys_call_table 
0000000000000000 R ia32_sys_call_table 

This gets me kind of confused. Why would a script running with root have problems reading a file?
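
The zero-value "matches" reported under "Minor issue with confusing output" and the all-zero addresses in the RedHat 7 /proc/kallsyms listing above both come down to a symbol lookup keyed on address 0. The C++ below is an added example, not the project's code: `SymbolTable`, `parse_kallsyms`, `classify` and both sample tables are hypothetical, and the `sys_read` address is constructed. It flags a table whose addresses are all zero (which is how the kernel prints them when `kernel.kptr_restrict` hides pointers) and reports a leaked zero as inconclusive instead of resolving it to the first zero-address symbol.

```cpp
#include <cstdint>
#include <iostream>
#include <sstream>
#include <string>
#include <unordered_map>

// Parsed /proc/kallsyms-style text: "<hex address> <type> <name>" per line.
struct SymbolTable {
    std::unordered_map<uint64_t, std::string> by_addr;
    std::size_t total = 0;   // well-formed lines
    std::size_t zeroed = 0;  // lines whose address is 0
    // All addresses zero: the kernel is hiding pointers, lookups are meaningless.
    bool masked() const { return total > 0 && zeroed == total; }
};

SymbolTable parse_kallsyms(const std::string& text) {
    SymbolTable t;
    std::istringstream in(text);
    std::string line;
    while (std::getline(in, line)) {
        std::istringstream fields(line);
        std::string addr, type, name;
        if (!(fields >> addr >> type >> name)) continue;  // malformed line
        uint64_t a = 0;
        try { a = std::stoull(addr, nullptr, 16); } catch (...) { continue; }
        ++t.total;
        if (a == 0) ++t.zeroed;
        t.by_addr.emplace(a, name);  // keeps the first symbol seen per address
    }
    return t;
}

// Resolve one leaked 64-bit value; a zero is reported as inconclusive, not as a match.
std::string classify(const SymbolTable& t, uint64_t value) {
    if (t.masked()) return "symbols masked";
    if (value == 0) return "zero (inconclusive)";
    auto it = t.by_addr.find(value);
    return it == t.by_addr.end() ? "unknown" : it->second;
}

// Constructed samples: masked lines as in the RedHat report, and a readable table.
const std::string kMaskedSample =
    "0000000000000000 R sys_call_table\n"
    "0000000000000000 R ia32_sys_call_table\n";
const std::string kReadableSample =
    "0000000000000000 A irq_stack_union\n"
    "ffffffff81801400 R sys_call_table\n"
    "ffffffff81234560 T sys_read\n";  // constructed address

int main() {
    SymbolTable t = parse_kallsyms(kReadableSample);
    std::cout << classify(t, 0) << "\n" << classify(t, 0xffffffff81801400ULL) << "\n";
}
```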

Debian 8.10 & 7.11 - Can't compile

gcc ver Debian 4.7.2-5

g++ -I. --std=c++11 -O0 --no-pie -mrtm -fPIC -c -o meltdown_checker.o meltdown_checker.cc
g++: error: unrecognized command line option ‘-mrtm’
make: *** [meltdown_checker.o] Error 1
