I am trying to implement the Meltdown vulnerability on a Linux Intel x86 laptop for a class demo. On the machine I am using I have nokaslr and pti=off in the kernel parameters.

I have created a kernel module that creates a global static char array called secret_array_kernel and then printk's the address of this array. In my terminal I then retrieve the address using dmesg, for example 0000000054b7a361. I then take this address and copy and paste it into a program called MeltdownAttack.c that tries to find the contents of each index of this string using Meltdown. I run the program with the given address of the array (in this case 0000000054b7a361) only to find out it does not work. I repeated running the program but was unable to get it to print out the correct value once.

My first step in debugging was to create a global static char array called test, similar to how I did in the kernel module, but now this array lives inside of MeltdownAttack.c. I passed the address of this new array and I was able to get the contents of this array using the same functions as I tried with the address of secret_array_kernel.

From what I understand in terms of virtual memory, the array test lives in the process's user virtual memory, while the array secret_array_kernel lives in the process's kernel virtual memory. I know some of the kernel virtual memory is identical for each process but some is different for each process.
My kernel module looks something like this:
//...
#include <linux/module.h>
#include <linux/proc_fs.h>
#include <linux/vmalloc.h>
#include <linux/errno.h>

static char secret[8] = {'M','Y','S','E','C','R','E','T'};
static char *secret_buffer;
static struct proc_dir_entry *secret_entry;
// test_proc_fops (the /proc read handler) is defined in the part of the module omitted here
//...
static __init int test_proc_init(void)
{
    // write message in kernel message buffer
    // note: since Linux 4.15, %p prints a hashed value rather than the raw address; %px prints it unmodified
    printk("secret data address:%p\n", &secret);
    // secret has no terminating NUL, so a plain %s would read past the 8-byte array; limit the width
    printk("secret data value :%.8s\n", secret);
    secret_buffer = (char*)vmalloc(8);
    // create data entry in /proc
    secret_entry = proc_create_data("secret_data",
                                    0444, NULL, &test_proc_fops, NULL);
    if (secret_entry) return 0;
    return -ENOMEM;
}
module_init(test_proc_init);
//...
To then get the address I do:
$ sudo insmod MeltdownKernel.ko
$ dmesg | grep 'secret data address'
which prints:
[ 485.147336] secret data address:0000000054b7a361
I have the following questions:
- I am unsure whether the address given by dmesg is the address of the array in virtual memory or physical memory (I believe it to be virtual memory).
- If this address does live in virtual memory, and lives in the kernel virtual memory, I am unsure whether the address of the array secret_array_kernel that was printed out by dmesg lives in the part that is identical for each process or lives in the part that is different for each process. See image here.
- I am also unsure if it's okay for me to use the exact same address that was given by the kernel module after I ran dmesg, to then be used inside MeltdownAttack.c. (Do I need to put some sort of offset?)
Clearing up this will help me deduce whether I should try to fix my code again or just modify the address I'm using.
I am sorry if I have bad grammar in the post. English is not my first language.
It is a virtual address in kernel space. Kernel virtual addresses will be the same for all processes (unless the mapping is explicitly changed). The diagram is weird, but your array is in the kernel code and data section.
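A check that helps with the first question, added here as an example (it is not code from the question or the answer): on x86-64 a kernel virtual address always sits in the canonical upper half and prints with a leading ffff, so a logged value can be sorted into "kernel half", "user half" or "neither" from its shape alone. It also matters which format string produced the log line: since Linux 4.15 printk's %p prints a hashed value, zero-padded to 16 hex digits, not the real address (pointer hashing is a hardening feature that keeps raw kernel addresses out of logs; %px prints the raw address). The dmesg line below is constructed, modelled on the one in the question; the sysfs path is the kernel's own Meltdown status file and is only read if it exists.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumptions: x86-64 with
# 4-level paging (kernel half starts at ffff8000_00000000) and Linux >= 4.15,
# where printk's %p emits a hashed value padded to 16 hex digits. The dmesg
# line below is constructed.

SAMPLE_DMESG='[  485.147336] secret data address:0000000054b7a361'

# Pull the 16-hex-digit value that follows "address:" out of a dmesg line.
extract_addr() {
    printf '%s\n' "$1" | sed -n 's/.*address:\([0-9a-fA-F]\{16\}\).*/\1/p'
}

# Classify a 16-hex-digit value printed by a 64-bit x86 kernel:
#   kernel-virtual   canonical upper-half address (ffff8000_00000000 and up)
#   hashed-%p-shape  eight leading zeros: the value fits in 32 bits, which is
#                    the shape of a hashed %p; a real x86-64 kernel address never
#                    looks like this (a low user-space address could, so check
#                    the format string in the module before concluding)
#   user-virtual     canonical lower-half address (below 0000_8000_0000_0000)
#   non-canonical    anything else: not a valid x86-64 virtual address
classify_kernel_ptr() {
    v=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case "$v" in
        ffff[89a-f]*) echo "kernel-virtual" ;;
        00000000*)    echo "hashed-%p-shape" ;;
        0000[0-7]*)   echo "user-virtual" ;;
        *)            echo "non-canonical" ;;
    esac
}

# Interpret the text of /sys/devices/system/cpu/vulnerabilities/meltdown,
# exposed by the kernel since 4.15 ("Mitigation: PTI", "Vulnerable", ...),
# which is how to confirm what pti=off actually did on the running kernel.
meltdown_status() {
    case "$1" in
        "Mitigation: PTI"*) echo "pti-on" ;;
        "Vulnerable"*)      echo "pti-off" ;;
        "Not affected"*)    echo "not-affected" ;;
        *)                  echo "unknown" ;;
    esac
}

main() {
    addr=$(extract_addr "$SAMPLE_DMESG")
    echo "logged value $addr -> $(classify_kernel_ptr "$addr")"
    f=/sys/devices/system/cpu/vulnerabilities/meltdown
    if [ -r "$f" ]; then
        echo "meltdown status -> $(meltdown_status "$(cat "$f")")"
    fi
}

main
```

Run on the value from the question, the script reports hashed-%p-shape: eight leading zeros cannot be an address in the kernel half of an x86-64 address space, so before reasoning about offsets it is worth confirming which format string the module used. The sysfs check is the authoritative way to see whether page-table isolation is in effect rather than trusting the command line alone.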