Working with this PoC

https://github.com/IAIK/meltdown

Running it:

# ./secret 
[+] Secret: Sample text
[+] Virtual address of secret: 0x4af528
[+] Physical address of secret: 0x172bc3528
[+] Exit with Ctrl+C if you are done reading the secret

However, reading shows nothing:

$ ./physical_reader 0x172bc3528
[+] Physical address       : 0x172bc3528
[+] Physical offset        : 0xffff880000000000
[+] Reading virtual address: 0xffff880172bc3528

I have KASLR disabled.

 BOOT_IMAGE=/boot/vmlinuz-4.4.0-93-generic root=UUID=6c2b06f8-b8dd-4117-a77e-2425b27fb749 ro quiet splash crashkernel=384M-2G:128M,2G-:256M vt.handoff=7

Reliability test works fine:

# ./reliability 
[-] Success rate: 99.40% (read 166 values)

Does anybody have an idea why it cannot read the memory address from secret?

Without KASLR, the physical offset will always remain 0xffff880000000000, right?

Thanks,

dev

1 Answer

OK, figured it out. Based on this:

https://github.com/IAIK/meltdown#frequently-asked-questions

With 4 cores I installed and ran the stress utility:

stress -i 4

And I was able to read the memory with the two PoCs I had.

Yes, the physical offset was 0xffff880000000000.

dev