
BUG: unable to handle kernel NULL pointer dereference at 0000000000000040, inside a kernel module


I am trying to reproduce a microarchitectural attack on an SGX enclave described here. While doing so, in one of the ioctl commands (CACHEZOOM_IOCTL_TEST) I get: BUG: unable to handle kernel NULL pointer dereference at 0000000000000040.

The handler for the ioctl command (CACHEZOOM_IOCTL_TEST) calls the inline-assembly macros PRIME and PROBE, which is where I have narrowed the problem down to. The PRIME macro should fill the whole L1 data cache with dummy data. PROBE should then re-access the dummy data and record the access time using rdtsc. The process is also pinned to a single CPU core with taskset, so all of this runs on one core.

I have attached code snippets for the ioctl command handler and the two inline-assembly macros:

/*
 * ioctl handler for CACHEZOOM_IOCTL_TEST: walks the table once per L1 set
 * (prime), walks it again with timing (probe), then dumps the per-set probe
 * result to the kernel log.
 *
 * @filep, @cmd, @arg: the usual ioctl handler parameters; none of them is read
 *                     here, so any command value reaching this handler is treated
 *                     the same way.
 * Returns 0 unconditionally.
 *
 * Depends on file-scope names that are not part of this snippet:
 * _SPY_POINTER_LIST_ (the table the macros walk), CPU_L1_CACHE_SET_COUNT, and
 * the prime()/probe()/idx0() macros. How _SPY_POINTER_LIST_ is allocated and
 * filled is not visible here. Because prime()/probe() are macros, their inline
 * assembly is expanded into this function, which is why the oops IP reported in
 * dmesg points into cachezoom_ioctl_test itself.
 */
static long cachezoom_ioctl_test(struct file *filep,  unsigned int cmd, unsigned long arg){
  /* Set counter. The PRIME/PROBE unrolling macros capture this exact name, but
   * this handler drives prime()/probe() from for-loops instead. */
  register int _CURRENT_SET_;
  /* NOTE(review): kernels that hash %p (4.15 and later) print an obfuscated
   * value here, so this line cannot show whether the pointer is NULL. */
  printk(KERN_ALERT "_SPY_POINTER_LIST_: %p",_SPY_POINTER_LIST_);
  /* Alignment directive emitted into the instruction stream. Without `volatile`
   * an asm statement with no outputs may be dropped or moved by the compiler,
   * so this one is not guaranteed to land where it is written. */
  asm(".align 64");
  /* Pass 1: for every set, follow the eight-load pointer chain (prime). */
  for(_CURRENT_SET_ = 0; _CURRENT_SET_ < CPU_L1_CACHE_SET_COUNT; _CURRENT_SET_++)
    prime(_SPY_POINTER_LIST_, _CURRENT_SET_);
  printk(KERN_ALERT "Test Hello2");
  asm volatile(".align 64");
  /* Pass 2: for every set, time the same chain and store the result in the
   * table at _table + idx0(set) + 2 (see probe()). */
  for(_CURRENT_SET_ = 0; _CURRENT_SET_ < CPU_L1_CACHE_SET_COUNT; _CURRENT_SET_++)
    probe(_SPY_POINTER_LIST_, _CURRENT_SET_);
  /* Pass 3: print the value probe() stored for each set.
   * NOTE(review): probe() stores through a (char*) cast, but this read does not
   * cast, so the width of the value read depends on the element type of
   * _SPY_POINTER_LIST_ — confirm it is a byte type. */
  for(_CURRENT_SET_ = 0; _CURRENT_SET_ < CPU_L1_CACHE_SET_COUNT; _CURRENT_SET_++)
    printk(KERN_ALERT "%d: %d\n", _CURRENT_SET_, *(_SPY_POINTER_LIST_ + idx0(_CURRENT_SET_) + 2));
  /* Visual separator between runs in the log. */
  printk("............................................................\n");
  return 0;
}

Inline assembly code:

/* Table offset of line `_line` in set `_set`: 4096 * _line / 8 (== 512 * _line)
 * + 8 * _set. 0b1000000000000 is a GCC binary-literal extension for 4096.
 * The result is added to _table with pointer arithmetic, so its unit is the
 * table's element size, not necessarily bytes — the element type of
 * _SPY_POINTER_LIST_ is not visible in this snippet. */
#define idx(_line, _set) ( (0b1000000000000 * (_line)) / 8 + ((8 * (_set))))
/* Offset of line 0 of set `_set`; idx(0, _set) reduces to the same value. */
#define idx0(_set) (8 * (_set))
/* prime(_table, _set): statement expression that performs eight dependent loads
 * starting at _table + idx(0, _set). Each "mov (%rbx), %rbx" replaces rbx with
 * the value loaded from the address rbx currently holds, i.e. the table is
 * expected to contain a chain of pointers; if any link in the chain is 0, the
 * following load faults at address 0.
 *
 * Operand syntax: `[_itr] "b" (expr)` is a GCC extended-asm INPUT operand with
 * the symbolic name _itr and the constraint "b", meaning "load expr into rbx
 * before the template runs". The name _itr is never used; the template names
 * %%rbx directly. The empty ":" before it is the (absent) output-operand list.
 *
 * NOTE(review): the template overwrites rbx, yet rbx is declared only as an
 * input and there is no clobber list, so the compiler is entitled to assume
 * rbx still holds the input value when the asm finishes. Whether that is the
 * cause of the fault at 0x40 cannot be decided from this snippet alone.
 * `delta` is declared but never used in this macro. */
#define \
prime(_table, _set)({\
  do {\
    register uint16_t delta;\
    asm volatile(\
                      "mfence;"\
/* eight chained loads: rbx <- *rbx */\
"mov (%%rbx), %%rbx;"\
"mov (%%rbx), %%rbx;"\
"mov (%%rbx), %%rbx;"\
"mov (%%rbx), %%rbx;"\
"mov (%%rbx), %%rbx;"\
"mov (%%rbx), %%rbx;"\
"mov (%%rbx), %%rbx;"\
"mov (%%rbx), %%rbx;"\
      : \
      : [_itr] "b" (_table + idx(0, _set))\
    );\
    } while(0);\
})
/* PRIME primes the current set and then advances _CURRENT_SET_ itself, so
 * PRIME_N is an N-times unrolled loop over consecutive sets. These rely on a
 * variable literally named _CURRENT_SET_ being in scope; the handler shown in
 * the question uses prime() in a for-loop rather than these. */
#define PRIME prime(_SPY_POINTER_LIST_, _CURRENT_SET_); _CURRENT_SET_++
#define PRIME_2 PRIME; PRIME
#define PRIME_4 PRIME_2; PRIME_2
#define PRIME_8 PRIME_4; PRIME_4
#define PRIME_16 PRIME_8; PRIME_8
#define PRIME_32 PRIME_16; PRIME_16
#define PRIME_64 PRIME_32; PRIME_32
/* rdtsc -- Loads the current value of the processor's time-stamp counter into the EDX:EAX registers */ 
/* probe(_table, _set): the same eight-load chain, starting at
 * _table + idx(7, _set) + 1, bracketed by two rdtsc reads. The template saves
 * rax in r10, takes the first timestamp (low 32 bits into ecx), walks the
 * chain, takes the second timestamp, computes start - end in rcx, restores
 * rax, then negates rcx so the output "=c" (delta) is end - start. delta is
 * then clamped to 0xff and stored as one byte at _table + idx0(_set) + 2,
 * which is where cachezoom_ioctl_test reads the result back.
 *
 * NOTE(review): rdtsc writes edx:eax and the template also writes r10 and rbx,
 * but only rcx is declared as an output; rdx, r10 and rbx appear in no clobber
 * list, and the fences carry no "memory" clobber. */
#define \
probe(_table, _set)({\
  do {\
    register uint32_t delta;\
    asm volatile(\
"mov %%rax, %%r10;"\
"mfence;"\
"rdtsc;"\
"mov %%eax, %%ecx;"\
/* eight chained loads: rbx <- *rbx */\
"mov (%%rbx), %%rbx;"\
"mov (%%rbx), %%rbx;"\
"mov (%%rbx), %%rbx;"\
"mov (%%rbx), %%rbx;"\
"mov (%%rbx), %%rbx;"\
"mov (%%rbx), %%rbx;"\
"mov (%%rbx), %%rbx;"\
"mov (%%rbx), %%rbx;"\
"lfence;"\
"rdtsc;"\
"sub %%rax, %%rcx;"\
"mov %%r10, %%rax;"\
"neg %%rcx;"\
      : "=c" (delta)\
      : [_itr] "b" (_table + idx(7, _set) + 1)\
    );\
    /* clamp to one byte before storing the measurement in the table */\
    if(delta > 0xff)\
      *((char*)(_table + idx0(_set) + 2)) = 0xff;\
    else\
      *((char*)(_table + idx0(_set) + 2)) = delta;\
    } while(0);\
})
/* PROBE/PROBE_N mirror PRIME/PRIME_N: probe the current set, advance
 * _CURRENT_SET_, unrolled N times. */
#define PROBE probe(_SPY_POINTER_LIST_, _CURRENT_SET_); _CURRENT_SET_++
#define PROBE_2 PROBE; PROBE
#define PROBE_4 PROBE_2; PROBE_2
#define PROBE_8 PROBE_4; PROBE_4
#define PROBE_16 PROBE_8; PROBE_8
#define PROBE_32 PROBE_16; PROBE_16
#define PROBE_64 PROBE_32; PROBE_32

I do not fully understand this line of code:

[_itr] "b" (_table + idx(0, _set))

What does it do? Is it responsible for the bug?

The output of dmesg is as follows:

[ 3016.901674] _SPY_POINTER_LIST_: 00000000720f7f73
[ 3016.901680] BUG: unable to handle kernel NULL pointer dereference at 0000000000000040
[ 3016.901686] IP: cachezoom_ioctl_test+0x71/0x160 [cachezoom_kernel]
[ 3016.901687] PGD 0 P4D 0 
[ 3016.901689] Oops: 0000 [#11] SMP PTI
