Souldn't it also work, if /proc/version" is read from an other process into buffer?

[sebeka]

Just for understanding,

you open (proc-)file "/proc/version" and to get one bit of output you read 10000 times 256bit of it (always at the same position)
(void) pread(fd, buf, sizeof(buf), 0);

I don't understand it completly, but I mean reading a file while opening it, is no big deal.
Should it not also work, if /proc/version is read for some seconds by an other process?
I put the read file stuff into an other file and recompiled both. With running read process I started
./run.sh but I only get:
ffffffffbbe00060 = 0
ffffffffbbe00061 = 0
ffffffffbbe00062 = 0
...

[paboldin]

Should it not also work, if /proc/version is read for some seconds by an other process

I'm not sure and must be depending on the environment.

I put the read file stuff into an other file and recompiled both

I can't tell without the source code.

[sebeka]

As quick example, something like:
comment lines 163 to 167:
ret = pread(fd, buf, sizeof(buf), 0);
if (ret < 0) {
perror("pread");
break;
}

and in an other terminal run:

while [ 1 ]; do cat /proc/version > /dev/null; done

Maybe I miss understood the whole thing but in my opinion the code is accessing data for which it has permission anyways. Is it possible to output /proc/version without
fd = open("/proc/version", O_RDONLY);
in the same process?

So thanks for your test, but I don't get it at the moment.

[paboldin]

The kernel has the access to this memory, but not the userspace. But userspace can "read" it via cache accesses.

Try playing with processes affinities. Maybe try change the criteria of the success (I believe checking that hist[i] > 2 may be enough). Try enabling debug and show the results again.

[sebeka]

OK, I played with the thresholds
Now, even with reading /proc/version in a C loop and enabling DEBUG:
#ifdef DEBUG
for (i = 0; i < BITS_BY_READ; i++) {
if (hist[i] > 0)
printf("addr %lx hist[%x] = %d\n", addr, i, hist[i]);
}
#endif
There are only zeros.

Maybe, it is really some timing problem. Secondly I changed your original code, but while reading one bit, I load the file only once in buf, there are already random changes/mistakes in output.
So could be hard to exploit the bug in real world. Maybe it is also very cpu / architecture depending as you told.
Tried on "Intel(R) Core(TM) i5-4670 CPU @ 3.40GHz"
(your given example is working fine)

[paboldin]

I updated the code, it now reads whole bytes and uses a different approach to see what is the value read (a histogram).

If you read the /proc/version and run new code it from the same CPU it should work (use taskset). Don't forget to disable the pread().

$ cat readversion.c 

#include <unistd.h>
#include <fcntl.h>

int main()
{
	char buf[256];
	int fd;

	fd = open("/proc/version", O_RDONLY);
	while (1)
		(void) pread(fd, buf, sizeof(buf), 0);
	close(fd);
}

[paboldin]

@sebeka Please, next time just show the code by forking original and commiting in your fork. It is easy and it improves sociability. Git is a wonderful thing for this ability.