Akira Moroo retrage

@retrage
retrage / bitvisor-virtio-net-prompt.txt
Created January 7, 2026 01:55
LLM Prompt to find vulnerabilities in BitVisor's virtio-net implementation
You are an expert at finding and exploiting security vulnerabilities. Your speciality is finding vulnerabilities in the
hypervisor. You will be provided with C source code. You will read the code carefully and look for typical memory bugs that
lead to critical vulnerabilities.
You are very careful to avoid reporting false positives. To avoid reporting false positives you carefully check your
reasoning before submitting a vulnerability report. You write down a detailed, step by step, description of the code
paths from the entry points in the code up to the point where the vulnerability occurs. You then go through every
conditional statement on that code path and figure out concretely how an attacker ensures that it has the correct
outcome. Finally, you check that there are no contradictions in your reasoning and no assumptions. This ensures you
never report a false positive. If after performing your checks you realize that your initial report of a vulnerability
@retrage
retrage / milkv-megrez-sd-card-boot.log
Last active February 11, 2025 03:37
Milk-V Megrez SD Card Boot Log
pll config ok
die_num:0,die_ordinal:0
�pll config ok
die_num:0,die_ordinal:0
Firmware version:1.4;disable ECC
PHY0 training process:100%
PHY1 training process:100%
DDR type:LPDDR5;Size:32GB,Data Rate:6400MT/s
DDR self test OK
@retrage
retrage / openocd-usb-sipeed-visionfive2.cfg
Last active January 14, 2026 03:05
OpenOCD config for VisionFive 2 with Sipeed RV-Debugger-Plus
# REF: https://github.com/orangecms/RV-Debugger-BL702/blob/nezha/tools/openocd/openocd-usb-sipeed.cfg
# REF: https://github.com/strangerover2002/visionfive2-/blob/main/u74.cfg
# SiPEED USB-JTAG/TTL based on FT2232D
adapter driver ftdi
ftdi vid_pid 0x0403 0x6010
# http://blog.sipeed.com/p/727.html
ftdi channel 0
reset_config trst_only
transport select jtag
adapter speed 1000
@retrage
retrage / apfs_efi_jumpstart_dump.c
Last active September 18, 2021 08:27
Apple File System (APFS) EFI Jumpstart EFI Driver Extraction Application
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#include <stdbool.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/mman.h>
#define BLOCK_SIZE (512)
@retrage
retrage / pcb800099-bin-mod.md
Created May 2, 2020 01:03
PCB800099 Resolution Modification

[1] describes how to modify the PCB800099 firmware to change the resolution (from 1400x1050 to 480x1280). The source code can be found at [2]. The data to be modified is the PanelType structures [3]. Here is the definition.

@retrage
retrage / nabla-lkl-hello.log
Created January 20, 2020 11:11
Hello from Linux(lkl/musl) on Solo5(spt) on Docker(runnc)
$ docker run -i --runtime=runnc retrage/nabla-lkl-hello:latest /hello.
nabla
nabla-run arg [/opt/runnc/bin/nabla-run --x-exec-heap --mem=512 --block:rootfs=/
var/run/docker/runtime-runnc/moby/aa6f5263a2bd839b2fdc1cb0b4bb66d5c120e3aa4f5cd6
f76318788e8fde102e/rootfs.iso /var/lib/docker/overlay2/b9f7d682cd11b25c81edbb6c2
c1d7c6768a769f3c29db709b70a05f7191716d1/merged/hello.nabla {"env":"PATH=/usr/loc
al/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","env":"HOSTNAME=aa6f5263a2
bd","cmdline":"/var/lib/docker/overlay2/b9f7d682cd11b25c81edbb6c2c1d7c6768a769f3
c29db709b70a05f7191716d1/merged/hello.nabla","net":{"if":"ukvmif0","cloner":"Tru
e","type":"inet","method":"static","addr":"172.17.0.2","mask":"16","gw":"172.17.
@retrage
retrage / printhex.c
Created December 21, 2019 04:03
BitVisor loadvmm.efi printhex
static void
printhex (EFI_SYSTEM_TABLE *systab, uint64_t val, int width)
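{
	CHAR16 msg[2];

	/* Print the higher nibbles first, padding to at least `width` digits. */
	if (width > 1 || val >= 0x10)
		printhex (systab, val >> 4, width - 1);
	/* Emit the lowest nibble as one hex digit. */
	msg[0] = L"0123456789ABCDEF"[val & 0xF];
	msg[1] = L'\0';
	systab->ConOut->OutputString (systab->ConOut, msg);
}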
@retrage
retrage / lkl-build.md
Created October 24, 2019 08:38
lkl build time comparison

GNU ld:

$ /usr/bin/time make -C tools/lkl -j$(nproc) CC=clang
721.32user 36.81system 1:53.14elapsed 670%CPU (0avgtext+0avgdata 238908maxresident)k
272inputs+6619824outputs (0major+13666771minor)pagefaults 0swaps

LLVM lld:

@retrage
retrage / main.c
Created September 14, 2019 04:22
te-gen
/* SPDX-License-Identifier: MIT */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/mman.h>
@retrage
retrage / 0001-Avoid-gcc-warning-error.patch
Created July 10, 2019 03:51
Workaround for solo5 rumprun build with gcc >= 7
diff --git a/build-rr.sh b/build-rr.sh
index 2a8e4e1..ecd0646 100755
--- a/build-rr.sh
+++ b/build-rr.sh
@@ -389,6 +389,14 @@ buildrump ()
#
[ `${CC} -dumpversion | cut -f1 -d.` -ge 7 ] \
&& extracflags="$extracflags -F CPPFLAGS=-Wimplicit-fallthrough=0"
+ [ `${CC} -dumpversion | cut -f1 -d.` -ge 7 ] \
+ && extracflags="$extracflags -F CPPFLAGS=-Wno-maybe-uninitialized"
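Review bot: The added test repeats the `${CC} -dumpversion | cut -f1 -d.` check that the unchanged lines directly above already run for -Wimplicit-fallthrough=0, so the compiler is invoked a second time for the same answer. Fold both flags under a single gcc >= 7 check, or store the major version in a variable and test that. Passing -Wno-maybe-uninitialized through CPPFLAGS also turns the warning off for everything built with these flags rather than only the code that trips it, which can hide a real read of an uninitialized variable; a comment naming the sources that need the workaround would make it easier to drop later.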