tech-kern archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: meltdown





On Thu, Jan 4, 2018 at 2:58 PM, Mouse <mouse%rodents-montreal.org@localhost> wrote:
> As I understand it, on intel cpus and possibly more, we'll need to
> unmap the kernel on userret, or else userland can read arbitrary
> kernel memory.

"Possibly more"?  Anything that does speculative execution needs a good
hard look, and that's damn near everything these days.

> Also, I understand that to exploit this, one has to attempt to access
> kernel memory a lot, and SEGV at least once per bit.

I don't think so.  Traps that would be taken during normal execution
are not taken during speculative execution.  The problem is, to quote
one writeup I found, "Intel CPUs are allowed to access kernel memory
when performing speculative execution, even when the application in
question is running in user memory space.  The CPU does check to see if
an invalid memory access occurs, but it performs the check after
speculative execution, not before.".  This means that things like cache
line loads can occur based on values the currently executing process
should not be able to access; timing access to data that cache-collides
with the cache lines of interest reveals the leaked bit(s).

Nowhere in there is a SEGV generated.

That's the meltdown stuff.  Spectre targets other things (I've seen
branch prediction mentioned) to leak information around protection
barriers.

I think you are confusing spectre and meltdown.

meltdown requires a sequence like:

exception (*0 = 0 or a = 1 / 0);
do speculative read

to force a trip into kernel land just before the speculative read so that otherwise not readable stuff gets (or does not get) read into cache which can then be probed for data.

spectre requires  a trip into the kernel to force execution of 

if (from-userland < boundary) { array[from-userland] <mumble }

or the branch variant.

Warner



Home | Main Index | Thread Index | Old Index