Hi!
It looks like there's an Intel CPU bug, allowing prefetch from kernel
memory. It seems to be the reason KASLR patches are being pushed so fast to Linux.
https://mobile.twitter.com/brainsmoke/status/948561799875502080/photo/1
https://forums.freebsd.org/threads/63955/page-2#post-371276
Hmm.
Does that mean we can do
u16 *peek_addr = <somewhere into kernel>;
char cacheline1[64];
char cacheline2[64];
wbinvd();
if (*peek_addr == 0x1234)
(volatile char *) cacheline1[0];
else
(volatile char *) cacheline2[0];
The thread will certainly die with SIGSEGV here, but from another thread we
should be able to tell whether cacheline1 or cacheline2 is in cache... and
therefore read unreadable memory...?
Pavel
--
(english) http://www.livejournal.com/~pavelmachek
(Czech, pictures)
http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html