[Info-vax] Intel junk...Kernel-memory-leaking Intel processor design flaw forces Linux, Windows redesign

JF Mezei jfmezei.spamnot at vaxination.ca
Fri Jan 5 01:37:08 EST 2018 

On 2018-01-04 17:04, Tim Streater wrote:

> But AIUI, the protection isn't applied when the CPU does speculative
> instruction execution. It's unclear why, though.


The protection IS applied. But...


Here is how it works:

-read 1 byte from memory location Y (for which your process does NOT
have access) into register x.

-move "1" to my_array[x]

So normally, you'd read a value from memory, and then use that value as
an index into a 256 byte array where you then move a "1". (the rest of
the array is all zeros).


The CPU starts to process first instruction and sends the "read 1 byte
from memory at virtual location Y" request to memory subsystem. While it
waits for that to finish, it starts to preprocess the next instruction
which eventually has to wait for the value from memory to arrive.

The memory system does the virtual to physical translation, sends
request to the memory to read that byte, and then check the virtual
translation table to see if you have access to that memory.

The problem is that by the time it decides it was illegal memory access,
the request to read tyat byte has already gone to memory and will return
to internal CPU register (not to register x). The instruction will not
complete and will not store the value in register X because it goes to
the exception handler for an illegal memory access.

The problem is that the next instruction, all prepped and ready, is
allowed to go the microsecond the memory contents have been received
into the internal CPU register, and one reason for this is that it
doesn't do anything with the value (not stored elsewhere), it simply
used as an index into an array.

That array is modified by that second instruction, but it only goes as
far as the cache and not to RAM before the exception handler runs things
down and undoes the instructions.

Here is the trick:  a second process keeps flushing the CPU's cache and
checking for changes. When process 1 changes the array, even though it
doesn't go to RAM, it is visivble in the cache and second process sees
that the 57th byte in array has been modified with a "1". This means
that the value read fron kernel memory was 57.

You need to repeat that for every byte read.

More information about the Info-vax mailing list