[Info-vax] Intel junk...Kernel-memory-leaking Intel processor design flaw forces Linux, Windows redesign

JF Mezei jfmezei.spamnot at vaxination.ca
Fri Jan 5 12:22:06 EST 2018


On 2018-01-05 11:57, Tim Streater wrote:

> 1) Process 2, you say, keeps flushing the CPU cache. How does it do
> this without root priv? And if it has that priv, there must be easier
> ways to get access to vital info without doing what you describe.


That is an issue which was not addressed by the Meltdown white paper. But
the transfer of data is dependent on the other process having access to
the CPU cache because that is the only way the data fetched by process 1
can be transferred to another process.

Without the cache technique, process 1 might have fetched the data it
wasn't supposed to, but that data would not have gone to a register or
to other location in memory as the exception would have stopped
everything before the instructions are committed.

The cache trick is a means for the dying process to leave breadcrumbs
that another process can pick up.

> 2) Process 1 reads from protected memory and will get an exception for
> each byte it tries to read. One supposes it has arranged recovery from
> these exceptions so it can try another byte-read. Wouldn't a prudent OS
> terminate any process that accumulates more than, say, 10 exceptions of
> this nature?


Yep. But the other way to do it is for the process itself to declare its
own exception handler so that even though the instructions are rolled
back, the process can continue with an attempt to read the next byte. (This
gets into performance design to read all of the RAM.)
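The two mechanisms discussed in this message, the cache "breadcrumb" and the process-installed exception handler, as an added example in ordinary user space (this is not code from the thread or from the Meltdown paper). It assumes x86-64 with the GCC/Clang clflush and rdtscp intrinsics for the timing part, and POSIX signals plus mprotect for the fault part. The transient kernel read that Meltdown relies on is deliberately left out: the "secret" is a plain user-space byte that the code touches architecturally, and the faulting reads hit a PROT_NONE user page, so nothing privileged is read. The 256-lane probe array, the 4096-byte stride, the vote count and the page-level fault loop are all choices made for this illustration.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
#if defined(__x86_64__)
#include <x86intrin.h>
#define HAVE_CACHE_TIMING 1
#else
#define HAVE_CACHE_TIMING 0   /* no portable flush/timer: channel reports -1 */
#endif

#define STRIDE 4096           /* one lane per byte value, a page apart (assumed) */
#define LANES  256

static uint8_t probe[LANES * STRIDE] __attribute__((aligned(STRIDE)));

/* Evict every lane so that only the lane touched afterwards comes back fast. */
static void flush_probe(void) {
#if HAVE_CACHE_TIMING
    for (int i = 0; i < LANES; i++) _mm_clflush(&probe[i * STRIDE]);
#endif
}

/* The breadcrumb: touching lane[value] pulls that line into the cache.
   In Meltdown this load happens transiently before the fault; here it is an
   ordinary architectural load so the channel itself can be studied. */
static void leave_breadcrumb(uint8_t value) {
    (void)*(volatile uint8_t *)&probe[value * STRIDE];
}

/* Cycles for one load of *p; a cached line is markedly faster than a miss. */
static uint64_t time_access(const volatile uint8_t *p) {
#if HAVE_CACHE_TIMING
    unsigned aux;
    uint64_t t0 = __rdtscp(&aux);
    (void)*p;
    uint64_t t1 = __rdtscp(&aux);
    return t1 - t0;
#else
    (void)p;
    return 0;
#endif
}

/* Time every lane in a scrambled order (defeats the prefetcher) and return
   the fastest one, i.e. the value that was touched; -1 without a timer. */
static int pick_up_breadcrumb(void) {
    if (!HAVE_CACHE_TIMING) return -1;
    uint64_t best = UINT64_MAX;
    int best_lane = -1;
    for (int i = 0; i < LANES; i++) {
        int lane = (i * 167 + 13) & (LANES - 1);  /* 167 is odd: a permutation */
        uint64_t t = time_access(&probe[lane * STRIDE]);
        if (t < best) { best = t; best_lane = lane; }
    }
    return best_lane;
}

/* One timing sample is noisy, so repeat flush/touch/measure and take a
   majority vote. Returns the recovered byte, or -1 if the channel is absent. */
static int recover_with_votes(uint8_t secret, int rounds) {
    int votes[LANES] = {0};
    for (int r = 0; r < rounds; r++) {
        flush_probe();
        leave_breadcrumb(secret);         /* stands in for the transient access */
        int lane = pick_up_breadcrumb();
        if (lane >= 0) votes[lane]++;
    }
    int best = -1;
    for (int i = 0; i < LANES; i++)
        if (votes[i] > 0 && (best < 0 || votes[i] > votes[best])) best = i;
    return best;
}

/* ---- the process's own exception handler ---- */
static sigjmp_buf fault_return;

static void on_fault(int sig) {
    (void)sig;
    siglongjmp(fault_return, 1);   /* abandon the faulting read, back to the loop */
}

/* Read len bytes from addr one at a time; every faulting read is caught and
   the loop moves on to the next byte. Returns how many reads faulted. */
static int read_and_survive_faults(const uint8_t *addr, size_t len) {
    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);   /* macOS reports PROT_NONE access as SIGBUS */
    volatile int faults = 0;            /* volatile: live across siglongjmp */
    for (volatile size_t i = 0; i < len; i++) {
        if (sigsetjmp(fault_return, 1) == 0)   /* 1: restore the signal mask */
            (void)*(const volatile uint8_t *)(addr + i);
        else
            faults++;
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return faults;
}

/* Map one page with no access and read nbytes of it through the loop above;
   the fault count should equal nbytes and the process should still be alive. */
static int survive_faults_demo(size_t nbytes) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    void *mem = NULL;
    if (posix_memalign(&mem, page, page) != 0) return -1;
    if (nbytes > page) nbytes = page;
    if (mprotect(mem, page, PROT_NONE) != 0) { free(mem); return -1; }
    int faults = read_and_survive_faults((const uint8_t *)mem, nbytes);
    mprotect(mem, page, PROT_READ | PROT_WRITE);   /* restore before free() */
    free(mem);
    return faults;
}

int main(void) {
    printf("faulting reads survived: %d of 8\n", survive_faults_demo(8));
    int got = recover_with_votes('V', 30);
    printf("breadcrumb recovered: %d (sent %d)\n", got, 'V');
    return 0;
}
```

The fault loop is the answer to the "wouldn't a prudent OS terminate it" question as the message frames it: the kernel delivers SIGSEGV for each bad read, the handler siglongjmps back, and no policy in the loop limits how many times that happens. The timing half shows why the cache is the transfer medium: after clflush every lane misses, only the touched lane hits, and the hit is visible to any code that can time loads on a shared cache, with no privilege needed for either the flush or the measurement.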

More information about the Info-vax mailing list