On Thu, Jan 4, 2018 at 10:44 AM, R0b0t1 <r03...@gmail.com> wrote:
>
> I am still working through the information myself, but it looks like
> BPF filters are an easy way to make sure you have something to look
> for in kernelspace.

My understanding is that for exploit 1 to work you need to have the kernel execute some code for you, and BPF is a way to do that because it is a JIT compiler. The bits about finding where BPF is in kernelspace are for exploit 2, which requires branching into that code, which requires knowing its address.

> On Thu, Jan 4, 2018 at 9:44 AM, R0b0t1 <r03...@gmail.com> wrote:
>> But, if they do,
>
> then AMD processors are susceptible in the same way, and the issue can
> not be fixed. There are some news pieces and commenters claiming that
> AMD processors suffer similar issues.

AMD published this: https://www.amd.com/en/corporate/speculative-execution

This tends to go along with Google's statement that AMD is vulnerable to variant 1, but not 2 or 3. There is plenty of speculation going on with the hazy info that was provided, but none of the original sources suggest that AMD is vulnerable to variant 3. For variants 1/2 Google says that AMD is susceptible to only 1, and the white paper says that they're vulnerable to either 1/2 but they don't say which specifically.

In any case, short of somebody publishing actual exploit code so that people can run their own tests, I'm going to go with AMD. Nobody reputable is outright contradicting their statements. For variant 1 the only known vulnerability is BPF which probably next to nobody uses, and for variant 2 there really aren't any alternatives available right now anyway.

--
Rich