On Thu, Jan 4, 2018 at 10:18 AM, Rich Freeman <[email protected]> wrote:
> On Thu, Jan 4, 2018 at 10:44 AM, R0b0t1 <[email protected]> wrote:
>>
>> I am still working through the information myself, but it looks like
>> BPF filters are an easy way to make sure you have something to look
>> for in kernelspace.
>
> My understanding is that for exploit 1 to work you need to have the
> kernel execute some code for you, and BPF is a way to do that because
> it is a JIT compiler.
>
> The bits about finding where BPF is in kernelspace are for exploit 2,
> which requires branching into that code, which requires knowing its
> address.
>
What I think is missing is the full details of the cache behavior,
because I saw some (ad hoc) proposals that the situation may be very,
very bad indeed. I'll see if I can find the explanation involving only
usermode code.

The original recommendation from CERT was to fully replace all hardware:
https://webcache.googleusercontent.com/search?q=cache:rzc6iQmgrIcJ:https://www.kb.cert.org/vuls/id/584653+&cd=4&hl=en&ct=clnk&gl=us

>> On Thu, Jan 4, 2018 at 9:44 AM, R0b0t1 <[email protected]> wrote:
>>> But, if they do,
>>
>> then AMD processors are susceptible in the same way, and the issue
>> cannot be fixed. There are some news pieces and commenters claiming
>> that AMD processors suffer similar issues.
>
> AMD published this:
> https://www.amd.com/en/corporate/speculative-execution
>
> This tends to go along with Google's statement that AMD is vulnerable
> to variant 1, but not 2 or 3.
>
> There is plenty of speculation going on with the hazy info that was
> provided, but none of the original sources suggest that AMD is
> vulnerable to variant 3. For variants 1/2 Google says that AMD is
> susceptible to only 1, and the white paper says that they're
> vulnerable to either 1/2 but they don't say which specifically.
>
> In any case, short of somebody publishing actual exploit code so that
> people can run their own tests, I'm going to go with AMD. Nobody
> reputable is outright contradicting their statements. For variant 1
> the only known vulnerability is BPF which probably next to nobody
> uses, and for variant 2 there really aren't any alternatives available
> right now anyway.
>

I think referring to BPF is a red herring, because it is really the
processor that is at fault. Not BPF. And yes, I'm aware of what AMD
claims.

Cheers,
     R0b0t1
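The thread's point about BPF is that it lets an unprivileged process hand the kernel a small program which the kernel validates and then runs (JIT-compiled to native code when CONFIG_BPF_JIT is enabled and net.core.bpf_jit_enable is on) in kernel context, which is why it kept coming up as the place to find attacker-chosen code in kernelspace. The following is an added example, not code from this mailing-list thread or from any of the cited write-ups: it attaches a classic BPF socket filter to one end of an AF_UNIX datagram socketpair and shows the kernel executing that program on every datagram, accepting or dropping it. It uses the classic socket-filter interface (SO_ATTACH_FILTER) rather than bpf(2), which is an assumption made for simplicity, not a statement about which interface the public proofs of concept used; it assumes Linux with <linux/filter.h> available, and does not itself check whether the kernel JITs or interprets the filter. Whether a filter like this can be turned into a speculation gadget is exactly what the thread is debating, and nothing here attempts that.

```c
// Added example: unprivileged user-supplied BPF program executed by the kernel.
// Assumes Linux and glibc; classic BPF via SO_ATTACH_FILTER (assumption: chosen
// as the simplest interface to demonstrate, not the one any PoC necessarily used).
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#include <linux/filter.h>

/* Classic BPF program: accept a datagram if its first payload byte is 'A',
 * otherwise drop it. Every instruction here is chosen by userspace; the
 * kernel only verifies that the program is well formed before running it. */
static struct sock_filter accept_a_only[] = {
    BPF_STMT(BPF_LD  | BPF_B   | BPF_ABS, 0),        /* A = pkt[0]                     */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 'A', 0, 1),  /* if A == 'A': next, else skip 1 */
    BPF_STMT(BPF_RET | BPF_K, 0xffffffffu),          /* accept (keep whole packet)     */
    BPF_STMT(BPF_RET | BPF_K, 0),                    /* drop                           */
};

/* Send one datagram through a socketpair whose receiving end carries the
 * filter above. Returns 1 if the datagram was delivered, 0 if the kernel's
 * filter dropped it (the sender sees success either way), -1 on error. */
int filtered_delivery(const char *payload, size_t len)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0)
        return -1;

    struct sock_fprog prog = {
        .len = sizeof(accept_a_only) / sizeof(accept_a_only[0]),
        .filter = accept_a_only,
    };
    /* From here on, sv[1] runs our program in kernel context on each datagram
     * queued to it. With CONFIG_BPF_JIT enabled this is native code in the
     * kernel's JIT area (not checked by this example). */
    if (setsockopt(sv[1], SOL_SOCKET, SO_ATTACH_FILTER, &prog, sizeof(prog)) < 0) {
        close(sv[0]);
        close(sv[1]);
        return -1;
    }

    int result = -1;
    if (send(sv[0], payload, len, 0) == (ssize_t)len) {
        char buf[64];
        ssize_t n = recv(sv[1], buf, sizeof(buf), MSG_DONTWAIT);
        if (n >= 0)
            result = 1;                              /* filter returned non-zero */
        else if (errno == EAGAIN || errno == EWOULDBLOCK)
            result = 0;                              /* filter returned 0: dropped */
    }
    close(sv[0]);
    close(sv[1]);
    return result;
}

int main(void)
{
    /* Constructed sample payloads. */
    const char *samples[] = { "Accept me", "Block me" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int r = filtered_delivery(samples[i], strlen(samples[i]));
        printf("%-10s -> %s\n", samples[i],
               r == 1 ? "delivered" : r == 0 ? "dropped by kernel BPF filter" : "error");
    }
    return 0;
}
```

Run it as an ordinary user; no capability is needed to attach a socket filter, which is the property the thread is circling around. The sender never learns that the second datagram was discarded: sk_filter rejection in the AF_UNIX path tosses the packet without returning an error to the sender, so the receiver's EAGAIN is the only observable effect.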

