> As I understand it, on Intel CPUs and possibly more, we'll need to
> unmap the kernel on userret, or else userland can read arbitrary
> kernel memory.
"Possibly more"?  Anything that does speculative execution needs a good hard look, and that's damn near everything these days.

> Also, I understand that to exploit this, one has to attempt to access
> kernel memory a lot, and SEGV at least once per bit.

I don't think so.  Traps that would be taken during normal execution are not taken during speculative execution.  The problem is, to quote one writeup I found, "Intel CPUs are allowed to access kernel memory when performing speculative execution, even when the application in question is running in user memory space.  The CPU does check to see if an invalid memory access occurs, but it performs the check after speculative execution, not before."  This means that things like cache line loads can occur based on values the currently executing process should not be able to access; timing access to data that cache-collides with the cache lines of interest reveals the leaked bit(s).  Nowhere in there is a SEGV generated.

That's the Meltdown stuff.  Spectre targets other things (I've seen branch prediction mentioned) to leak information around protection barriers.

/~\ The ASCII                             Mouse
\ / Ribbon Campaign
 X  Against HTML                mo...@rodents-montreal.org
/ \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
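The cache-timing channel the reply above describes (a secret-dependent load pulls one cache line in; timing every candidate line afterwards reveals which one, with no fault ever delivered), as an added example from the editor, not code from this e-mail thread or from any of the systems it discusses. Only the receiver side is real here: the "transmitter" is an ordinary load in the same process, standing in for the transient load that follows Meltdown's faulting kernel read, so no kernel memory is touched. The probe layout (256 page-strided slots), the scrambled probe order, the 40/300-cycle values in the constructed latency profile, the secret string and all function names are assumptions made for the example. Hardware timing needs x86-64 (rdtscp and clflush); the decode logic is portable.

```c
/*
 * Added example, not from the original thread: Flush+Reload receiver for a
 * 256-slot cache covert channel. Transmitter is simulated in-process
 * (assumption standing in for Meltdown's transient kernel read).
 */
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__)
#include <x86intrin.h>
#define HAVE_X86_PROBE 1
#else
#define HAVE_X86_PROBE 0
#endif

#define SLOT_STRIDE 4096  /* one slot per page: slots never share a line or a prefetch stream */
#define NSLOTS 256        /* one slot per possible byte value */

static uint8_t probe[NSLOTS * SLOT_STRIDE] __attribute__((aligned(SLOT_STRIDE)));

/* The address the transmitter touches to encode a byte value. */
uint8_t *slot_addr(unsigned value)
{
	return &probe[(value & 0xff) * SLOT_STRIDE];
}

/*
 * Exactly one slot below the hit threshold is the transmitted byte.
 * Returns -1 on no hit or more than one hit (noise) so the caller can
 * retry instead of accepting garbage.
 */
int decode_hot_slot(const uint64_t *lat, unsigned n, uint64_t threshold)
{
	int hot = -1;
	for (unsigned i = 0; i < n; i++) {
		if (lat[i] < threshold) {
			if (hot != -1)
				return -1;
			hot = (int)i;
		}
	}
	return hot;
}

/* Constructed latency profile (assumed values) for offline checking: every
   slot reads as a 300-cycle miss except hot_a and, if >= 0, hot_b (40). */
int decode_constructed(unsigned hot_a, int hot_b, uint64_t threshold)
{
	uint64_t lat[NSLOTS];
	for (unsigned i = 0; i < NSLOTS; i++)
		lat[i] = 300;
	lat[hot_a & 0xff] = 40;
	if (hot_b >= 0)
		lat[hot_b & 0xff] = 40;
	return decode_hot_slot(lat, NSLOTS, threshold);
}

#if HAVE_X86_PROBE
static uint64_t time_access(const uint8_t *p)
{
	unsigned aux;
	uint64_t t0 = __rdtscp(&aux);
	(void)*(volatile const uint8_t *)p;
	return __rdtscp(&aux) - t0;
}

/* Threshold halfway between a measured cached and an uncached access. */
static uint64_t calibrate(void)
{
	uint8_t *p = slot_addr(0);
	uint64_t hit = 0, miss = 0;
	for (int r = 0; r < 64; r++) {
		(void)*(volatile uint8_t *)p;   /* make it hot */
		hit += time_access(p);
		_mm_clflush(p);                   /* make it cold */
		miss += time_access(p);
	}
	return (hit + miss) / 128;
}

/* Transmitter stand-in: the secret-indexed load. In Meltdown this is the
   load that runs transiently after the kernel read that will fault. */
static void transmit(uint8_t secret)
{
	(void)*(volatile uint8_t *)slot_addr(secret);
}

int recover_byte(uint8_t secret, uint64_t threshold)
{
	uint64_t lat[NSLOTS];
	for (unsigned i = 0; i < NSLOTS; i++)
		_mm_clflush(slot_addr(i));
	transmit(secret);
	/* Scrambled probe order keeps the prefetcher from faking neighbouring hits. */
	for (unsigned k = 0; k < NSLOTS; k++) {
		unsigned i = (k * 167 + 13) & 0xff;
		lat[i] = time_access(slot_addr(i));
	}
	return decode_hot_slot(lat, NSLOTS, threshold);
}
#endif

int main(void)
{
#if HAVE_X86_PROBE
	const char *secret = "constructed secret";   /* known only to the transmitter */
	uint64_t threshold = calibrate();
	printf("threshold %llu cycles\n", (unsigned long long)threshold);
	for (const char *s = secret; *s; s++) {
		int v = recover_byte((uint8_t)*s, threshold);
		putchar(v < 0 ? '?' : (char)v);
	}
	putchar('\n');
#else
	puts("timing probe needs x86-64 (rdtscp/clflush); decode logic only");
#endif
	return 0;
}
```

Run it on bare x86-64 hardware for clean results; under a hypervisor that traps or virtualizes rdtscp the hit/miss gap shrinks and `recover_byte` will return -1 more often, which is exactly why the decoder refuses ambiguous reads rather than guessing. The point to take from the reply is visible in `recover_byte`: nothing in it faults or takes a signal, and the only thing the receiver ever reads is its own array.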