Solar wrote:
mallard wrote:
One thing you can do is always terminate a program if it causes a protection violation page fault.
Meltdown relies on the OS giving applications a way to handle/ignore such faults...
That is not correct.
Meltdown works because the CPU speculatively pre-fetches memory contents to cache. That fetch may be based on information that should trigger a page fault if that execution branch were actually executed.
The following is a visualization of the process, not a showcase of how it's actually done:
Code:
char array[ 0x200 ];              // some array we have, in our own (user) memory
unsigned kindex = 0xff80000;      // kernel memory address
char * dummy = 0;
if ( 0 )                          // some false condition
{
    int v1 = dummy[ kindex ];             // WOULD trigger page fault
    unsigned uindex = ( v1 & 1 ) * 0x100; // 0x0 or 0x100
    int v2 = array[ uindex ];             // touches one of two cache lines
}
// check whether array[ 0 ] or array[ 0x100 ] is in cache
The "if" part is never actually executed, so no page fault is ever triggered -- but we just determined the lowermost bit of 0xff80000.
Thanks, that's a good example of why just improving handling of privilege violation page faults is not enough. I thought there'd have to be more to it when that approach seems not to be mentioned anywhere. Researching concrete information about this (and Spectre, which is much harder to mitigate) is difficult when 99.99% of articles are horribly dumbed-down summaries for the masses.
Also, by "never actually executed", I think you mean "never logically executed". The whole issue is that code that's not logically executed is actually executed thanks to speculative execution.
Still, implementing KPTI via hardware task switching is (as far as I can tell) still a valid mitigation for 32-bit systems where that's still possible (now if it emerges that AMD were aware of the issue back when they were designing x86_64, we'd have a nice little conspiracy theory there).
Solar wrote:
This is a CPU bug, not something an OS "allows" for.
No need to get patronising...
Solar wrote:
The solution is to not have any critical memory mapped in ring 3 page tables (as davidv1992 described)
Yes, KPTI...
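The last line of Solar's sketch, "check whether array[ 0 ] or array[ 0x100 ] is in cache", is the half of the attack the thread never shows. The following is an added example by the editor, not code from either poster: the receiver side of that cache covert channel, done as Flush+Reload on x86-64 with clflush and rdtscp. It does not touch kernel memory at all; transmit() simply stands in for the transient array[ uindex ] access by touching one of two user-space lines, so what it demonstrates is the measurement primitive, not Meltdown itself. Two assumptions differ from the sketch: the lines are a page apart rather than 0x100 so that hardware prefetchers cannot pull in the untouched line, and each bit is majority-voted over 64 trials to absorb interrupts and noise.

```c
/* Added example (editor's, not from the post): Flush+Reload receiver for the
 * two-line cache channel sketched in the thread. x86-64 only (clflush, rdtscp).
 * transmit() is a stand-in for the transient access; no illegal read happens. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <x86intrin.h>

#define STRIDE 4096   /* a page apart, not 0x100, so adjacent-line and stream
                         prefetchers cannot make the untouched line hot too */
#define TRIALS 64     /* majority vote absorbs the odd interrupt or eviction */

static uint8_t probe[2 * STRIDE] __attribute__((aligned(4096)));

/* Cycles for one load of *p. lfence keeps the load after the first timer
 * read; rdtscp waits for the load to retire before the second read. */
static uint64_t time_load(volatile uint8_t *p)
{
    unsigned aux;
    uint64_t t0 = __rdtscp(&aux);
    _mm_lfence();
    uint8_t v = *p;
    uint64_t t1 = __rdtscp(&aux);
    __asm__ volatile("" : : "r"(v));   /* sink: keep the load even if v is unused */
    return t1 - t0;
}

/* Evict both probe lines so only the sender's access can make one hot. */
static void flush_probe(void)
{
    _mm_clflush(&probe[0]);
    _mm_clflush(&probe[STRIDE]);
    _mm_mfence();
}

/* Stand-in for the post's "array[ uindex ]": touch line 0 or line 1. */
static void transmit(int bit)
{
    volatile uint8_t *p = &probe[(bit & 1) * STRIDE];
    uint8_t v = *p;
    __asm__ volatile("" : : "r"(v));
}

/* One trial's verdict: whichever line reloads faster is the one touched. */
int decode(uint64_t cycles_line0, uint64_t cycles_line1)
{
    return cycles_line1 < cycles_line0;
}

/* Send `bit` through the cache and read it back; returns the recovered bit. */
int recover_bit(int bit)
{
    memset(probe, 1, sizeof probe);   /* fault both pages in before timing */
    int ones = 0;
    for (int i = 0; i < TRIALS; i++) {
        flush_probe();
        transmit(bit);
        uint64_t c0 = time_load(&probe[0]);
        uint64_t c1 = time_load(&probe[STRIDE]);
        ones += decode(c0, c1);
    }
    return ones * 2 > TRIALS;
}

/* Best-case load latency for a cached (1) or freshly flushed (0) line,
 * to show the margin the channel relies on. */
uint64_t min_cycles(int cached)
{
    uint64_t best = UINT64_MAX;
    memset(probe, 1, sizeof probe);
    for (int i = 0; i < TRIALS; i++) {
        flush_probe();
        if (cached)
            transmit(0);
        uint64_t c = time_load(&probe[0]);
        if (c < best)
            best = c;
    }
    return best;
}

int main(void)
{
    printf("cached load: ~%llu cycles, flushed load: ~%llu cycles\n",
           (unsigned long long)min_cycles(1), (unsigned long long)min_cycles(0));
    for (int bit = 0; bit < 2; bit++)
        printf("sent %d, recovered %d\n", bit, recover_bit(bit));
    return 0;
}
```

Build with `cc -O2 probe.c -o probe` on an x86-64 machine. The gap between the two latencies printed first is what makes the single bit from the sketch recoverable; in the real attack the transient load in the "if" block plays the role of transmit(), and because the page fault is only raised when the load would retire, terminating the process on that fault (mallard's original suggestion) arrives after the cache line has already been warmed.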