From WikiChip
Editing cve/cve-2017-5754
Latest revision | Your text | ||
Line 12: | Line 12: | ||
</source> | </source> | ||
− | When executed, this line will likely cause a [[segmentation fault]] due an access restriction violation. | + | When executed, this line will likely cause a [[segmentation fault]] due an access restriction violation. Meltdown demonstrated that while the fault is being handled by the operating system (in an elevated supervisor mode), the microprocessor can continue to execute subsequent code [[out-of-order]] under [[speculative execution|the assumption]] that this is the right path. More-so, Meltdown demonstrated that this code can be executed as supervisor, thereby reading potentially memory it should not have access to. A carefully crafted piece of code by an attacker can be used in a way similar to {{cve|cve-2017-5753|Spectre Variant 1}} to leak any kernel space memory. |
== Example == | == Example == | ||
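Review bot: The text added to the first paragraph needs a wording pass before saving: "More-so" should be "Moreover", "reading potentially memory it should not have access to" should read "potentially reading memory it should not have access to", and "due an access restriction violation" is missing "to". The closing claim that this can "leak any kernel space memory" carries no reference on this line; add a citation or narrow the wording to what the cited source supports.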
Line 24: | Line 24: | ||
</source> | </source> | ||
− | Consider what happens when operation 2 is executed. The microprocessor | + | Consider what happens when operation 2 is executed. The microprocessor will realize that this is an [[access violation]] and the exception will result in a [[context switch]] to the operating system in order to handle the fault. When this happens, the microprocessor will also [[speculative execution|speculatively]] start to execute operation 3 out of order. Meltdown demonstrated that this code can be executed as supervisor, thereby reading potentially memory it should not have access to. |
− | + | Since <code>probeTable</code> is uncached, the code that executed cause a [[cache miss]], resulting the microprocessor going and grabbing the value from [[main memory]]. Meanwhile, the operating system will likely kill the process the for the invalid memory access. | |
+ | |||
+ | Although the code has been terminated and the architectural state of the machine has been restored, the state of the microarchitecture has changed. If an attacker is running a second process (e.g., a parent process), then <code>probeTable[]</code> can be used in conjunction with a [[side-channel analysis]] timing attack, to determine the value of <code>byte</code> in <code>probeTable[byte]</code>. Since <code>probeTable</code> was initially uncached, the only element in <code>probeTable</code> that is [[cached]] is the secrete byte stored in <code>*(char *)0xAAAAA</code>. | ||
This method can then be used repeatedly to read a larger part of memory. | This method can then be used repeatedly to read a larger part of memory. | ||
== Affected Processors == | == Affected Processors == | ||
− | Below is a list of known affected processors, alphabetized. This is '''NOT''' en exhaustive list but rather the | + | Below is a list of known affected processors, alphabetized. This is '''NOT''' en exhaustive list but rather the once we were able to verify! |
{| class="wikitable" | {| class="wikitable" | ||
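Review bot: In the last added paragraph of the Example section, "the only element in probeTable that is cached is the secrete byte stored in *(char *)0xAAAAA" conflates the table entry with the secret. By the preceding sentence, the cached element is the one at probeTable[byte], whose index equals the secret byte, so suggest "the only cached element of probeTable is the one indexed by the secret byte". The sentence "Meltdown demonstrated that this code can be executed as supervisor, thereby reading potentially memory it should not have access to" repeats the one added in the previous hunk and can be dropped here. Typos to fix in the added lines: "the code that executed cause a", "resulting the microprocessor going", "kill the process the for", "secrete", and in the Affected Processors intro "en exhaustive" and "the once".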
Line 51: | Line 53: | ||
| {{apple|Monsoon|l=arch}} ({{apple|A11}}/{{apple|A11X}}) | | {{apple|Monsoon|l=arch}} ({{apple|A11}}/{{apple|A11X}}) | ||
|- | |- | ||
− | | rowspan="4" | [[ARM Holdings|ARM]] || {{armh|Cortex-A15|l=arch}} || rowspan=" | + | | rowspan="4" | [[ARM Holdings|ARM]] || {{armh|Cortex-A15|l=arch}} || rowspan="10" | [https://developer.arm.com/support/security-update Post] |
|- | |- | ||
| {{armh|Cortex-A57|l=arch}} | | {{armh|Cortex-A57|l=arch}} | ||
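Review bot: The new ARM row gives the Post link cell rowspan="10" while the vendor cell beside it keeps rowspan="4", and the next hunk deletes lines just before the table close. Count the rows that remain under the ARM entry after this change and make the two rowspan values agree with that count, otherwise the link cell can extend into rows that belong to another vendor.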
Line 58: | Line 60: | ||
|- | |- | ||
| {{armh|Cortex-A75|l=arch}} | | {{armh|Cortex-A75|l=arch}} | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
|} | |} | ||
{{expand list}} | {{expand list}} |