Corresponding Google Project Zero post:
Reading privileged memory with a side-channel
Variant 1: bounds check bypass (CVE-2017-5753)
Variant 2: branch target injection (CVE-2017-5715)
Variant 3: rogue data cache load (CVE-2017-5754)
Variant 1: bounds check bypass
1. This PoC only tests for the ability to read data inside mis-speculated execution within the same process, without crossing any privilege boundaries.
[The PoC only tests the ability to read under mis-speculated execution; it does not go beyond the privilege boundary]
2. A PoC for variant 1 that, when running with normal user privileges under a modern Linux kernel with a distro-standard config, can perform arbitrary reads in a 4GiB range [3] in kernel virtual memory on the Intel Haswell Xeon CPU.
If the kernel's BPF JIT is enabled (non-default configuration), it also works on the AMD PRO CPU.
On the Intel Haswell Xeon CPU, kernel virtual memory can be read at a rate of around 2000 bytes per second after around 4 seconds of startup time. [4]
[On the Intel Haswell Xeon CPU, a 4GiB range of kernel virtual memory can be read with only normal user privileges]
[On the AMD PRO CPU, data can only be read with normal user privileges if the kernel's BPF JIT is forcibly enabled]
Tested Processors
Intel(R) Xeon(R) CPU E5-1650 v3 @ 3.50GHz (called "Intel Haswell Xeon CPU" in the rest of this document)
AMD FX(tm)-8320 Eight-Core Processor (called "AMD FX CPU" in the rest of this document)
AMD PRO A8-9600 R7, 10 COMPUTE CORES 4C+6G (called "AMD PRO CPU" in the rest of this document)
An ARM Cortex A57 core of a Google Nexus 5x phone (called "ARM Cortex A57" in the rest of this document)
AMD does acknowledge this part: reading is only possible with the "kernel's BPF JIT forcibly enabled" (the system default is off).
Variant 1: bounds check bypass
AMD Ans.
Resolved by software / OS updates to be made available by system vendors and manufacturers.
Negligible performance impact expected.
[Can be resolved through software or operating-system updates, and after the update there will be no impact on performance]
AMD Ans. Our CPU architecture differs from, or is different from, Intel's and ARM's, so we do not have this problem...
Variant 2 ->
Different architecture, risk is close to 0, and no vulnerability has been found so far.
Variant 3 ->
Different architecture, therefore 0 risk.
Serious Intel CPU vulnerability, the fix will reduce performance by about 30% - No.78
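As an added illustration (not code from the Project Zero post or from any vendor), here is the shape of the Variant 1 bounds-check-bypass gadget that the PoC above exercises, next to the index-masking hardening later adopted by the Linux kernel; the array names, sizes and cache-line stride are constructed assumptions, and no timing side-channel is included.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed sample data (not from the Project Zero PoC): array1 is the
 * bounds-checked buffer, array2 the probe array a mis-speculated read touches. */
#define ARRAY1_SIZE 16
#define LINE 64                         /* assumed cache-line stride */
static const uint8_t array1[ARRAY1_SIZE] = {
    10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25 };
static uint8_t array2[256 * LINE];      /* one line per possible byte value */

void init_tables(void)
{
    for (int v = 0; v < 256; v++)
        array2[v * LINE] = (uint8_t)v;  /* a lookup returns the byte it indexed */
}

/* Vulnerable shape of a Variant 1 gadget: the check is architecturally correct,
 * but the CPU can speculate past it while ARRAY1_SIZE is still being fetched,
 * so the dependent array2 load leaves a cache footprint keyed by array1[idx]. */
uint8_t victim_lookup(size_t idx)
{
    if (idx < ARRAY1_SIZE)
        return array2[array1[idx] * LINE];
    return 0;
}

/* Branchless mask: all ones when idx < size, else all zeros. Modelled on the
 * idea behind the Linux kernel's array_index_nospec() helper (assumption: a
 * simplified portable version; the kernel uses inline asm to forbid a branch). */
size_t array_index_mask_nospec(size_t idx, size_t size)
{
    return (size_t)0 - (size_t)(idx < size);
}
size_t array_index_nospec(size_t idx, size_t size)
{
    return idx & array_index_mask_nospec(idx, size);
}

/* Hardened form: the index feeding the load is forced to 0 on any path where
 * idx >= ARRAY1_SIZE, so a mis-speculated execution cannot read past the
 * array; architectural results are unchanged. */
uint8_t hardened_lookup(size_t idx)
{
    if (idx < ARRAY1_SIZE) {
        idx = array_index_nospec(idx, ARRAY1_SIZE);
        return array2[array1[idx] * LINE];
    }
    return 0;
}
```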