SoylentNews is people
SoylentNews
from the starting-off-the-new-year-right dept.
Spotted over on HN:
The mysterious case of the Linux Page Table Isolation patches (archive)
tl;dr: there is presently an embargoed security bug impacting apparently all contemporary CPU architectures that implement virtual memory, requiring hardware changes to fully resolve. Urgent development of a software mitigation is being done in the open and recently landed in the Linux kernel, and a similar mitigation began appearing in NT kernels in November. In the worst case the software fix causes huge slowdowns in typical workloads. There are hints the attack impacts common virtualization environments including Amazon EC2 and Google Compute Engine, and additional hints the exact attack may involve a new variant of Rowhammer.
Turns out 2018 might be more interesting than first thought. So grab some popcorn and keep those systems patched!
(Score: 1, Interesting) by Anonymous Coward on Tuesday January 02 2018, @03:41AM
You only have to guess 9 bits of the address space at a time if you can go level by level.
You could guess kernel addresses if faulting on a unmapped kernel address takes a different amount of time than faulting on a mapped kernel address. An address in a big unmapped area might fault when relatively significant bits are checked, while an address that is valid might not fault until permission bits are checked.
Stuff related to performance monitoring and user-chosen LDT entries changed quite a bit. One or both of these may have been used to reveal addresses. Performance monitoring hardware has the ability to have the CPU write a log into a buffer; this could be mapped for the user. There is a way to map the LDT and/or a Linux-specific variation for the user as well.