
Meltdown strikes back: the L1 terminal fault vulnerability

Meltdown strikes back: the L1 terminal fault vulnerability

Posted Aug 15, 2018 2:03 UTC (Wed) by corbet (editor, #1)
In reply to: Meltdown strikes back: the L1 terminal fault vulnerability by ncm
Parent article: Meltdown strikes back: the L1 terminal fault vulnerability

PTEs are not zeroed out, they are bitwise inverted, so the information is still there. Sorry if that wasn't clear.

Meltdown strikes back: the L1 terminal fault vulnerability

Posted Aug 15, 2018 7:09 UTC (Wed) by HIGHGuY (subscriber, #62277) (4 responses)

One thing that I haven't come across anywhere is: how can we be sure that the inverted pte never points into something valid? Doesn't this just shift the problem around?

(I'm sure this was thought through, I just couldn't find why this is ok to do)

Meltdown strikes back: the L1 terminal fault vulnerability

Posted Aug 15, 2018 7:23 UTC (Wed) by pbonzini (subscriber, #60935) (1 response)

It would require several terabytes of swap.

Meltdown strikes back: the L1 terminal fault vulnerability

Posted Aug 15, 2018 7:55 UTC (Wed) by vbabka (subscriber, #91706)

The swap size is in fact limited on vulnerable CPUs so that it's not possible to exceed it.

Meltdown strikes back: the L1 terminal fault vulnerability

Posted Aug 15, 2018 18:36 UTC (Wed) by jcm (subscriber, #18262)

There is a limit depending upon configured MAXPHYADDR and the number of bits/translation levels supported. Effectively, even with things like Superdome, there are no boxes shipping today where it's a problem. In theory, it /could/ become a problem prior to future platforms with 5-level paging (extra PA bits) but I raised this very corner case a few months ago to keep an eye on it. Now this is public, I'll ping the vendors I can think of who might be impacted and ask them to further consider for future platforms.
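
As an added illustration of the limit vbabka and jcm describe (this is a model written for this page, not the thread's words and not kernel code), the following C program assumes a simplified x86-64 PTE layout in which bits 12..51 hold the page frame number and a non-present swap entry reuses that field for its offset. It inverts the field the way the L1TF mitigation does, checks that the resulting frame number lies beyond everything MAXPHYADDR can address, and computes how much swap that guarantee covers; the kernel's own constants and margins differ from this model.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Assumed simplified x86-64 PTE layout: bit 0 = present, bits 12..51 = page
 * frame number (PFN). A non-present swap entry reuses the PFN field for its
 * swap offset. The real kernel layout and its limits are more involved. */
#define PAGE_SHIFT 12
#define PFN_BITS   40
#define PFN_MASK   (((uint64_t)1 << PFN_BITS) - 1)

/* Store a swap offset with the PFN field bitwise inverted, as the L1TF
 * mitigation does: the offset stays recoverable (inversion is its own
 * inverse) while the raw bits the CPU would speculate on point elsewhere. */
static uint64_t make_inverted_swap_pte(uint64_t swap_offset)
{
    return ((~swap_offset) & PFN_MASK) << PAGE_SHIFT;   /* bit 0 stays clear */
}

static uint64_t swap_pte_offset(uint64_t pte)
{
    return (~(pte >> PAGE_SHIFT)) & PFN_MASK;
}

/* Number of physical page frames addressable with MAXPHYADDR bits. */
static uint64_t phys_frames(unsigned maxphyaddr)
{
    return (uint64_t)1 << (maxphyaddr - PAGE_SHIFT);
}

/* Does the PFN the hardware would read from this entry lie beyond all
 * physical memory? That is the property the inversion relies on. */
static bool pte_points_outside_ram(uint64_t pte, unsigned maxphyaddr)
{
    return ((pte >> PAGE_SHIFT) & PFN_MASK) >= phys_frames(maxphyaddr);
}

/* Largest swap size (in pages) for which every inverted offset still lands
 * outside physical memory. 0 means a 40-bit field can no longer give that
 * guarantee, which is the extra-PA-bits corner case raised in the thread. */
static uint64_t max_safe_swap_pages(unsigned maxphyaddr)
{
    uint64_t frames = phys_frames(maxphyaddr), field = (uint64_t)1 << PFN_BITS;
    return frames >= field ? 0 : field - frames;
}

int main(void)
{
    unsigned widths[] = {39, 46, 52};        /* client, server, 5-level paging */
    for (int i = 0; i < 3; i++)
        printf("MAXPHYADDR=%u: inversion stays safe up to %.1f TiB of swap\n",
               widths[i], (double)max_safe_swap_pages(widths[i]) * 4096.0 / (1ULL << 40));
    return 0;
}
```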

Meltdown strikes back: the L1 terminal fault vulnerability

Posted Aug 17, 2018 21:47 UTC (Fri) by willy (subscriber, #9762)

One of the bits that is inverted is the "Uncached" bit. The CPU will not attempt to speculatively bring a cache line in from an uncached page.

Meltdown strikes back: the L1 terminal fault vulnerability

Posted Aug 15, 2018 7:41 UTC (Wed) by marcH (subscriber, #57642)

> PTEs are not zeroed out, they are bitwise inverted, so the information is still there.

So for decades hardware has tried really hard to hide from software crazy optimizations like instruction-level parallelism, out of order and of course speculative execution.

Now software is more and more hiding data from hardware to indirectly block some of that.

I just can't stop admiring the irony.

> Sorry if that wasn't clear.

It was all there, just not super mega obvious why.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds