On Fri, Jan 5, 2018 at 11:11 AM, Cy Schubert <Cy.Schubert at cschubert.com> wrote:> According to a Red Hat announcement, Power and Series z are also > vulnerable. > ? >?There's a lot of confusion in the media, press releases, and announcements due to conflating Spectre and Meltdown. Meltdown (aka CVE-2017-5754) is the issue that affects virtually all Intel CPUs and specific ARM Cortex-A CPUs. This allows read-access to kernel memory from unprivileged processes (ring 3 apps get read access to ring 0 memory).? IBM POWER, Oracle Sparc, and AMD Zen are not affected by this issue as they provide proper separation between kernel memory maps and userland memory maps; or they aren't OoO architectures that use speculative execution in this manner. Spectre (aka CVE-2017-5715 and CVE-2017-5753) is the issue that affects all CPUs (Intel, AMD, ARM, IBM, Oracle, etc) and allows userland processes to read memory assigned to other userland processes (but does NOT give access to kernel memory). ?IOW, POWER and Sparc are vulnerable to Spectre, but not vulnerable to Meltdown. -- Freddie Cash fjwcash at gmail.com
Thank you! The news indeed does not properly understand the difference, nor which problem affects which hardware/CPU and in many ways acts like it is "the end of the world". On 01/05/2018 14:53, Freddie Cash wrote:> On Fri, Jan 5, 2018 at 11:11 AM, Cy Schubert <Cy.Schubert at cschubert.com> > wrote: > >> According to a Red Hat announcement, Power and Series z are also >> vulnerable. >> ? >> > ?There's a lot of confusion in the media, press releases, and announcements > due to conflating Spectre and Meltdown. > > Meltdown (aka CVE-2017-5754) is the issue that affects virtually all Intel > CPUs and specific ARM Cortex-A CPUs. This allows read-access to kernel > memory from unprivileged processes (ring 3 apps get read access to ring 0 > memory).? IBM POWER, Oracle Sparc, and AMD Zen are not affected by this > issue as they provide proper separation between kernel memory maps and > userland memory maps; or they aren't OoO architectures that use speculative > execution in this manner. > > Spectre (aka CVE-2017-5715 and CVE-2017-5753) is the issue that affects all > CPUs (Intel, AMD, ARM, IBM, Oracle, etc) and allows userland processes to > read memory assigned to other userland processes (but does NOT give access > to kernel memory). > > ?IOW, POWER and Sparc are vulnerable to Spectre, but not vulnerable to > Meltdown. >
Freddie Cash wrote this message on Fri, Jan 05, 2018 at 11:53 -0800:> Spectre (aka CVE-2017-5715 and CVE-2017-5753) is the issue that affects all > CPUs (Intel, AMD, ARM, IBM, Oracle, etc) and allows userland processes to > read memory assigned to other userland processes (but does NOT give access > to kernel memory).No, Spectre does not allow one userland process to read another userland process's memory.. It allows an attacker to read any memory within the same process.. -- John-Mark Gurney Voice: +1 415 225 5579 "All that I will do, has been done, All that I have, has not."