On 06/01/2018 07:03 AM, speck for Peter Zijlstra wrote:
> On Thu, May 31, 2018 at 03:36:18PM -0500, speck for Josh Poimboeuf wrote:
>> My (probably wrong) understanding is that the pattern is something like
>> this:
>>
>> 	if (user_index < array_len) {
>> 		bar[user_index] = blah;
>> 		...
>> 		foo = bar[user_index];
>> 	}
>>
>> Do you have a different understanding?
>
> I've been thinking about this -- how to use an unbounded store, and the
> best I came up with is using it for a (speculative) stack smashing
> attack. Basically have it over-write the return address and thereby
> redirect the speculative execution to something more 'useful'.
>
> So it doesn't immediately lead to leaks, but is a tool in setting up a
> leak. Basically spectre-ROP :-)

FYI I've had some security researchers ping me about something in this
area. I'll be pinging a few folks to get some dots connected later.

Jon.

--
Computer Architect | Sent from my Fedora powered laptop
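Added example, not part of the thread: the kernel's answer to the store-then-load pattern Josh quoted is to clamp the index before the first access with array_index_nospec() from include/linux/nospec.h. The block below is a userspace C re-implementation of that helper (the kernel's generic branchless mask, rewritten in a portable form; names bar/ARRAY_LEN and the two wrapper functions are my own), placed beside the quoted pattern so the difference is visible.

```c
#include <limits.h>
#include <stddef.h>

#define BITS_PER_LONG (sizeof(unsigned long) * CHAR_BIT)
#define ARRAY_LEN 8UL                  /* stands in for array_len in the thread */

static unsigned long bar[ARRAY_LEN];   /* stands in for bar[] in the thread */

/* All-ones when index < size, all-zeros otherwise, computed without a branch
 * so the result holds even when the bounds-check branch is mispredicted.
 * Same idea as the kernel's generic array_index_mask_nospec(); written with
 * an unsigned subtract instead of an arithmetic right shift for portability. */
static inline unsigned long array_index_mask_nospec(unsigned long index,
                                                    unsigned long size)
{
    /* stop the compiler from folding the mask away (kernel: OPTIMIZER_HIDE_VAR) */
    __asm__ __volatile__("" : "+r"(index));
    /* top bit of (index | (size-1-index)) is set iff index >= size */
    unsigned long oob = (index | (size - 1UL - index)) >> (BITS_PER_LONG - 1);
    return oob - 1UL;                  /* 1 -> 0, 0 -> ~0UL */
}

/* Kernel-style wrapper: an out-of-bounds index is forced to 0. */
#define array_index_nospec(index, size) \
    ((index) & array_index_mask_nospec((index), (size)))

/* The pattern as quoted in the thread: the store is guarded only by the
 * branch, which gives no guarantee during speculative execution. */
unsigned long bar_store_load_unsafe(unsigned long user_index, unsigned long blah)
{
    unsigned long foo = 0;
    if (user_index < ARRAY_LEN) {
        bar[user_index] = blah;
        foo = bar[user_index];
    }
    return foo;
}

/* Hardened form: the index is clamped before it reaches the store, so even
 * a mispredicted path cannot write past bar[]. Architectural result is the same. */
unsigned long bar_store_load_safe(unsigned long user_index, unsigned long blah)
{
    unsigned long foo = 0;
    if (user_index < ARRAY_LEN) {
        user_index = array_index_nospec(user_index, ARRAY_LEN);
        bar[user_index] = blah;
        foo = bar[user_index];
    }
    return foo;
}
```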