Commit 4baad8d

authored Jan 6, 2024
Update README.md
1 parent 590c5ca commit 4baad8d

File tree

1 file changed (+2, -1 lines changed)

pocs/cpus/reptar/minimized/README.md

Lines changed: 2 additions & 1 deletion
@@ -59,7 +59,8 @@ The vulnerability exhibits two behaviors:
5959
### Experiment for Fetching + BadDSBIP
6060
* **Theory**: The DSB fetches uOPs from a bad IP. When L1I ends up evicting these instructions for new bytecode, the DSB should evict them too, but the DSB doesn't evict them, causing the MCE when the CPU fetches instructions from the evicted address (if they didn't get evicted then we would just continue executing them).
6161
* **Privesc**: TODO
62-
* **Experiment**: TODO
62+
* **Experiment**: hyperfork
63+
* Fork to a sibling HyperThread and wait until the bug triggers. In the parent, modify the code being executed (eg, by changing `rex.r/0x44` to `rex/0x40`), then wait to see if it affects the code being ran by the child (since it is not decoded, it shouldn't be in the DSB yet). In the parent, execute the modified code speculatively (but not architecturally), then see if it affects the code ran by the child (speculatively executing the code should put it in the DSB).
6364

6465
## Exploitation (Q3)
6566
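Review bot: the new sub-bullet under `* **Experiment**: hyperfork` folds two separate trials into one run-on sentence and never states what "affects the code being ran by the child" is supposed to look like (an MCE on the sibling, a different result, or no change), so a reader cannot distinguish a positive from a negative outcome. Split it into numbered steps, one for the architectural edit (`rex.r/0x44` to `rex/0x40`) and one for the speculative-only execution, and for each state the expected observation next to the prediction the theory makes for it (not in the DSB yet for the first, placed into the DSB by speculative execution for the second). While there, change "code being ran" to "code being run" in both places. The trial also presupposes that the child shares the parent's DSB, which only holds if the child actually lands on the sibling HyperThread of the same core; since `fork` produces a process, say how the child is pinned to that sibling (affinity), otherwise the result is not interpretable. Finally, `* **Privesc**: TODO` stays as-is while the experiment line moves from TODO to hyperfork; fine if intentional, but worth noting in the commit message.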

0 commit comments
