“okay i actually fucking LOVE this bug so much omg. this is even better than i thought it was. sorry, i apologize, i'm gonna fangirl a little bit here sorry https://t.co/ALA0h69qeE”
if i understand right: the simplest variant works like this.
basically all modern CPUs speculate loads far beyond the point where they know it's safe. this is necessary for even half-decent performance in a big pipeline.
so if you do this: a = x[4]; b = y[a]; c = z[b]; it may load "c" long before it even knows the load of "a" was safe!
this is fine as long as it can roll things back in case the first load failed. completely normal.
the catch here is: doing the load puts that data in the cache.
so... imagine you're not supposed to be able to know "b" because it's in kernel memory. it'll load b, and then load z[b] to get c. then at some point it will fail and roll back.
but this will have a side effect: the chunk of memory containing "c" will end up getting loaded into cache.
the rollback *isn't total*.
it's like the CPU went ahead to the next page of an assignment before it was supposed to, but didn't completely hide that fact.
and given the right circumstances, you can use this to recover "b", one bit at a time.
you can now recover arbitrary data from any memory in the system. you win.
HAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA
I’m DDDYYYYIIIIIIINNNNNNGGGGG
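A toy model of the mechanism the thread describes, added here as an illustration and not taken from the thread or any real CPU: registers are restored after the fault, the cache line touched by z[b] is not, and the KPTI-style `kernel_mapped=False` switch shows why unmapping kernel pages removes the footprint. All addresses and memory contents are constructed.

```python
KERNEL_BASE = 0x1000   # constructed: addresses at or above this are kernel-only
LINE = 64              # bytes per cache line

class ToyCPU:
    """Registers roll back on a fault; the cache does not."""
    def __init__(self, memory, kernel_mapped=True):
        self.memory = memory                 # addr -> byte (constructed contents)
        self.kernel_mapped = kernel_mapped   # False models KPTI-style unmapping
        self.cache = set()                   # cache line indices that were filled
        self.regs = {}

    def spec_load(self, addr, touched):
        # Permission check is deferred: the data is fetched and cached first.
        if addr >= KERNEL_BASE and not self.kernel_mapped:
            raise LookupError("not present")   # no data ever enters the pipeline
        self.cache.add(addr // LINE)
        touched.append(addr)
        return self.memory.get(addr, 0)

    def run_chain(self, x, y, z):
        """a = x[4]; b = y[a]; c = z[b], with the permission check only at retire."""
        saved, touched = dict(self.regs), []
        try:
            a = self.spec_load(x + 4, touched)
            b = self.spec_load(y + a, touched)          # the kernel byte
            c = self.spec_load(z + b * LINE, touched)   # footprint depends on b
            if any(t >= KERNEL_BASE for t in touched):
                raise PermissionError("fault on retire")
            self.regs.update(a=a, b=b, c=c)
            return c
        except (PermissionError, LookupError):
            self.regs = saved   # architectural state restored ...
            return None         # ... but self.cache keeps its new lines

def cached_indices(cpu, z):
    """Which z[i] lines are warm: the 'one bit at a time' recovery in the thread."""
    return [i for i in range(256) if (z + i * LINE) // LINE in cpu.cache]

X, Y, Z = 0x0, KERNEL_BASE, 0x10000
MEM = {X + 4: 4, Y + 4: 42}   # constructed: x[4] = 4, kernel byte y[4] = 42

def demo(kernel_mapped=True):
    """Returns (retired result, registers after rollback, warm z lines)."""
    cpu = ToyCPU(MEM, kernel_mapped)
    result = cpu.run_chain(X, Y, Z)
    return result, cpu.regs, cached_indices(cpu, Z)
```

With the kernel page mapped, `demo()` retires nothing and leaves no registers behind, yet line 42 of z is warm; with `demo(False)` the dependent load never runs and nothing leaks.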