Gentoo Archives: gentoo-user

From: "Taiidan@×××.com" <Taiidan@×××.com>
To: gentoo-user@l.g.o, Nikos Chantziaras <realnc@×××××.com>
Subject: Re: [gentoo-user] Re: gcc 7.3 + kernel 4.15 = spectre_v2 fixed
Date: Wed, 31 Jan 2018 09:49:03
Message-Id: beffe1fb-40c7-ded5-5c23-591c8201d46d@gmx.com
In Reply to: [gentoo-user] Re: gcc 7.3 + kernel 4.15 = spectre_v2 fixed by Nikos Chantziaras
1 On 01/31/2018 04:16 AM, Nikos Chantziaras wrote:
2
3 > On 30/01/18 23:43, Rich Freeman wrote:
4 >> If you had some program that listened on a socket and accepted a
5 >> length and a string and then did a bounds check using the length, it
6 >> might be exploitable if a local process could feed it data. Even if
7 >> the process only listened for outside connections it might be
8 >> vulnerable if a local process colluded with a remote host to make that
9 >> connection.
10 >
11 > Well, if you're running a local process that is trying to attack you,
12 > you've been compromised already, imo.
13 >
14 > Local processes are always trusted. If Spectre is a vulnerability that
15 > can be exploited by trusted code, it's not really a vulnerability.
16 > Trusted code is called "trusted" for a reason.
17 I wouldn't classify for instance running a multiplayer game in a VM as
18 "trusted" code, the whole point of hardware virtualization is that you
19 don't have to trust what is being executed there.
20
21 Not to mention the issue with most websites requiring javascript for no
22 reason to function properly.

Replies

Subject Author
[gentoo-user] Re: gcc 7.3 + kernel 4.15 = spectre_v2 fixed Nikos Chantziaras <realnc@×××××.com>