> Is there any risk of privilege escalation?<p>> Meltdown and Spectre are, by themselves, only information leaks. There is no suggestion that speculative execution can be used to modify memory or cause a system to do anything it might not have done already.<p>Aren't they a bit too casual here? The answer is not wrong in the sense that Meltdown and Spectre themselves can't directly be used for privilege escalation.<p>On the other hand the question they posed was: "Is there any risk of privilege escalation?" and I wouldn't be so quick about that. If I can read arbitrary kernel memory isn't there a chance (at least under some circumstances) that I can find something (clear text or hashed root password maybe) that enables trivial privilege escalation?
>There are two angles to consider for this question:<p>>Can an untrusted guest attack the hypervisor using Meltdown or Spectre?<p>>Can a guest user-space program attack a guest kernel using Meltdown or Spectre?<p>There are two angles if you maintain Xen yourself. However the vast majority of people aren't Xen customers, they are customers of Amazon or other cloud provider. In which case the main concern is:<p><i>Can a fellow customer guest running on an AWS instance attack my guest account?</i><p>It seems like the answer is "No", but it looks like the answer might be "Only if dom0 is patched", and might even be "Yes". Since it's not in AWS interests to publicize that the answer is Yes, and since AWS is a large user of Xen, I find the it unsettling that this question is unanswered. It makes me thing it is unanswered for a reason. And if the response is "Oh, we didn't think about it from that perspective", then that would be even more disturbing.
The linked advisory 254 claims that SP2 is limited to code after bounds checks and similar when SMEP is used.<p>This is incorrect: the BTB can be poisoned to speculatively jump anywhere in the text segment of the supervisor.
Intel PR monkeys are trying to take AMD down with them, let's make this clear:<p>For the 3 bugs, the biggest one only affect Intel CPUs, for bug 2 and 3:<p>AMD bug only affects THE SAME PROCESS, unlike Intel, which allows exploits to cross processes:<p><a href="https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html" rel="nofollow">https://googleprojectzero.blogspot.com/2018/01/reading-privi...</a><p>"As shown, AMD was only vulnerable to "the ability to read data inside mis-speculated execution within the same process, without crossing any privilege boundaries."