On 01/23/2018 03:13 AM, Liran Alon wrote:
> Therefore, breaking KASLR. In order to handle this, every exit from
> kernel-mode to user-mode should stuff RSB. In addition, this stuffing
> of RSB may need to be done from a fixed address to avoid leaking the
> address of the RSB stuffing itself.

With PTI alone in place, I don't see how userspace could do anything with
this information. Even if userspace started to speculate to a kernel
address, there is nothing at the kernel address to execute: no TLB entry,
no PTE to load, nothing.

You probably have a valid point about host->guest, though.