oss-sec mailing list archives

Re: Re: [EXT] Re: [oss-security] CVE-2023-51767: a bogus CVE in OpenSSH

From: Jacob Bachmeyer <jcb62281 () gmail com>
Date: Wed, 24 Sep 2025 22:51:56 -0500

On 9/24/25 06:45, Peter Gutmann wrote:

Jacob Bachmeyer <jcb62281 () gmail com> writes:

The critical issue for exploiting Rowhammer to corrupt spilled register
values seems to be how long those spilled values remain live in DRAM before
they are reloaded into the register file and ultimately used.

It also depends on whether they're ever actually read back from RAM or just
end up sitting in cache for a microsecond or two before they're re-fetched
from there.  There are some attacks that exploit the difference between
(glitched) data in RAM and data in cache, but in this case it'd mitigate
Rowhammer by having the corrupted data in RAM ignored if it's still in cache.

Indeed, if the spilled value is never evicted from cache, then it isnever live in DRAM and Rowhammer cannot be used to corrupt it. However,if I understand correctly, modern systems aggressively flush caches onprocess context switches in order to close cache-related side channels.

This seems to suggest that the solution to "Rowhammer Mayhem" may lie inimprovements to kernel scheduler and VM management subsystems.

Perhaps a yield primitive that yields the rest of the current timeslicebut guarantees a full unpreemptable timeslice upon resume? That wouldallow a brief sensitive computation to be effectively madeuninterruptible but would not permit monopolization of the processor.

Perhaps more randomization in assigning physical page frames to preventthe kernel from reliably using "bait" pages? The attack in the paperseems to depend on predictable page frame allocation.

The latter could also be implemented in user processes: allocate arandomly-sized pad on the stack to shift "inner" stack variables awayfrom their predictable locations. Making the pad multiple pages plus afraction of a page could also counter predictable kernel page frameallocations by shifting the sequence of pages allocated.



-- Jacob

Current thread:

CVE-2023-51767: a bogus CVE in OpenSSH Damien Miller (Sep 22)
- Re: CVE-2023-51767: a bogus CVE in OpenSSH Stuart D Gathman (Sep 22)
  - Re: CVE-2023-51767: a bogus CVE in OpenSSH Pedro Sampaio (Sep 22)
- Re: CVE-2023-51767: a bogus CVE in OpenSSH Solar Designer (Sep 22)
  - Re: process exit statuses (was: CVE-2023-51767) Simon McVittie (Sep 23)
  - Re: CVE-2023-51767: a bogus CVE in OpenSSH Peter Gutmann (Sep 23)
  - Re: CVE-2023-51767: a bogus CVE in OpenSSH Todd C. Miller (Sep 23)
  - Re: [EXT] Re: [oss-security] CVE-2023-51767: a bogus CVE in OpenSSH Adiletta, Andrew (Sep 23)
    - Re: Re: [EXT] Re: [oss-security] CVE-2023-51767: a bogus CVE in OpenSSH Jacob Bachmeyer (Sep 23)
    - Re: Re: [EXT] Re: [oss-security] CVE-2023-51767: a bogus CVE in OpenSSH Peter Gutmann (Sep 24)
    - Re: Re: [EXT] Re: [oss-security] CVE-2023-51767: a bogus CVE in OpenSSH Jacob Bachmeyer (Sep 24)
    - Re: Re: [EXT] Re: [oss-security] CVE-2023-51767: a bogus CVE in OpenSSH Demi Marie Obenour (Sep 25)
    - Re: Re: [EXT] Re: [oss-security] CVE-2023-51767: a bogus CVE in OpenSSH Jacob Bachmeyer (Sep 25)
    - Re: Re: [EXT] Re: [oss-security] CVE-2023-51767: a bogus CVE in OpenSSH Demi Marie Obenour (Sep 26)
    - Re: Re: [EXT] Re: [oss-security] CVE-2023-51767: a bogus CVE in OpenSSH Jacob Bachmeyer (Sep 27)
    - Re: Re: [EXT] Re: [oss-security] CVE-2023-51767: a bogus CVE in OpenSSH Demi Marie Obenour (Sep 27)
    - Re: Re: [EXT] Re: [oss-security] CVE-2023-51767: a bogus CVE in OpenSSH Jacob Bachmeyer (Sep 27)
    - Re: Re: [EXT] Re: [oss-security] CVE-2023-51767: a bogus CVE in OpenSSH Peter Gutmann (Sep 27)
    - Re: Re: [EXT] Re: [oss-security] CVE-2023-51767: a bogus CVE in OpenSSH Demi Marie Obenour (Sep 27)
    - Re: Re: [EXT] Re: [oss-security] CVE-2023-51767: a bogus CVE in OpenSSH Peter Gutmann (Sep 27)
    - Re: Re: [EXT] Re: [oss-security] CVE-2023-51767: a bogus CVE in OpenSSH Demi Marie Obenour (Sep 27)

(Thread continues...)