> Spectre is unrelated and does not depend on a mistake of this kind,
> since there you're dealing with speculative loads that ARE permitted
> as far as access control goes; they just aren't wanted because they
> are preceded by range checks or the like.
Yes. I'm of two minds whether it's even fair to call Spectre variants like that a vulnerability. (Spectre variants that exfiltrate values from other processes, or from the kernel, are quite another story.) On the one hand, of course, it is, in that it can be used to do things like read outside sandboxes. But, on the other hand, I can easily imagine a CPU designer looking at it and saying "What's the big deal if this code can read that location? It can get it anytime it wants with a simple load instruction anyway.", something I have trouble disagreeing with. So, I'm not sure whether I consider those Spectre variants a CPU bug or just a misfeature that makes sandboxing more difficult (in that it provides unobvious ways to read memory).

/~\ The ASCII                             Mouse
\ / Ribbon Campaign
 X  Against HTML                mo...@rodents-montreal.org
/ \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
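The "permitted but not wanted" load the thread is talking about is the bounds-checked table lookup below; as an added example that is not part of the original message, it is shown next to a version hardened with index masking in the style of the Linux kernel's array_index_nospec(). The names (table, TABLE_LEN, lookup_plain, lookup_masked, index_mask_nospec) are hypothetical, and the empty asm statement assumes a GCC/Clang-compatible compiler.

```c
#include <stddef.h>
#include <stdint.h>

#define TABLE_LEN 16
/* Constructed sample data: table[i] == 10 + i. */
static const uint8_t table[TABLE_LEN] = {
    10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25 };

/* Architecturally fine: an out-of-range idx never reaches the load on
 * the committed path.  While the branch is still unresolved, though, the
 * CPU may execute the load speculatively with the unchecked idx, which is
 * exactly the access the quoted text calls permitted but not wanted. */
uint8_t lookup_plain(size_t idx)
{
    if (idx < TABLE_LEN)
        return table[idx];
    return 0;
}

/* Returns all ones when idx < size and all zeros otherwise, without a
 * branch: (size - 1 - idx) underflows iff idx >= size, so the top bit of
 * the OR is 1 exactly in the out-of-range case.  Unsigned arithmetic only,
 * so this is well defined (no reliance on arithmetic right shift). */
size_t index_mask_nospec(size_t idx, size_t size)
{
    size_t out_of_range = (idx | (size - 1 - idx)) >> (sizeof(size_t) * 8 - 1);
    return out_of_range - 1;   /* 0 - 1 wraps to all ones when in range */
}

/* Same check as above, but the index fed to the load is clamped by a data
 * dependency rather than by the branch: even under misprediction the load
 * sees idx & mask, i.e. index 0 for anything out of range. */
uint8_t lookup_masked(size_t idx)
{
    if (idx < TABLE_LEN) {
        /* Hide idx from the optimiser so it cannot drop the mask because
         * it "knows" idx < TABLE_LEN on this path (the compiler does not
         * reason about the speculative value). */
        __asm__ __volatile__("" : "+r"(idx));
        idx &= index_mask_nospec(idx, TABLE_LEN);
        return table[idx];
    }
    return 0;
}
```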