> In general, if the cores are SMT (Symmetric Multithreading) siblings, then you may observe random branches, and, if they're SMP (Symmetric Multiprocessing) siblings from the same package, then you may observe machine checks.
[...]
> However, we simply don't know if we can control the corruption precisely enough to achieve privilege escalation. I suspect that it is possible, but we don't have any way to debug μop execution!
The exploit they published crashes the machine, but it may be possible to write one that does other things; they just don't know how.
Actually useful blog post: https://bughunters.google.com/blog/5997221712101376/the-rept...