Re: How does knowing where imply knowing what?
Meltdown works like this:
Instruction 1 accesses a byte on a protected page and attempts to load it into a register.
Instruction 2 uses the value loaded into the register to access some memory on one out of 256 pages (depending on the value of the register filled by instruction 1).
Now, instruction 1 does an illegal access, so it causes a segfault. However, by that time instruction 2 has already been speculatively executed. Now, all the "normal" processor state (register values, etc.) is rolled back to before instruction 2, but, crucially, on Intel CPUs, NOT the fact that a particular one of these 256 pages was brought into cache.
The attacker can now determine which of these pages was brought into cache by carefully timing how long it takes to access each of them. The fast one is the one brought into cache. Presto, one byte read from kernel space.
Note that the 256 pages are NOT in kernel memory, they are just plain accessible memory in the attacker's process.