From 4baad8df63b6e70094e191b10b33a981aebd3ef9 Mon Sep 17 00:00:00 2001 From: "Eduardo' Vela\" Nava (sirdarckcat)" Date: Sat, 6 Jan 2024 16:52:16 +0100 Subject: [PATCH] Update README.md --- pocs/cpus/reptar/minimized/README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/pocs/cpus/reptar/minimized/README.md b/pocs/cpus/reptar/minimized/README.md index 991652b8e..3929be1df 100644 --- a/pocs/cpus/reptar/minimized/README.md +++ b/pocs/cpus/reptar/minimized/README.md @@ -59,7 +59,8 @@ The vulnerability exhibits two behaviors: ### Experiment for Fetching + BadDSBIP * **Theory**: The DSB fetches uOPs from a bad IP. When L1I ends up evicting these instructions for new bytecode, the DSB should evict them too, but the DSB doesn't evict them, causing the MCE when the CPU fetches instructions from the evicted address (if they didn't get evicted then we would just continue executing them). * **Privesc**: TODO -* **Experiment**: TODO +* **Experiment**: hyperfork + * Fork to a sibling HyperThread and wait until the bug triggers. In the parent, modify the code being executed (eg, by changing `rex.r/0x44` to `rex/0x40`), then wait to see if it affects the code being ran by the child (since it is not decoded, it shouldn't be in the DSB yet). In the parent, execute the modified code speculatively (but not architecturally), then see if it affects the code ran by the child (speculatively executing the code should put it in the DSB). ## Exploitation (Q3)
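Review bot: the nested bullet added under `* **Experiment**: hyperfork` folds two distinct experiments into one run-on sentence, the architectural modification of the code in the parent (`rex.r/0x44` to `rex/0x40`) and the later speculative-only execution of that modified code, each with its own expected observation in the child; splitting it into two nested bullets, one per step with the expected result stated on that step, would make the README much easier to follow. `hyperfork` is also introduced without any pointer to what it is (a tool, a script in this directory, or just the name of the technique), so a short clarifying phrase or link after it would help. Minor grammar: "the code being ran" should read "the code being run" in both places.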