Video should be available soon.
Does anybody know why they used "lfence;jmp" or "pause;jmp" instead of "ud2" alone? The ud2 instruction has previously been recommended to stop speculative execution. Other good choices would be int3 (0xCC) and int1 (0xF1).
Here is somebody quoting from Intel's manual:
To me, it looks like you could save several bytes.
It gets used for multi-threaded self-modifying code. Simply modifying the code can cause a crash due to an intermediate state. There are caches and there is an instruction prefetcher. To deal with this, first write out an int3 on the first byte of the instruction you wish to replace. The CPU is careful not to screw up in this case because int3 has to work for debugging. Next, update the rest of the instruction as desired, and then write the first byte over the int3. If the int3 happens to get hit by the other thread, just have the debug exception do nothing.
The carefulness around int3 will stop speculation. That is what is needed for a retpoline.
People have also used int3 for things related to copy protection. You could be silly and write an OS that used int3 to do system calls.
Doesn't that potentially crash the other thread because the rest of the instruction is still there?
There is a discussion about it on the linux-kernel mailing list. Maybe you can find it.
Or you sort-of-know-but-have-half-forgotten most of it and this is a nice refresher with a few interesting new bits thrown in?