Tavis Ormandy, a security researcher at Google, has disclosed a vulnerability in AMD processors based on the Zen 2 microarchitecture that allows data being processed by other processes on the same CPU core to be read. The vulnerability, named Zenbleed, can be exploited from within virtual machines and other isolated environments. Ormandy has written a prototype exploit that demonstrates it.
The exploit allows an unprivileged user to determine the data being processed by AES-NI or REP MOVS instructions, the latter commonly used in functions such as memcpy. That information can then be used to reconstruct encryption keys, user passwords, and other sensitive data handled by privileged processes. The affected processors are AMD Ryzen 3000, Ryzen Pro 3000, Ryzen Threadripper 3000, Ryzen 4000, Ryzen Pro 4000, Ryzen 5000, Ryzen 7020, and EPYC 7002. The vulnerability is fixed by a microcode update.
A patch has been prepared for the Linux kernel that loads the corrected microcode. If updating the microcode is not possible, there is a workaround that mitigates the vulnerability at the cost of reduced performance: set the DE_CFG[9] control bit on the CPU with the command “wrmsr -a 0xc0011029 $(($(rdmsr -c 0xc0011029) | (1<<9)))”.
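The following script is an added example, not code from the article, from Ormandy, or from AMD. It wraps the DE_CFG[9] workaround described above so that an administrator can preview the new MSR value without touching hardware, check whether the bit is already set, and apply it. The MSR address and bit number come from the article; the use of rdmsr and wrmsr from msr-tools (with the msr kernel module loaded and root privileges) is an assumption about the host.

```shell
#!/bin/sh
# Added example (not from the article, Ormandy or AMD): preview, check and apply
# the DE_CFG[9] chicken-bit workaround for Zenbleed on the MSR named in the article.
# Only status/apply touch hardware; they assume root, the msr kernel module and
# rdmsr/wrmsr from msr-tools. Everything else is pure arithmetic.

DE_CFG_MSR=0xc0011029   # MSR address given in the article
ZENBLEED_BIT=9          # DE_CFG[9]

# Print the MSR value with the workaround bit set, given the current value.
# Example: with_workaround_bit 0x2000 prints 0x2200
with_workaround_bit() {
    printf '0x%x\n' "$(( $1 | (1 << ZENBLEED_BIT) ))"
}

# Print "yes" if the workaround bit is already set in the given value, else "no".
workaround_bit_set() {
    if [ "$(( ($1 >> ZENBLEED_BIT) & 1 ))" -eq 1 ]; then
        echo yes
    else
        echo no
    fi
}

# Show what a wrmsr would write, without touching hardware, so the change can
# be reviewed first.
preview_change() {
    current=$1
    echo "current  DE_CFG: $current (bit $ZENBLEED_BIT set: $(workaround_bit_set "$current"))"
    echo "proposed DE_CFG: $(with_workaround_bit "$current")"
}

# Read DE_CFG from CPU 0 and report whether the workaround is active.
status() {
    current=$(rdmsr -c -p 0 "$DE_CFG_MSR") || {
        echo "rdmsr failed (need root and the msr module loaded)" >&2
        return 1
    }
    preview_change "$current"
}

# Apply the workaround on every core, the same operation the article's command
# performs. MSR writes do not survive a reboot, so rerun this at boot for as
# long as the microcode cannot be updated.
apply() {
    current=$(rdmsr -c -p 0 "$DE_CFG_MSR") || return 1
    wrmsr -a "$DE_CFG_MSR" "$(with_workaround_bit "$current")"
}

case "${1:-}" in
    status)  status ;;
    apply)   apply ;;
    preview) preview_change "${2:-0x0}" ;;
    *)       echo "usage: $0 status|apply|preview <current DE_CFG value>" ;;
esac
```

Run "preview 0x2000" (a constructed sample value) to see the arithmetic before running "status" and "apply" on a real Zen 2 host; the bit is set with OR, so applying it twice is harmless.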
The vulnerability resembles a classic use-after-free bug, in which memory is accessed after it has been freed. In these processors, register contents are kept in a register file (RF) shared by the threads running on the same CPU core, and a register allocation table (RAT) maps the named architectural registers onto entries in that register file. Rather than writing a zero into the register itself, a Z-bit flag is set in the RAT to indicate that the register's value is zero.
For more information, see the Wikipedia pages on Tavis Ormandy and the Zenbleed vulnerability.