Zenbleed: an AMD Zen 2 speculative vulnerability

Tavis Ormandy reports on a vulnerability that he has found in "all Zen 2 class processors"from AMD. (Wayback Machine link as the original site is overloaded.) It canallow local attackers to recover data used in string operations; "If you remove the first word from the string 'hello world',what should the result be? This is the story of how we discovered that theanswer could be your root password!" The report has lots of details,including an exploit; AMD has released a microcodeupdate to address the problem.

We now know that basic operations like strlen, memcpy and strcmp will usethe vector registers - so we can effectively spy on those operationshappening anywhere on the system! It doesn't matter if they're happening inother virtual machines, sandboxes, containers, processes, whatever!

This works because the register file is shared by everything on the samephysical core. In fact, two hyperthreads even share the same physicalregister file.