
strlen, memcpy, and strcmp. It’s vulnerable from within virtual machines, and potentially from within the browser. The scope is fairly limited, though, as Zenbleed only affects Zen 2 CPUs: that’s the AMD Epyc 7002 series, the Ryzen 3000 series, and some of the Ryzen 4000, 5000, and 7020 series of CPUs, specifically those with the built-in Radeon graphics.
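Because the fix is a microcode update rather than a software patch, the first thing a defender wants is an inventory check: is this host a Zen 2 part at all? The following is an added example, not code from the article or from AMD, that reads CPUID to decode the vendor and AMD's extended family/model and flags the Zen 2 model ranges. The model ranges are an assumption taken from memory of the Linux kernel's Zenbleed microcode check, so verify them against AMD's advisory before relying on them.

```c
// Added example (not from the Hackaday article or from AMD): classify the
// running x86 CPU as in scope for Zenbleed (AMD Zen 2, family 0x17) by
// decoding CPUID. On non-x86 builds the host check returns -1.
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

// Decode family/model from CPUID leaf 1 EAX using AMD's rule: the extended
// family and model fields only apply when the base family is 0xF.
void decode_fms(uint32_t eax, unsigned *family, unsigned *model) {
    unsigned base_family = (eax >> 8) & 0xf;
    unsigned base_model  = (eax >> 4) & 0xf;
    unsigned ext_family  = (eax >> 20) & 0xff;
    unsigned ext_model   = (eax >> 16) & 0xf;
    *family = base_family;
    *model  = base_model;
    if (base_family == 0xf) {
        *family += ext_family;
        *model  |= ext_model << 4;
    }
}

// Zen 2 model ranges within family 0x17. ASSUMPTION: recalled from the Linux
// kernel's Zenbleed microcode-revision check; confirm against AMD's advisory.
bool is_zen2_model(unsigned family, unsigned model) {
    if (family != 0x17)
        return false;
    return (model >= 0x30 && model <= 0x3f) ||   // EPYC 7002 "Rome" / Threadripper 3000
           (model >= 0x60 && model <= 0x6f) ||   // Ryzen 4000/5000 APUs (Renoir/Lucienne)
           (model >= 0x70 && model <= 0x7f) ||   // Ryzen 3000 "Matisse"
           (model >= 0xa0 && model <= 0xaf);     // Ryzen 7020 "Mendocino"
}

// CPUID leaf 0 returns the vendor string split across EBX, EDX, ECX.
bool vendor_is_amd(uint32_t ebx, uint32_t ecx, uint32_t edx) {
    char vendor[13];
    memcpy(vendor,     &ebx, 4);
    memcpy(vendor + 4, &edx, 4);
    memcpy(vendor + 8, &ecx, 4);
    vendor[12] = '\0';
    return strcmp(vendor, "AuthenticAMD") == 0;
}

// Returns 1 if the host is a Zen 2 part, 0 if not, -1 if not an x86 build.
int host_in_zenbleed_scope(void) {
#if defined(__x86_64__) || defined(__i386__)
    unsigned eax, ebx, ecx, edx;
    if (!__get_cpuid(0, &eax, &ebx, &ecx, &edx))
        return 0;
    if (!vendor_is_amd(ebx, ecx, edx))
        return 0;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx))
        return 0;
    unsigned family, model;
    decode_fms(eax, &family, &model);
    return is_zen2_model(family, model) ? 1 : 0;
#else
    return -1;
#endif
}

int main(void) {
    int r = host_in_zenbleed_scope();
    if (r < 0)
        puts("not an x86 host; CPUID check not applicable");
    else if (r == 1)
        puts("Zen 2 CPU detected: confirm the Zenbleed microcode update is applied");
    else
        puts("host CPU is not a Zen 2 part");
    return 0;
}
```

The decoder is deliberately AMD-specific (it is only consulted after the vendor string matches), and a positive result is a prompt to check microcode revision, not proof of exposure: a patched Zen 2 host will still report as in scope here.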
And at the heart of the problem is a pointer use-after-free — one that happens inside the CPU itself. We normally think of CPU registers as fixed locations on the silicon. But in the case of the XMM and YMM registers, there’s actually a shared pool of register storage, and the individual registers are mapped into that pool using a method very reminiscent of pointers.
XMM registers are 128 bits long, and YMM registers are 256 bits long. As a performance optimization, compilers often emit the vzeroupper instruction to set the upper half of a YMM register to 0, letting the CPU run the rest of the instructions using 128-bit calculations. The important thing to understand is that the underlying storage isn’t actually written with zeros; instead the pseudo-pointer is simply flagged as representing zero.