[RndTbl] Zenbleed

Trevor Cordes trevor at tecnopolis.ca
Wed Jul 26 01:22:50 CDT 2023

On 2023-07-25 Alberto Abrao wrote:
> Here we go again...
> https://lock.cmpxchg8b.com/zenbleed.html

And there was much rejoicing at Intel (until they find a similar flaw
in theirs).  (Paging Troy.)

Ok, trying to follow the explanation.  I don't see how the example with
strlen can leak actual data.  Maybe it could leak length data, but not
the data itself, because the actual secretpassword is never put in ymm,
just a sort of mask.

But I can vaguely see how this would work with strcmp, assuming it
actually puts the secretpassword itself into ymm, which seems a good
guess.  Might need to sleep on it to fully grok.

As with spectre et al it requires the ability to run arbitrary tainted
code on a box.  So shared/cloud would be vulnerable (what else is new),
but not your average home Joe (unless they are program-careless).  In
addition, I doubt you could make easier-to-inject js or BPF code do the
required tricks, unlike some of the earlier bugs (IIRC).

wrmsr -a 0xc0011029 $(($(rdmsr -c 0xc0011029) | (1<<9)))

That is just messed up, like I'm back in 1986 doing poke() on the Atari
ST to make some magic happen.  Crazy: I didn't even know this was still
a thing.

My gut feeling is this problem will be easier for CPU peepz and OS
peepz to mitigate without killing another 5% performance.  But I could
be wrong!  Fingers crossed...

It is continuing to appear that speculative execution as a model is
irretrievably broken.  Maybe a new model is required.  Or maybe NUMA
was the correct solution, not SMP.

More information about the Roundtable mailing list