On 2023-07-25 Alberto Abrao wrote:
Here we go again...
And there was much rejoicing at Intel (until they find a similar flaw in theirs). (Paging Troy.)
Ok, trying to follow the explanation. I don't see how the example with strlen can leak actual data. Maybe it could leak length data, but not the data itself, because the actual secretpassword is never put in ymm, just a sort of mask.
But I can vaguely see how this would work with strcmp, assuming it actually puts the secretpassword itself into ymm, which seems a good guess. Might need to sleep on it to fully grok.
As with Spectre et al., it requires the ability to run arbitrary tainted code on a box. So shared/cloud would be vulnerable (what else is new), but not your average home Joe (unless they are program-careless). In addition, I doubt you could make easier-to-inject JS or BPF code do the required tricks, unlike some of the earlier bugs (IIRC).
Ok: wrmsr -a 0xc0011029 $(($(rdmsr -c 0xc0011029) | (1<<9)))
That is just messed up, like I'm back in 1986 doing poke() on the Atari ST to make some magic happen. Crazy: I didn't even know this was still a thing.
My gut feeling is this problem will be easier for CPU peepz and OS peepz to mitigate without killing another 5% performance. But I could be wrong! Fingers crossed...
It is continuing to appear that speculative execution as a model is irretrievably broken. Maybe a new model is required. Or maybe NUMA was the correct solution, not SMP.
Yeah, I've always had misgivings and unease about speculative execution. For the few % of further gain in performance, the risks are just not worth it. Remember the Intel Pentium floating-point division bug? ("United we stand, divided we fall", "We are number 0.9999999997", etc.)
Hartmut
On Wed 26 Jul 2023 at 01:22:50 -05:00, Trevor Cordes <trevor@tecnopolis.ca> wrote:
On 2023-07-25 Alberto Abrao wrote:
Here we go again...
It is continuing to appear that speculative execution as a model is irretrievably broken. Maybe a new model is required. Or maybe NUMA was the correct solution, not SMP.