ZenBleed: Zen2 Information Leakage

Syonyk · July 24, 2023, 7:49pm

https://lock.cmpxchg8b.com/zenbleed.html

Wheee!

Update 'yer microcodes.

bombcar · July 24, 2023, 11:41pm

another day, another massive security leak due to trying to squeeze performance out of modern CPUs.

Syonyk · July 25, 2023, 5:58pm

Welp. Played around with the proof of concept. The site was… rather overloaded yesterday.

https://lock.cmpxchg8b.com/files/zenbleed-v5.tar.gz

Yup. It leaks!

Fuck me. Seriously. Architecturally visible leakage at a high rate. This is from a BOINC box, so I don’t care, but… ugh.

Thread 14: “name> <m”
Thread 14: “fteam> <gui_url”
Thread 14: “3 --df1dot 1.371”
Thread 14: “00</d_free> "
Thread 14: “nt 5214480 --num”
Thread 14: “und> <rsc_me”
Thread 14: “le_name> me> 8”
Thread 14: “Factor 2 --misma”
Thread 14: “ATeah1090F_1112.”
Thread 14: “31768159 --delta”
Thread 14: “F.dat</open_name”
Thread 14: “493 --skyRadius "
Thread 14: “6 --firstSkyPoin”
Thread 14: “m>108</version_n”
Thread 14: “-debug 0 --debug”
Thread 14: “>https://einstei”
Thread 14: “le_name> "
Thread 14: “LATeah1090”
Thread 14: “.3531768159 --de”
Thread 14: “lls 1 --useWeigh”
Thread 14: “.3531768159 --de”
Thread 14: “5 --freeRadiusFa”
Thread 14: “nux-gnu</platfor”
Thread 14: “ui_url> <gui”
Thread 14: “url> <gui_ur”
Thread 14: " https://ei”
Thread 14: “non_cpu_intensiv”
Thread 14: “/team_display.ph”
Thread 14: “l_credit>2974181”
Thread 14: “frac>0.998549</"
Thread 14: “ip_addr> <ho”
Thread 14: “en_name>JPLEPH.4”
Thread 14: "bound> <rsc”
Thread 14: " 10 --numCells 1”
Thread 14: “ry_bound> <r”
Thread 14: “disk_bound> "
Thread 14: “ui_url> <gui”
Thread 14: “match 0.15 --deb”
Thread 14: “371881534e-15 --”
Thread 14: “80 --f0Band 16 -”
Thread 14: “</rsc_memory_bou”
Thread 14: “num> <rsc_f"
Thread 14: “ersion> <app_ver”
Thread 14: "friendly_name> "
Thread 14: “1690304958.59914”
Thread 14: "svm extapic cr8”
Thread 14: “/team_display.ph”
Thread 14: "x-gnu.zip</file”
Thread 14: “ser_friendly_nam”
Thread 14: “Your accou”
Thread 14: “g_up> <avg_t”
Thread 14: “svm extapic cr8_”
Thread 14: “5 --f0start 1096”
Thread 14: “_disk_bound> 00”
Thread 14: " 00</_mc_mem_bo”
Thread 14: “%%%%%%%%%%%%%%%%”
Thread 14: “_disk_bound> 00”
Thread 14: “%%%%%%%%%%%%%%%%”
Thread 14: " 00</_mc_mem_bo"
Thread 14: “%%%%%%%%%%%%%%%%”
Thread 14: “-alpha 2.3531768”
Thread 14: “%%%%%%%%%%%%%%%%”
Thread 14: “h 4194304.0 --to”
Thread 14: “%%%%%%%%%%%%%%%%”
Thread 14: “e 1 – --0 --e "
Thread 14: “le_name> me> 8”
Thread 14: “0.15 --reftime 5”
Thread 14: “%%%%%%%%%%%%%%%%”
Thread 14: " 00</_mc_d> 00”
Thread 14: “t</file_name> 8”
Thread 14: “app_name>hsgamma”
Thread 14: “5 --S0sPain 070”
Thread 14: “%%%%%%%%%%%%%%%%”
Thread 14: “_1.03_x86_64-pc-”
Thread 14: “%%%%%%%%%%%%%%%%”
Thread 14: “s://einsteinatho”
Thread 14: “f>1.435 <sca”
Thread 14: “0.0000.06/951</r”
Thread 14: "in_rpc_time> "
Thread 14: “x86_64-pc-linux"
Thread 14: “%%%%%%%%%%%%%%%%”
Thread 14: " </gui_url> <gu"
Thread 14: " hrtm://p”
Thread 14: “_c_peeciig>0</cc”
Thread 14: “65500896”
Thread 14: “509.220950</clie”
Thread 14: “>-1.000000</conn”

Syonyk · July 25, 2023, 6:48pm

Interesting. BIOS update on one of my boxes and a microcode update didn’t fix it, but setting the chicken bit did.

wrmsr -a 0xc0011029 $(($(rdmsr -c 0xc0011029) | (1<<9)))

Syonyk · July 25, 2023, 7:20pm

Oh man. Spicy kernel devs are always fun!

https://lore.kernel.org/lkml/20230425195024.17808-1-bp@alien8.de/T/#u