Zenbleed: an AMD Zen 2 speculative vulnerability

Post Syndicated from original https://lwn.net/Articles/939099/

Tavis Ormandy reports on a vulnerability that he has found in “all Zen 2 class processors from AMD” (Wayback Machine link, as the original site is overloaded). It can allow local attackers, including those in other virtual machines or containers on the same physical core, to recover data that passes through the vector registers, which includes the operands of common string operations: “If you remove the first word from the string ‘hello world’, what should the result be? This is the story of how we discovered that the answer could be your root password!” The report has lots of details, including an exploit; AMD has released a microcode update to address the problem.

We now know that basic operations like strlen, memcpy and strcmp will use
the vector registers – so we can effectively spy on those operations
happening anywhere on the system! It doesn’t matter if they’re happening in
other virtual machines, sandboxes, containers, processes, whatever!

This works because the register file is shared by everything on the same
physical core. In fact, two hyperthreads even share the same physical
register file.
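Because the leak happens in the physical core's register file rather than in any one process, the only fixes are the microcode update mentioned above or the per-core workaround that Ormandy's report gives (setting bit 9 of the AMD DE_CFG MSR, 0xC0011029, on every core, which the Linux kernel fix also does when fixed microcode is absent). The script below is an added example, not code from the LWN brief or from the report: it parses /proc/cpuinfo to find Zen 2 logical CPUs and reads DE_CFG through the msr driver to see whether that bit is set. The Zen 2 model ranges (family 0x17, models 0x30-0x3f, 0x60-0x6f, 0x70-0x7f, 0xa0-0xaf) are taken from the kernel fix and are an assumption of this example, as is the constructed /proc/cpuinfo sample and its made-up microcode value; the script deliberately does not hard-code "good" microcode revisions, so a clear bit on a host with new microcode is a prompt to compare the reported revision against AMD's fixed revisions, not a verdict.

```python
"""Added example (not from the LWN brief or from Tavis Ormandy's report):
find Zen 2 logical CPUs on a Linux host and check whether the Zenbleed
workaround bit in DE_CFG is set on each of them.

Assumptions (not stated on the page):
  * Zen 2 == AMD family 0x17, models 0x30-0x3f, 0x60-0x6f, 0x70-0x7f,
    0xa0-0xaf (the ranges used by the Linux kernel fix).
  * The workaround bit is bit 9 of MSR 0xC0011029 (DE_CFG), the chicken bit
    published in the report.  Hosts running fixed microcode may leave it
    clear, so "clear" only means "check the microcode revision".
"""
import os
import re

DE_CFG_MSR = 0xC0011029
DE_CFG_ZEN2_FP_BACKUP_FIX_BIT = 9
AMD_FAMILY_17H = 0x17
ZEN2_MODEL_RANGES = ((0x30, 0x3F), (0x60, 0x6F), (0x70, 0x7F), (0xA0, 0xAF))

# Constructed /proc/cpuinfo excerpt: two logical CPUs of a Rome (model 0x31)
# part with a made-up microcode value, so the logic can run off-host.
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: AuthenticAMD
cpu family\t: 23
model\t\t: 49
model name\t: AMD EPYC 7302 16-Core Processor
microcode\t: 0x830104d

processor\t: 1
vendor_id\t: AuthenticAMD
cpu family\t: 23
model\t\t: 49
model name\t: AMD EPYC 7302 16-Core Processor
microcode\t: 0x830104d
"""


def parse_cpuinfo(text):
    """Split /proc/cpuinfo text into one {field: value} dict per logical CPU."""
    cpus = []
    for stanza in re.split(r"\n[ \t]*\n", text.strip()):
        fields = {}
        for line in stanza.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if "processor" in fields:
            cpus.append(fields)
    return cpus


def is_zen2(vendor_id, family, model):
    """True for the AMD family/model combinations covered by Zenbleed."""
    if vendor_id != "AuthenticAMD" or family != AMD_FAMILY_17H:
        return False
    return any(lo <= model <= hi for lo, hi in ZEN2_MODEL_RANGES)


def chicken_bit_set(de_cfg_value):
    """True if DE_CFG has the Zen 2 FP backup fix bit (bit 9) set."""
    return bool((de_cfg_value >> DE_CFG_ZEN2_FP_BACKUP_FIX_BIT) & 1)


def read_de_cfg(cpu):
    """Read DE_CFG for one logical CPU via the msr driver.
    Needs root and 'modprobe msr'; raises OSError when unavailable."""
    fd = os.open(f"/dev/cpu/{cpu}/msr", os.O_RDONLY)
    try:
        return int.from_bytes(os.pread(fd, 8, DE_CFG_MSR), "little")
    finally:
        os.close(fd)


def assess(cpuinfo_text, de_cfg_reader=read_de_cfg):
    """Report which logical CPUs are Zen 2, which of those have the workaround
    bit clear, which could not be read, and the microcode revisions seen.
    de_cfg_reader(cpu) -> int is injectable so the logic is testable offline."""
    report = {"zen2": [], "bit_clear": [], "msr_unreadable": [], "microcode": set()}
    for fields in parse_cpuinfo(cpuinfo_text):
        cpu = int(fields["processor"])
        family = int(fields.get("cpu family", "0"))
        model = int(fields.get("model", "0"))
        if not is_zen2(fields.get("vendor_id", ""), family, model):
            continue
        report["zen2"].append(cpu)
        report["microcode"].add(fields.get("microcode", "unknown"))
        try:
            value = de_cfg_reader(cpu)
        except OSError:
            report["msr_unreadable"].append(cpu)
            continue
        if not chicken_bit_set(value):
            report["bit_clear"].append(cpu)
    return report


if __name__ == "__main__":
    try:
        with open("/proc/cpuinfo") as f:
            cpuinfo = f.read()
    except OSError:
        cpuinfo = SAMPLE_CPUINFO
        print("no /proc/cpuinfo here; using the constructed sample")
    result = assess(cpuinfo)
    if not result["zen2"]:
        print("no Zen 2 logical CPUs found")
    else:
        print(f"Zen 2 CPUs: {result['zen2']}, microcode: {sorted(result['microcode'])}")
        print(f"DE_CFG bit {DE_CFG_ZEN2_FP_BACKUP_FIX_BIT} clear on: {result['bit_clear']}")
        print(f"MSR unreadable (need root + msr module) on: {result['msr_unreadable']}")
```

The check is done per logical CPU rather than once because the register file is per physical core: a workaround applied on one core says nothing about its siblings, which is also why the report's wrmsr invocation uses `-a` (all CPUs). Hyperthread pairs share a core, so both will normally show the same value, but a reading that differs between siblings is itself worth investigating.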