Developers: AMD
Last Release Date: 2023/07/25
Branches: Information Technology
Technology: Processors
2023: Discovery of a vulnerability that exposes the contents of registers used by other processes
Tavis Ormandy, a security researcher at Google, has identified a vulnerability (CVE-2023-20593) in AMD processors based on the Zen 2 microarchitecture that can be used to monitor register contents while other processes are running on the same CPU core. Among other things, the attack can be carried out from virtual machines and isolated environments. This became known on July 25, 2023.
To demonstrate the vulnerability, which is codenamed Zenbleed, a prototype exploit has been prepared that allows an unprivileged user to determine the data processed by AES-NI or REP MOVS instructions (usually used in the memcpy function). This data can be used to reconstruct encryption keys and user passwords handled by other processes, including privileged ones. The exploit leaks data at approximately 30 KB per second.
The vulnerability has been fixed at the microcode update level. A patch has been prepared for Linux to load the fixed microcode. If it is impossible to update the microcode, there is a workaround that blocks the vulnerability at the cost of reduced performance: set the control bit DE_CFG[9] in the CPU using the command "wrmsr -a 0xc0011029 $(($(rdmsr -c 0xc0011029) | (1<<9)))". Disabling SMT mode does not block the vulnerability.
A workaround to block the vulnerability is included in kernel updates 6.4.6, 6.1.41, 5.15.122, 5.10.187, 5.4.250 and 4.19.289. You can track the availability of the fix in distributions on the following pages: Debian, Ubuntu, Gentoo, RHEL, SUSE, Arch, Fedora, OpenBSD, NetBSD, FreeBSD. The problem affects the following processor series: AMD Ryzen 3000, Ryzen PRO 3000, Ryzen Threadripper 3000, Ryzen 4000 with Radeon graphics, Ryzen PRO 4000, Ryzen 5000 with Radeon graphics, Ryzen 7020 with Radeon graphics and EPYC 7002.
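To confirm that the DE_CFG[9] workaround described above is actually in effect on every core, the following added example (not part of the original article or of any AMD or kernel tooling) reads the MSR through the Linux msr driver and lists the CPUs where bit 9 is clear. The function names and the SAMPLE values are constructed for illustration; the live read assumes root privileges and a loaded msr kernel module.

```python
import glob
import os
import struct

DE_CFG_MSR = 0xC0011029   # MSR address used by the wrmsr command in the text
WORKAROUND_BIT = 1 << 9   # DE_CFG[9], the control bit the workaround sets


def read_msr(cpu, msr=DE_CFG_MSR):
    """Read one 64-bit MSR via /dev/cpu/<n>/msr (the file offset is the MSR number)."""
    fd = os.open(f"/dev/cpu/{cpu}/msr", os.O_RDONLY)
    try:
        return struct.unpack("<Q", os.pread(fd, 8, msr))[0]
    finally:
        os.close(fd)


def cpus_missing_workaround(values):
    """Given {cpu: DE_CFG value}, return the CPUs that do not have bit 9 set."""
    return sorted(cpu for cpu, v in values.items() if not v & WORKAROUND_BIT)


def audit_live():
    """Check every CPU visible to the msr driver on this host."""
    cpus = sorted(int(p.split("/")[3]) for p in glob.glob("/dev/cpu/[0-9]*/msr"))
    return cpus_missing_workaround({c: read_msr(c) for c in cpus})


# Constructed sample: four CPUs, workaround applied to CPUs 0 and 3 only.
SAMPLE = {0: 0x200, 1: 0x0, 2: 0x1FF, 3: 0x8000000000000600}

if __name__ == "__main__":
    print("sample, CPUs without DE_CFG[9]:", cpus_missing_workaround(SAMPLE))
    if glob.glob("/dev/cpu/[0-9]*/msr") and os.geteuid() == 0:
        print("this host, CPUs without DE_CFG[9]:", audit_live())
```

MSR writes made with wrmsr do not survive a reboot, so a check like this belongs in whatever runs after each boot until the microcode or kernel fix is installed.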
At its core, the problem resembles the classic use-after-free vulnerabilities caused by accessing memory after it has been released. Processors store the contents of registers in a register file (RF), an array that is shared by all tasks on the same CPU core. The Register Allocation Table (RAT) is responsible for mapping specific named registers to resources in the register file. A zero value is stored in a register not by saving an empty value in the register file, but by setting the z-bit flag in the RAT.
The vulnerability is caused by the fact that if the z-bit is set during speculative execution of instructions, it is not enough to simply reset it on a branch misprediction, since the space in the register file may have been reallocated since the speculative execution. The effect is triggered by simultaneously renaming a register, using an instruction to which the merge optimization is applied, and speculatively executing the VZEROUPPER vector instruction, which sets the z-bit and frees resources in the register file. If the branch prediction turns out to be wrong and the speculative VZEROUPPER operation is rolled back to the original state, the contents of the vector registers may be corrupted, since the z-bit is rolled back but the freed register-file resource is not restored.
By manipulating the VZEROUPPER instruction, it is possible to achieve a controlled leak of data processed in the YMM vector registers used in AVX (Advanced Vector Extensions) and SSE (Streaming SIMD Extensions) modes. These registers are actively used in memory copy and string processing functions; for example, in the Glibc library they are used in the memcpy, strcmp and strlen functions[1].
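The use-after-free analogy above can be made concrete with a small software model, added here as an illustration and not taken from the original article or from AMD documentation. It is a deliberately simplified sketch of a shared register file and a RAT with a z-bit; the class, the task names, the slot reuse order and the `defer_free` variant (freeing a slot only once the instruction is no longer speculative) are all assumptions made for the model.

```python
class Core:
    """Toy model of one core: a register file shared by all tasks, plus a RAT."""

    def __init__(self, slots=4, defer_free=False):
        self.rf = [0] * slots            # physical register file
        self.free = list(range(slots))   # free slots; freed slots are reused first
        self.rat = {}                    # (task, reg) -> [slot, z_bit]
        self.defer_free = defer_free     # hypothetical fix: never free speculatively

    def write(self, task, reg, value):
        slot = self.free.pop(0)
        self.rf[slot] = value
        self.rat[(task, reg)] = [slot, False]

    def read(self, task, reg):
        slot, z_bit = self.rat[(task, reg)]
        return 0 if z_bit else self.rf[slot]   # z-bit set means "reads as zero"

    def speculative_zero(self, task, reg):
        """Speculative VZEROUPPER: set the z-bit and release the slot."""
        entry = self.rat[(task, reg)]
        entry[1] = True
        if not self.defer_free:
            self.free.insert(0, entry[0])

    def rollback(self, task, reg):
        """Branch was mispredicted: only the z-bit is restored."""
        self.rat[(task, reg)][1] = False


def run(defer_free):
    core = Core(defer_free=defer_free)
    core.write("task_a", "ymm0", 0x1111)     # task A's own value lands in slot 0
    core.speculative_zero("task_a", "ymm0")  # slot 0 released during speculation
    core.write("task_b", "ymm1", 0x5EC2E7)   # task B's data reuses slot 0 if free
    core.rollback("task_a", "ymm0")          # z-bit cleared, mapping still slot 0
    return core.read("task_a", "ymm0")       # what task A now sees in ymm0


if __name__ == "__main__":
    print("free during speculation:", hex(run(defer_free=False)))
    print("free deferred:          ", hex(run(defer_free=True)))
```

In the first run task A reads task B's value through its stale mapping; in the second the slot was never handed out, so task A reads back its own data.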
2020: AMD unveils first computer processor on new Zen 3 architecture
On October 8, 2020, Advanced Micro Devices introduced the next generation of processors based on the Zen 3 architecture, the Ryzen 5000 series. The new products are distinguished by significant performance improvements and a new architecture.
2018: Zen 2 announcement
In November 2018, AMD introduced its new Zen 2 processor architecture, which will form the basis of solutions for both personal computers and servers. The company promises a significant increase in performance compared to the first version of Zen.
Zen 2 brings dramatic changes to AMD's processor architecture for multi-core chips. Thus, the northbridge of the processor will be separated into several blocks to make the I/O subsystem more flexible and better adapted to work with a large number of cores.
AMD server chips with Zen 2 architecture are codenamed Rome. Their distinctive feature is the modular design, while the predecessors consisted of four identical dies containing eight x86-compatible Zen cores each.
Eight 7nm modules were placed on one substrate, each containing eight Zen 2 cores. In the center is a 14-nanometer I/O die, communicating with the modules through the Infinity Fabric bus. It includes an 8-channel DDR4 memory controller, a 128-lane PCI Express 4.0 interface controller, as well as other peripherals and a small cache.
AMD notes that Zen 2 achieved a 29 percent improvement in the number of instructions executed per cycle (IPC) compared to the microarchitecture of the previous generation. It is also claimed that the total performance of servers per socket will be doubled, and the performance in floating point tasks will increase fourfold.
In November 2018, AMD began shipping trial versions of Zen 2 processors, and serial production is scheduled for 2019. Full compatibility with previous Epyc Naples solutions and future AMD Milan processors with Zen 3 architecture is announced.[2]