The short version is that the very large registers on the modern CPUs aren’t fixed things like they used to be, they’re allocated from some register area on the die. When they “zero” the upper portion of one of the large registers it doesn’t really clear it. It just releases the block back to available.
Another thing all CPUs need these days to keep fast is branch prediction. CPUs are only fast if they can keep the pipeline of upcoming commands (opcodes) to process full. So they often run both possible routes for a branch and discard the loser.
In this case they “trick” the CPU by asking it to “clear” a block of one of these large registers (the upper half). But then have the branch go the other way. What sometimes happens is that the register space is “released” but it has to take it back. In some specific circumstances they are able to have the register come back, but not with the original contents but with some random contents of maybe another register that was used by another thread (maybe even running on a different VM guest).
I have a server with a 3000 series CPU. I can confirm this definitely works. You’ll get all kind of random blocks of memory from processes running as all users (and kernel code). For AMD processors running VM servers it is even worse. Because if you have say a VPS running on an AMD Zen2 CPU, you can login as any user run this and get random data from people on other VPS on the same hardware!
There is a linux workaround, and it seems most CPUs will be fixed by December.
Note: If you have access to a VPS that is vulnerable, do note that in most countries it is illegal to even try to exploit this.
ELI5 how this works?
The guys themselves made a pretty good write-up. https://lock.cmpxchg8b.com/zenbleed.html
The short version is that the very large registers on the modern CPUs aren’t fixed things like they used to be, they’re allocated from some register area on the die. When they “zero” the upper portion of one of the large registers it doesn’t really clear it. It just releases the block back to available.
Another thing all CPUs need these days to keep fast is branch prediction. CPUs are only fast if they can keep the pipeline of upcoming commands (opcodes) to process full. So they often run both possible routes for a branch and discard the loser.
In this case they “trick” the CPU by asking it to “clear” a block of one of these large registers (the upper half). But then have the branch go the other way. What sometimes happens is that the register space is “released” but it has to take it back. In some specific circumstances they are able to have the register come back, but not with the original contents but with some random contents of maybe another register that was used by another thread (maybe even running on a different VM guest).
I have a server with a 3000 series CPU. I can confirm this definitely works. You’ll get all kind of random blocks of memory from processes running as all users (and kernel code). For AMD processors running VM servers it is even worse. Because if you have say a VPS running on an AMD Zen2 CPU, you can login as any user run this and get random data from people on other VPS on the same hardware!
There is a linux workaround, and it seems most CPUs will be fixed by December.
Note: If you have access to a VPS that is vulnerable, do note that in most countries it is illegal to even try to exploit this.