XSA-433: x86/AMD: Zenbleed

Xen Project (xenbits.xen.org)
Published: 2023-07-24 16:00:00

CVSS3: 5.5 Medium
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS2: 1.7 Low
AV:L/AC:L/Au:S/C:P/I:N/A:N
Access Vector: LOCAL
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

EPSS: 0.001 Low (Percentile: 22.7%)

ISSUE DESCRIPTION

Researchers at Google have discovered Zenbleed, a hardware bug causing corruption of the vector registers.
When a VZEROUPPER instruction is discarded as part of a bad transient execution path, its effect on internal tracking is not unwound correctly. This manifests as the wrong micro-architectural state becoming architectural, corrupting the vector registers.
Note: While this malfunction is related to speculative execution, this is not a speculative side-channel vulnerability.
The corruption is not random. The values that appear are stale contents of the physical vector register file, a structure competitively shared between sibling threads. Therefore, an attacker can directly access data from the sibling thread, or from a more privileged context.
For more details, see: https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7008.html and https://github.com/google/security-research/security/advisories/GHSA-v6wh-rxpg-cmm8

IMPACT

With very low probability, corruption of the vector registers can occur. This data corruption causes miscalculations in subsequent logic.
An attacker can exploit this bug to read data from different contexts on the same core. Examples of such data include key material, ciphertext and plaintext from the AES-NI instructions, or the contents of REP-MOVS instructions, commonly used to implement memcpy().

VULNERABLE SYSTEMS

Systems running all versions of Xen are affected.
This bug is specific to the AMD Zen2 microarchitecture. AMD do not believe that other microarchitectures are affected.
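Since the advisory scopes the bug to the AMD Zen2 microarchitecture, the first thing an operator wants is a reliable way to tell whether a given host is on such a part. The following is an added example, not code from the XSA-433 advisory or from Xen: it decodes CPUID family and model the way AMD defines them and classifies the result. The Zen2 model ranges it uses (family 0x17, models 0x30-0x4f, 0x60-0x7f, 0x90-0x91, 0xa0-0xaf) are an assumption taken from the erratum table used by the Linux kernel, not something this page states.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Model ranges are an assumption taken from the Zen2 erratum table used by the
 * Linux kernel, not from the XSA-433 text: family 0x17, models 0x30-0x4f,
 * 0x60-0x7f, 0x90-0x91 and 0xa0-0xaf. */
/* AMD displayed family from CPUID leaf 1 EAX: the extended family field is
 * added only when the base family is 0xF. */
unsigned amd_family(uint32_t eax)
{
    unsigned base = (eax >> 8) & 0xf;
    return base == 0xf ? base + ((eax >> 20) & 0xff) : base;
}

/* AMD displayed model: the extended model nibble is prepended only for family 0xF+. */
unsigned amd_model(uint32_t eax)
{
    unsigned base = (eax >> 4) & 0xf;
    return ((eax >> 8) & 0xf) == 0xf ? (((eax >> 16) & 0xf) << 4) | base : base;
}

/* 1 if the displayed (family, model) pair is a Zen2 part, else 0. */
int cpu_is_zen2(unsigned family, unsigned model)
{
    if (family != 0x17) return 0;
    return (model >= 0x30 && model <= 0x4f) || (model >= 0x60 && model <= 0x7f) ||
           (model >= 0x90 && model <= 0x91) || (model >= 0xa0 && model <= 0xaf);
}

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
/* Query the host: vendor string from leaf 0, family/model from leaf 1 EAX. */
int running_cpu_is_zen2(void)
{
    unsigned eax, ebx, ecx, edx;
    char vendor[13] = {0};
    if (!__get_cpuid(0, &eax, &ebx, &ecx, &edx)) return 0;
    memcpy(vendor, &ebx, 4); memcpy(vendor + 4, &edx, 4); memcpy(vendor + 8, &ecx, 4);
    if (strcmp(vendor, "AuthenticAMD") != 0 || !__get_cpuid(1, &eax, &ebx, &ecx, &edx))
        return 0;
    return cpu_is_zen2(amd_family(eax), amd_model(eax));
}
#else
int running_cpu_is_zen2(void) { return 0; } /* not an x86 host, so not Zen2 */
#endif

int main(void)
{
    printf("host CPU %s an AMD Zen2 part\n", running_cpu_is_zen2() ? "is" : "is not");
    return 0;
}
```

Run it on each Xen host in an inventory; a "is" result is the set of machines this advisory applies to, and a non-x86 host always reports "is not".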
