CPU Vulnerability Spectre V2: New Variant Affects AMD's Ryzen and Epyc

A new variant of branch target injection (BTI), better known as Spectre v2, gets past the mitigations AMD has deployed so far against this class of vulnerability. Its discoverer, Pawel Wieczorkiewicz, exploits a peculiarity of AMD's Zen 1 and Zen 2 processor generations: their branch prediction units may continue speculating straight past an unconditional branch instruction such as JMP into the code that follows it, instead of treating the branch as the end of the instruction stream.

The technique is interesting mainly because of how it works, since it sidesteps the existing protective measures. As things stand, however, the vulnerability does not pose a major risk: SUSE rates CVE-2021-26341 with a CVSS score of 5.6, which falls into the "moderate" category.

The reason for this classification is probably that the conditions required to exploit the vulnerability are rarely found in practice unless you carelessly create them yourself. And even then, only a handful of bytes can be read out per interval of 0.5 seconds to a few seconds, as Wieczorkiewicz writes in his blog post.

The underlying problem was already known from ARM processors as straight-line speculation (SLS), but it now turns out to affect AMD's x86 CPUs as well, including the desktop models Ryzen 1000 to Ryzen 3000, the mobile Ryzen 2000 series, some Ryzen 5000 parts ("Lucienne" CPUs, which are all based on the Zen 2 architecture), as well as Epyc 7001 and Epyc 7002. AMD also lists some older Bulldozer-family processors such as the A12-9800.

Starting with Zen 3, AMD's processors use an improved branch predictor that no longer shows this behaviour. On the Intel side, no Core i or Xeon CPUs are affected.

Security researcher Wieczorkiewicz was actually investigating new approaches to memory optimization that would make more efficient use of caches. In the process he noticed that the AMD processors mispredicted so badly that they speculatively executed code that was still present in the Linux kernel binary but had long been dead, i.e. no longer reachable on any architectural path.

In the case of RET and JMP instructions, the problem can be solved by placing an INT3 instruction directly after the branch: if the processor speculates past the branch, it runs into the INT3 and speculation stops there. For CALLs, an LFENCE instruction can be inserted instead, which however costs noticeable performance. AMD recommends this approach in its security bulletin.
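As an added example (not from the article, AMD or grsecurity), the following Python script checks a binary for exactly the pattern described above: it scans an `objdump -d` style listing and flags every RET and unconditional JMP that is not immediately followed by INT3, and, per the article's description of AMD's guidance, every CALL not followed by LFENCE. The listing, the function names `func_a`/`func_b` and the checker's own names are constructed for this example. The check also catches the worst case, a bare RET at the end of a function, where speculation would run straight into whatever function the linker placed next.

```python
"""Scan an objdump-style x86-64 listing for branches lacking the SLS mitigation.

Policy (following the article's description of AMD's guidance):
  * RET and unconditional JMP must be followed directly by INT3
  * CALL must be followed directly by LFENCE
Conditional jumps are deliberately not checked: their fall-through path is
architecturally reachable, so speculating down it is not straight-line speculation.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample listing in `objdump -d` format (not real kernel code).
# func_a: hardened RET at 0x1003, unhardened JMP at 0x1005, bare RET at the end.
# func_b: CALL followed by LFENCE (ok), JMP without INT3, RET with INT3 (ok).
SAMPLE_LISTING = """\
0000000000001000 <func_a>:
    1000:  48 8b 07              mov    (%rdi),%rax
    1003:  c3                    ret
    1004:  cc                    int3
    1005:  ff e0                 jmp    *%rax
    1007:  48 31 c0              xor    %rax,%rax
    100a:  c3                    ret

0000000000001010 <func_b>:
    1010:  ff d0                 call   *%rax
    1012:  0f ae e8              lfence
    1015:  eb 02                 jmp    1019 <func_b+0x9>
    1017:  31 c0                 xor    %eax,%eax
    1019:  c3                    ret
    101a:  cc                    int3
"""

SYM_RE = re.compile(r"^([0-9a-f]+) <([^>]+)>:\s*$")
INSN_RE = re.compile(r"^\s*([0-9a-f]+):\s+(?:[0-9a-f]{2}\s+)+(\S+)(?:\s+(.*?))?\s*$")

# Instruction that must sit at the fall-through address of each branch kind.
REQUIRED_SUCCESSOR = {
    "ret": "int3", "retq": "int3",
    "jmp": "int3", "jmpq": "int3",
    "call": "lfence", "callq": "lfence",
}


@dataclass
class Insn:
    func: str
    addr: int
    mnemonic: str
    operands: str


@dataclass
class Finding:
    func: str
    addr: int
    mnemonic: str
    operands: str
    required: str     # instruction the mitigation wants at the fall-through address
    fallthrough: str  # what is actually there (i.e. what would be speculated)


def parse_listing(text: str) -> List[Insn]:
    """Turn objdump output into a flat, address-ordered instruction list."""
    insns: List[Insn] = []
    func = "<unknown>"
    for line in text.splitlines():
        m = SYM_RE.match(line)
        if m:
            func = m.group(2)
            continue
        m = INSN_RE.match(line)
        if m:
            insns.append(Insn(func, int(m.group(1), 16), m.group(2), m.group(3) or ""))
    return insns


def find_unhardened(insns: List[Insn]) -> List[Finding]:
    """Report every branch whose fall-through instruction is not the required stopper."""
    findings: List[Finding] = []
    for i, insn in enumerate(insns):
        required = REQUIRED_SUCCESSOR.get(insn.mnemonic)
        if required is None:
            continue
        nxt: Optional[Insn] = insns[i + 1] if i + 1 < len(insns) else None
        if nxt is not None and nxt.mnemonic == required:
            continue  # mitigated: speculation halts at the stopper instruction
        if nxt is None:
            fallthrough = "<end of listing>"
        elif nxt.func != insn.func:
            # A bare branch at the end of a function lets speculation run into
            # the next function in memory, which is the case to worry about most.
            fallthrough = f"{nxt.mnemonic} at start of {nxt.func}"
        else:
            fallthrough = nxt.mnemonic
        findings.append(Finding(insn.func, insn.addr, insn.mnemonic, insn.operands,
                                required, fallthrough))
    return findings


def report(text: str) -> List[str]:
    """One human-readable line per unhardened branch in the listing."""
    lines = []
    for f in find_unhardened(parse_listing(text)):
        insn_text = (f.mnemonic + " " + f.operands).strip()
        lines.append(f"{f.func}+{f.addr:#x}: {insn_text} not followed by {f.required} "
                     f"(would speculate into {f.fallthrough})")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LISTING):
        print(line)
```

Run against a real object with `objdump -d some.o | python3 sls_check.py` after swapping `SAMPLE_LISTING` for `sys.stdin.read()`; on a build where the compiler already emits the stoppers (GCC's `-mharden-sls` does this for returns and indirect jumps, and the Linux kernel's objtool performs the same check) the report should come back empty.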


(MMA)
