A group of researchers from the Technical University of Dresden has disclosed a vulnerability (CVE-2020-12965) in AMD processors based on the Zen+ and Zen 2 microarchitectures that makes a Meltdown-class attack possible. AMD Zen+ and Zen 2 processors were originally assumed not to be affected by the Meltdown vulnerability, but the researchers identified a behaviour that leads to speculative access to protected memory areas when non-canonical virtual addresses are used.
The AMD64 architecture uses only the first 48 bits of a virtual address and ignores the remaining 16 bits. It also specifies that bits 48 to 63 must always copy the value of bit 47 (sign extension). If this condition is violated and an access is attempted to an address with arbitrary values in the upper bits, the processor generates an exception. This replication of the upper bits splits the available address space into two blocks: the lower one (from 0 to 00007FFFFFFFFFFF), in which the upper bits are cleared, and the upper one (from FFFF800000000000 to FFFFFFFFFFFFFFFF), in which all the upper bits are set to 1.
Addresses that fall within these blocks are called canonical, and invalid addresses with arbitrary contents in the upper bits are called non-canonical. The lower range of canonical addresses is usually allocated to process data, and the upper range is used for kernel data (access to these addresses from user space is blocked by privilege-level separation).
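The canonical-address rule described above can be expressed as a short check. This is an added example, not code from the researchers or from AMD; the function names are hypothetical, and the `va_bits` parameter generalizes the 48-bit case in the text to other virtual address widths (for example 57 bits with 5-level paging).

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

enum va_class { VA_LOWER_HALF, VA_UPPER_HALF, VA_NON_CANONICAL };

/* Highest address of the lower canonical block, e.g. 0x00007FFFFFFFFFFF. */
static uint64_t va_lower_max(unsigned va_bits)
{
    return (1ULL << (va_bits - 1)) - 1;   /* assumes 1 <= va_bits <= 63 */
}

/* Lowest address of the upper canonical block, e.g. 0xFFFF800000000000. */
static uint64_t va_upper_min(unsigned va_bits)
{
    return ~va_lower_max(va_bits);
}

/* Copy bit (va_bits - 1) into every bit above it, as the architecture requires. */
static uint64_t va_sign_extend(uint64_t addr, unsigned va_bits)
{
    uint64_t low_mask = (1ULL << va_bits) - 1;
    uint64_t low = addr & low_mask;
    uint64_t sign = 1ULL << (va_bits - 1);
    return (low & sign) ? (low | ~low_mask) : low;
}

/* An address is canonical only if it already equals its sign-extended form. */
static enum va_class va_classify(uint64_t addr, unsigned va_bits)
{
    if (va_sign_extend(addr, va_bits) != addr)
        return VA_NON_CANONICAL;
    return (addr >> 63) ? VA_UPPER_HALF : VA_LOWER_HALF;
}

int main(void)
{
    /* Constructed sample addresses, not taken from the article. */
    const uint64_t samples[] = {
        0x00007FFFFFFFFFFFULL, 0x0000800000000000ULL,
        0x1234800000000000ULL, 0xFFFF800000000000ULL,
    };
    static const char *names[] = { "lower half", "upper half", "non-canonical" };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%016" PRIx64 "  %s\n", samples[i],
               names[va_classify(samples[i], 48)]);
    return 0;
}
```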
The classic Meltdown vulnerability relies on the fact that during speculative execution of instructions the processor can access a protected data area, after which the result is discarded because the user process lacks the privileges for that access. In the program, the speculatively executed block is separated from the main code by a conditional branch that in real conditions is always taken; but because the condition uses a computed value that the processor does not know during the speculative execution of the code, all branch outcomes are executed speculatively.