CVE-2023-31346 PoC — AMD SEV-SNP security vulnerability

Source
Associated Vulnerability
Title: AMD SEV-SNP security vulnerability (CVE-2023-31346)
Description: AMD SEV-SNP is secure encrypted virtualization firmware from Advanced Micro Devices (AMD). It encrypts system memory with a single key. AMD SEV-SNP has a security vulnerability that stems from a failure to initialize memory in the SEV firmware.
Readme
# Firmware Memory Leak

The code here aims to demonstrate the memory leaks in guest message headers and in the CPUID request guest message.

# Prerequisites

- Install rustup.
- Install a Linux kernel with SEV-SNP host support. I used a kernel with a few of my own patches: https://github.com/Freax13/linux/tree/snp-host-v9-rfc-with-my-patches.

# Usage

1. Reboot the machine
2. Run `cargo make run run` in the `host` directory.
3. Observe the logs for leaked values (the start values of pAlignedPTReqPayload) after firmware initialization.
4. Run `cargo make run run-with id 123` in the `host` directory. This launches a guest with an id auth block set to all 123.
5. Observe the logs for the id block in the leaked values.
6. Start a SEV-ES guest.
7. Observe the logs for leaked launch data. Note that the values here will only appear if more than one page was submitted in a single command. This will only happen if the guest data as submitted by QEMU is contiguous in physical memory. The chances of this are not very good, so it might take more than a dozen attempts to trigger this.
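The README above reads leaked values out of guest message headers: bytes the firmware should have zeroed come back carrying stale firmware memory. The following is an added example, not code from this PoC repository, showing the check a defender would run over a captured guest message response page: parse the header, flag any reserved byte that is not zero, and count non-zero bytes lying past the declared payload. The 96-byte header layout (authtag, msg_seqno, rsvd1, algo, hdr_version, hdr_sz, msg_type, msg_version, msg_sz, rsvd2, msg_vmpck, rsvd3) is an assumption taken from the public SEV-SNP firmware ABI; the sample buffer is constructed, not captured from hardware.

```rust
// Added example (not part of the PoC repository): a checker that parses an
// SEV-SNP guest message header and reports reserved bytes that are not zero.
// A hygienic firmware leaves reserved bytes zeroed, so non-zero reserved bytes
// in a response are the symptom worth logging. The field layout is an assumption
// taken from the public SEV-SNP firmware ABI (96-byte header, little-endian).

pub const HDR_SIZE: usize = 96;

#[derive(Debug, Clone, PartialEq)]
pub struct GuestMsgHdr {
    pub msg_seqno: u64,
    pub algo: u8,
    pub hdr_version: u8,
    pub hdr_sz: u16,
    pub msg_type: u8,
    pub msg_version: u8,
    pub msg_sz: u16,
    pub msg_vmpck: u8,
}

/// Byte ranges the ABI marks as reserved: rsvd1 (40..48), rsvd2 (56..60), rsvd3 (61..96).
pub const RESERVED_RANGES: [(usize, usize); 3] = [(40, 48), (56, 60), (61, 96)];

/// Parse the fixed header fields; the 32-byte authtag at offset 0 is skipped.
pub fn parse_hdr(buf: &[u8]) -> Result<GuestMsgHdr, String> {
    if buf.len() < HDR_SIZE {
        return Err(format!("buffer too short: {} < {}", buf.len(), HDR_SIZE));
    }
    let u16_at = |o: usize| u16::from_le_bytes([buf[o], buf[o + 1]]);
    let mut seq = [0u8; 8];
    seq.copy_from_slice(&buf[32..40]);
    Ok(GuestMsgHdr {
        msg_seqno: u64::from_le_bytes(seq),
        algo: buf[48],
        hdr_version: buf[49],
        hdr_sz: u16_at(50),
        msg_type: buf[52],
        msg_version: buf[53],
        msg_sz: u16_at(54),
        msg_vmpck: buf[60],
    })
}

/// Offsets and values of reserved bytes that are not zero, in offset order.
pub fn leaked_reserved_bytes(buf: &[u8]) -> Vec<(usize, u8)> {
    RESERVED_RANGES
        .iter()
        .flat_map(|&(lo, hi)| lo..hi)
        .filter(|&i| i < buf.len() && buf[i] != 0)
        .map(|i| (i, buf[i]))
        .collect()
}

/// Number of non-zero bytes after the declared payload (header + msg_sz).
/// Assumes the whole response page is handed in.
pub fn nonzero_tail(buf: &[u8], hdr: &GuestMsgHdr) -> usize {
    let end = HDR_SIZE + hdr.msg_sz as usize;
    buf.iter().skip(end).filter(|&&b| b != 0).count()
}

/// Constructed sample response page (not captured from hardware): valid header
/// fields, a 16-byte payload, two planted non-zero reserved bytes and one stale
/// byte past the payload.
pub fn sample_response() -> Vec<u8> {
    let mut buf = vec![0u8; 4096];
    buf[32..40].copy_from_slice(&1u64.to_le_bytes()); // msg_seqno = 1
    buf[48] = 1; // algo (AES-256-GCM in the ABI)
    buf[49] = 1; // hdr_version
    buf[50..52].copy_from_slice(&(HDR_SIZE as u16).to_le_bytes()); // hdr_sz = 96
    buf[52] = 3; // msg_type (constructed value)
    buf[53] = 1; // msg_version
    buf[54..56].copy_from_slice(&16u16.to_le_bytes()); // msg_sz = 16
    buf[42] = 0x7b; // planted inside rsvd1
    buf[70] = 0xaa; // planted inside rsvd3
    buf[HDR_SIZE..HDR_SIZE + 16].fill(0x11); // legitimate payload bytes
    buf[HDR_SIZE + 40] = 0x5c; // stale byte past the payload
    buf
}

fn main() {
    let buf = sample_response();
    let hdr = parse_hdr(&buf).expect("header");
    println!("{hdr:?}");
    for (off, val) in leaked_reserved_bytes(&buf) {
        println!("reserved byte at offset {off} is 0x{val:02x}");
    }
    println!("non-zero bytes past payload: {}", nonzero_tail(&buf, &hdr));
}
```

On a response page that the firmware fully initialised both checks return nothing; any hit is a byte the guest was never meant to see and is worth recording alongside the message sequence number.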

File Snapshot

[4.0K] /data/pocs/e49c8ef47025ca9ee395108faef7fd56cdd70cb4
├── [4.0K] common
│   ├── [4.3K] Cargo.lock
│   ├── [ 302] Cargo.toml
│   ├── [4.0K] constants
│   │   ├── [  64] Cargo.toml
│   │   └── [4.0K] src
│   │       └── [ 179] lib.rs
│   ├── [4.0K] loader
│   │   ├── [ 346] Cargo.toml
│   │   └── [4.0K] src
│   │       ├── [4.7K] elf.rs
│   │       └── [1.6K] lib.rs
│   └── [4.0K] snp-types
│       ├── [ 422] Cargo.toml
│       └── [4.0K] src
│           ├── [3.2K] cpuid.rs
│           ├── [4.0K] ghcb
│           │   └── [ 14K] msr_protocol.rs
│           ├── [4.7K] ghcb.rs
│           ├── [2.6K] guest_message.rs
│           ├── [2.4K] guest_policy.rs
│           ├── [ 185] intercept.rs
│           ├── [1.9K] lib.rs
│           └── [ 878] secrets.rs
├── [4.0K] host
│   ├── [ 18K] Cargo.lock
│   ├── [ 370] Cargo.toml
│   ├── [ 576] Makefile.toml
│   └── [4.0K] mushroom
│       ├── [ 717] Cargo.toml
│       └── [4.0K] src
│           ├── [ 29K] kvm.rs
│           ├── [ 14K] lib.rs
│           ├── [1.9K] main.rs
│           └── [3.8K] slot.rs
├── [1.0K] LICENSE
├── [ 163] mushroom.code-workspace
├── [1.1K] README.md
├── [ 103] rust-toolchain.toml
└── [4.0K] tee
    ├── [ 11K] Cargo.lock
    ├── [ 545] Cargo.toml
    ├── [4.0K] kernel
    │   ├── [ 213] build.rs
    │   ├── [ 625] Cargo.toml
    │   ├── [ 524] kernel.json
    │   ├── [1.5K] linker.ld
    │   └── [4.0K] src
    │       ├── [1002] exception.rs
    │       ├── [8.5K] ghcb.rs
    │       ├── [1.2K] logging.rs
    │       ├── [2.6K] main.rs
    │       ├── [6.8K] pagetable.rs
    │       ├── [ 165] panic.rs
    │       ├── [ 866] reset_vector.rs
    │       └── [6.7K] reset_vector.s
    ├── [ 613] Makefile.toml
    └── [4.0K] serial-log
        ├── [ 188] Cargo.toml
        └── [4.0K] src
            └── [1.5K] lib.rs

16 directories, 45 files