
CVE-2023-31346 PoC: AMD SEV-SNP security vulnerability

Associated Vulnerability
Title: AMD SEV-SNP security vulnerability (CVE-2023-31346)
Description: Failure to initialize memory in SEV Firmware may allow a privileged attacker to access stale data from other guests.
Readme
# Firmware Memory Leak

The code here aims to demonstrate the memory leaks in guest message headers and in the CPUID request guest message.

# Prerequisites

- Install rustup.
- Install a Linux kernel with SEV-SNP host support. I used a kernel with a few of my own patches: https://github.com/Freax13/linux/tree/snp-host-v9-rfc-with-my-patches.

# Usage

1. Reboot the machine.
2. Run `cargo make run run` in the `host` directory.
3. Observe the logs for leaked values: the start values of pAlignedPTReqPayload after firmware initialization.
4. Run `cargo make run run-with id 123` in the `host` directory. This launches a guest with an ID auth block set to all 123.
5. Observe the logs for the ID block in the leaked values.
6. Start a SEV-ES guest.
7. Observe the logs for leaked launch data. Note that the values here will only appear if more than one page was submitted in a single command. This only happens if the guest data as submitted by QEMU is contiguous in physical memory. The chances of this are not very good, so it might take more than a dozen attempts to trigger this.
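The leak this PoC looks for in guest message headers shows up as non-zero bytes in fields the firmware is required to leave zeroed. As an added illustration that is not code from this repository, the Rust check below walks the reserved fields of an SNP guest message header (layout as defined in the AMD SEV-SNP ABI specification; the sample buffers are constructed) and reports every reserved byte that is not zero, which is the defender-side signal that uninitialized firmware memory is being returned.

```rust
// Added example, not part of the PoC repository. Header layout follows the
// SEV-SNP guest message header from the AMD SEV-SNP ABI spec; the sample
// buffers below are constructed for illustration.

/// Size of the SNP guest message header in bytes.
pub const HDR_SIZE: usize = 0x60;

/// Byte ranges the ABI defines as reserved (half-open: start..end). A
/// correctly initialised response has all of them zero; stale bytes here are
/// exactly the kind of leak the PoC watches for.
const RESERVED_RANGES: [(usize, usize); 3] = [
    (0x28, 0x30), // RSVD following MSG_SEQNO
    (0x38, 0x3C), // RSVD following MSG_SIZE
    (0x3D, 0x60), // RSVD following MSG_VMPCK, up to end of header
];

/// Returns the offsets of every reserved byte that is not zero, or an error
/// if the buffer is too short to contain a full header.
pub fn nonzero_reserved_offsets(hdr: &[u8]) -> Result<Vec<usize>, String> {
    if hdr.len() < HDR_SIZE {
        return Err(format!("header too short: {} < {}", hdr.len(), HDR_SIZE));
    }
    let mut hits = Vec::new();
    for &(start, end) in &RESERVED_RANGES {
        for (i, b) in hdr[start..end].iter().enumerate() {
            if *b != 0 {
                hits.push(start + i);
            }
        }
    }
    Ok(hits)
}

/// Build a header with the given sequence number and message type and all
/// reserved bytes zero, i.e. what a properly initialised header looks like.
pub fn clean_header(seqno: u64, msg_type: u8) -> [u8; HDR_SIZE] {
    let mut hdr = [0u8; HDR_SIZE];
    hdr[0x20..0x28].copy_from_slice(&seqno.to_le_bytes()); // MSG_SEQNO
    hdr[0x31] = 1; // HDR_VERSION
    hdr[0x32..0x34].copy_from_slice(&(HDR_SIZE as u16).to_le_bytes()); // HDR_SIZE
    hdr[0x34] = msg_type; // MSG_TYPE
    hdr
}

fn main() {
    let clean = clean_header(7, 0x02); // 0x02 = MSG_CPUID_RSP in the ABI
    println!("clean header: {:?}", nonzero_reserved_offsets(&clean));
    // Constructed "leaky" response: stale bytes left behind in the reserved tail.
    let mut leaky = clean;
    leaky[0x40..0x44].copy_from_slice(&[0xde, 0xad, 0xbe, 0xef]);
    println!("leaky header: {:?}", nonzero_reserved_offsets(&leaky));
}
```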

File Snapshot

```text
[4.0K] /data/pocs/e49c8ef47025ca9ee395108faef7fd56cdd70cb4
├── [4.0K] common
│   ├── [4.3K] Cargo.lock
│   ├── [ 302] Cargo.toml
│   ├── [4.0K] constants
│   │   ├── [  64] Cargo.toml
│   │   └── [4.0K] src
│   │       └── [ 179] lib.rs
│   ├── [4.0K] loader
│   │   ├── [ 346] Cargo.toml
│   │   └── [4.0K] src
│   │       ├── [4.7K] elf.rs
│   │       └── [1.6K] lib.rs
│   └── [4.0K] snp-types
│       ├── [ 422] Cargo.toml
│       └── [4.0K] src
│           ├── [3.2K] cpuid.rs
│           ├── [4.0K] ghcb
│           │   └── [ 14K] msr_protocol.rs
│           ├── [4.7K] ghcb.rs
│           ├── [2.6K] guest_message.rs
│           ├── [2.4K] guest_policy.rs
│           ├── [ 185] intercept.rs
│           ├── [1.9K] lib.rs
│           └── [ 878] secrets.rs
├── [4.0K] host
│   ├── [ 18K] Cargo.lock
│   ├── [ 370] Cargo.toml
│   ├── [ 576] Makefile.toml
│   └── [4.0K] mushroom
│       ├── [ 717] Cargo.toml
│       └── [4.0K] src
│           ├── [ 29K] kvm.rs
│           ├── [ 14K] lib.rs
│           ├── [1.9K] main.rs
│           └── [3.8K] slot.rs
├── [1.0K] LICENSE
├── [ 163] mushroom.code-workspace
├── [1.1K] README.md
├── [ 103] rust-toolchain.toml
└── [4.0K] tee
    ├── [ 11K] Cargo.lock
    ├── [ 545] Cargo.toml
    ├── [4.0K] kernel
    │   ├── [ 213] build.rs
    │   ├── [ 625] Cargo.toml
    │   ├── [ 524] kernel.json
    │   ├── [1.5K] linker.ld
    │   └── [4.0K] src
    │       ├── [1002] exception.rs
    │       ├── [8.5K] ghcb.rs
    │       ├── [1.2K] logging.rs
    │       ├── [2.6K] main.rs
    │       ├── [6.8K] pagetable.rs
    │       ├── [ 165] panic.rs
    │       ├── [ 866] reset_vector.rs
    │       └── [6.7K] reset_vector.s
    ├── [ 613] Makefile.toml
    └── [4.0K] serial-log
        ├── [ 188] Cargo.toml
        └── [4.0K] src
            └── [1.5K] lib.rs

16 directories, 45 files
```