Re: Dumb Questions
There are two points of view: It is both a bug and an exploit.
In “bug” mode, a vzeroupper in your code shouldn’t be executed, but is actually executed by branch misprediction. When this misprediction is fixed, data from any process that happened to write to an xmm register may have overwritten your register. That’s obviously a bug. But it seems this is rare: I have the impression another process must write to a rename register just between the CPU mispredicting a branch around a vzeroupper instruction and fixing the misprediction, so only a handful of cycles.
In “exploit” mode the malware does exactly the same, but intentionally, and actually hopes that its data gets overwritten, because it knows some other process had written that data.
The reason why this doesn’t happen with ordinary registers is that they are protected from being written to while a predicted branch is running, and for some reason this doesn’t happen for vzeroupper.