update: linux-firmware and Linux Kernel (Zenbleed) #1134

Closed
dongsupark opened this issue Jul 24, 2023 · 4 comments
Labels: advisory (security advisory), area/kernel (Issues related to kernel), channel/alpha (Issue concerns the Alpha channel), channel/beta (Issue concerns the Beta channel), channel/lts, channel/stable (Issue concerns the Stable channel), cvss/MEDIUM (>= 4 && < 7 assessed CVSS), security (security concerns)

Comments

dongsupark (Member) commented Jul 24, 2023

Name: linux-firmware
CVEs: CVE-2023-20593
CVSS: 5.5
Action Needed:

  • linux-firmware (the ideal fix): update to >= 20230625_p20230724 for some AMD processors, TBD for others
  • Kernel (a fallback fix): update to >= 6.1.41, 5.15.122, 5.10.187

Summary:
(quoted from https://seclists.org/oss-sec/2023/q3/59)

This includes at least the following products:

  • AMD Ryzen 3000 Series Processors
  • AMD Ryzen PRO 3000 Series Processors
  • AMD Ryzen Threadripper 3000 Series Processors
  • AMD Ryzen 4000 Series Processors with Radeon Graphics
  • AMD Ryzen PRO 4000 Series Processors
  • AMD Ryzen 5000 Series Processors with Radeon Graphics
  • AMD Ryzen 7020 Series Processors with Radeon Graphics
  • AMD EPYC 7002 Series Processors

I've written a blog post with a detailed description of this bug, it's available here:

https://lock.cmpxchg8b.com/zenbleed.html

Background

The vector register file (RF) is a resource shared among all tasks on the same physical core. The register allocation table (RAT) keeps track of how RF resources are assigned and mapped to named registers. However, no RF space is needed to store a register with a zero value - a flag called the z-bit can simply be set in the RAT.

Vulnerability

If the z-bit is set speculatively, then it would not be sufficient to unset it again on branch misprediction. That's because the previously allocated RF space could have been reallocated between those two events. That would effectively be a UaF.

We have discovered that this really can happen under certain specific conditions. Specifically, an instruction that uses merge optimization, a register rename, and a mispredicted VZEROUPPER instruction must enter the FP backend simultaneously.

Impact

The practical result here is that you can spy on the registers of other processes. No system calls or privileges are required.

It works across virtual machines and affects all operating systems.

I have written a PoC for this issue that's fast enough to reconstruct keys and passwords as users log in.

Solution

AMD have released a patch for this issue available here:

https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/commit/?id=b250b32ab1d044953af2dc5e790819a7703b7ee6

There is a software workaround, you can set the chicken bit DE_CFG[9]. This may have some performance cost, and the microcode update is preferred.

It is not sufficient to disable SMT.

refmap.gentoo: https://bugs.gentoo.org/911160

dongsupark added the security and advisory labels Jul 24, 2023
dongsupark changed the title from "update: linux-firmware" to "update: linux-firmware and Linux Kernel (Zenbleed)" Jul 25, 2023
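The DE_CFG[9] workaround and the affected-model check, as an added shell example for this issue; it is not code from Flatcar, from the quoted oss-sec post, or from the kernel. Beyond what the page states, it assumes that DE_CFG is MSR 0xC0011029 (MSR_AMD64_DE_CFG) and that bit 9 is the chicken bit the kernel fallback fix also sets when microcode is too old; that Zen 2 is family 0x17 with models 0x30-0x3f, 0x60-0x6f, 0x70-0x7f and 0xa0-0xaf; and that rdmsr/wrmsr from msr-tools are installed with the msr module loaded. The /proc/cpuinfo excerpt in sample_cpuinfo is constructed, not a real capture.

```shell
#!/bin/sh
# Added example for this issue, not code from Flatcar, the quoted oss-sec post
# or the kernel. Classifies the host CPU against the Zen 2 model ranges,
# reports per CPU whether the DE_CFG[9] chicken bit (the software workaround
# quoted above) is set, and with "apply" sets it by read-modify-write.
#
# Assumptions not stated on the page:
#  - DE_CFG is MSR 0xC0011029 (MSR_AMD64_DE_CFG); bit 9 is the Zenbleed chicken
#    bit, which the kernel fallback fix also sets when microcode is too old.
#  - Zen 2 is family 0x17, models 0x30-0x3f, 0x60-0x6f, 0x70-0x7f, 0xa0-0xaf.
#  - rdmsr/wrmsr (msr-tools) are installed and the msr module is loaded.
#    In a VM the MSR is normally not exposed: fix the host instead.

DE_CFG_MSR=0xc0011029
ZENBLEED_CHICKEN_BIT=9

# zen2_affected FAMILY MODEL   (decimal, as /proc/cpuinfo prints them)
# Succeeds when the part falls in one of the Zen 2 model ranges.
zen2_affected() {
    fam=$1
    mdl=$2
    [ "$fam" -eq 23 ] 2>/dev/null || return 1   # family 0x17
    # 0x30-0x3f (e.g. EPYC 7002), 0x60-0x6f (e.g. Ryzen 4000 APUs),
    # 0x70-0x7f (e.g. Ryzen 3000), 0xa0-0xaf (e.g. Ryzen 7020)
    for range in "48 63" "96 111" "112 127" "160 175"; do
        set -- $range
        [ "$mdl" -ge "$1" ] && [ "$mdl" -le "$2" ] && return 0
    done
    return 1
}

# cpuinfo_fields < /proc/cpuinfo  ->  "FAMILY MODEL MICROCODE" of the first CPU
cpuinfo_fields() {
    awk -F': *' '
        /^cpu family/   && !f { f = $2 }
        /^model[ \t]*:/ && !m { m = $2 }   # "model", not "model name"
        /^microcode/    && !u { u = $2 }
        END { print f, m, u }'
}

# de_cfg_fix_active HEX   (DE_CFG value as rdmsr prints it, 0x prefix optional)
# Succeeds when bit 9 is set, i.e. the workaround is active on that CPU.
de_cfg_fix_active() {
    hex=${1#0x}
    [ $(( (0x$hex >> $ZENBLEED_CHICKEN_BIT) & 1 )) -eq 1 ]
}

# with_chicken_bit HEX  ->  the same DE_CFG value with bit 9 set, for wrmsr
with_chicken_bit() {
    hex=${1#0x}
    printf '0x%x\n' $(( 0x$hex | (1 << $ZENBLEED_CHICKEN_BIT) ))
}

# Constructed /proc/cpuinfo excerpt (not a real capture) for offline runs.
sample_cpuinfo() {
    printf 'processor\t: 0\nvendor_id\t: AuthenticAMD\ncpu family\t: 23\n'
    printf 'model\t\t: 113\nmodel name\t: AMD Ryzen 9 3950X 16-Core Processor\n'
    printf 'microcode\t: 0x8701021\n'
}

# zenbleed_main status|apply
zenbleed_main() {
    mode=$1
    set -- $(cpuinfo_fields < /proc/cpuinfo)
    fam=$1; mdl=$2; ucode=$3
    if ! zen2_affected "$fam" "$mdl"; then
        echo "family $fam model $mdl: not a Zen 2 part, Zenbleed does not apply"
        return 0
    fi
    echo "Zen 2 part (family $fam model $mdl), microcode $ucode: compare with"
    echo "AMD's fixed revision for this model; if older, DE_CFG[9] is the only mitigation"
    rc=0
    for dev in /dev/cpu/[0-9]*; do
        cpu=${dev##*/}
        if ! cur=$(rdmsr -p "$cpu" "$DE_CFG_MSR" 2>/dev/null); then
            echo "cpu$cpu: cannot read DE_CFG (need root and the msr module; VMs do not expose it)"
            return 2
        fi
        if de_cfg_fix_active "$cur"; then
            echo "cpu$cpu: DE_CFG=$cur, bit 9 set, workaround active"
        elif [ "$mode" = apply ]; then
            # per-CPU read-modify-write keeps the other DE_CFG bits; not persistent
            wrmsr -p "$cpu" "$DE_CFG_MSR" "$(with_chicken_bit "$cur")"
            echo "cpu$cpu: DE_CFG[9] set until reboot"
        else
            echo "cpu$cpu: DE_CFG=$cur, bit 9 clear, NOT mitigated (rerun with apply)"
            rc=1
        fi
    done
    return $rc
}

case "${1:-}" in
    status|apply) zenbleed_main "$1" ;;
    demo) sample_cpuinfo | cpuinfo_fields ;;
esac
```

Run it as `sh zenbleed-check.sh status` on the host (not inside a guest), then `apply` as root if bit 9 is clear and the fixed firmware or kernel cannot be installed yet. A set bit may already come from the kernel fallback fix rather than from an earlier wrmsr, and a wrmsr-applied bit is lost at reboot, so on Flatcar the durable fix remains the release noted later in this issue. The microcode revision printed by the script still has to be compared by hand against AMD's fixed revision for that model.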
dongsupark (Member, Author) commented Jul 25, 2023

Updated the subject to include Linux Kernel as a fallback fix.

Ideal fix: Gentoo's linux-firmware 20230625_p20230724 includes fixes for some AMD processors, but not for all. This part needs further tracking.

As a fallback, Stable Kernels 6.1.41, 5.15.122, 5.10.187 are available for fixing that.

dongsupark added the channel/alpha, channel/beta, channel/stable, channel/lts and area/kernel labels Jul 25, 2023
vielmetti commented

I see that the target release date for this is 2023-08-07 - I know this issue was under embargo for some time and that the embargo lifted abruptly. Considerable interest in seeing this fix deployed.

The upstream Gentoo issue looks like it's at https://bugs.gentoo.org/show_bug.cgi?id=CVE-2023-20593 where it is labelled "zenrot".

dongsupark (Member, Author) commented

Both linux-firmware and Linux Kernel were updated.
It will be fixed in the next release.

dongsupark added the cvss/MEDIUM label Aug 7, 2023
dongsupark (Member, Author) commented

Alpha 3689.0.0, Beta 3602.1.4, Stable 3510.2.6, and LTS 3033.3.16 have the fix.
