update: linux-firmware and Linux Kernel (Zenbleed) #1134
Labels:
advisory: security advisory
area/kernel: Issues related to kernel
channel/alpha: Issue concerns the Alpha channel.
channel/beta: Issue concerns the Beta channel.
channel/lts
channel/stable: Issue concerns the Stable channel.
cvss/MEDIUM: >= 4 && < 7 assessed CVSS
security: security concerns
Name: linux-firmware
CVEs: CVE-2023-20593
CVSSs: 5.5
Action Needed:
Summary:
(quotes from https://seclists.org/oss-sec/2023/q3/59)
This includes at least the following products:
I've written a blog post with a detailed description of this bug, it's available here:
https://lock.cmpxchg8b.com/zenbleed.html
Background
The vector register file (RF) is a resource shared among all tasks on the same physical core. The register allocation table (RAT) keeps track of how RF resources are assigned and mapped to named registers. However, no RF space is needed to store a register with a zero value - a flag called the z-bit can simply be set in the RAT.
Vulnerability
If the z-bit is set speculatively, then it would not be sufficient to unset it again on branch misprediction. That's because the previously allocated RF space could have been reallocated between those two events. That would effectively be a UaF.
We have discovered that this really can happen under certain specific conditions. Specifically, an instruction that uses merge optimization, a register rename, and a mispredicted VZEROUPPER instruction must enter the FP backend simultaneously.
Impact
The practical result here is that you can spy on the registers of other processes. No system calls or privileges are required.
It works across virtual machines and affects all operating systems.
I have written a poc for this issue that's fast enough to reconstruct keys and passwords as users log in.
Solution
AMD have released a patch for this issue available here:
https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/commit/?id=b250b32ab1d044953af2dc5e790819a7703b7ee6
There is a software workaround: you can set the chicken bit DE_CFG[9]. This may have some performance cost, and the microcode update is preferred.
It is not sufficient to disable SMT.
refmap.gentoo: https://bugs.gentoo.org/911160
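A posture check for the two mitigations the quoted post names (microcode update, or the DE_CFG[9] chicken bit), written as an added example for this advisory rather than code from the oss-sec post or the distribution. It assumes msr-tools' `rdmsr` with the `msr` kernel module loaded, and it uses MSR address 0xC0011029 for DE_CFG, which comes from the Linux kernel's MSR_AMD64_DE_CFG definition, not from the advisory text.

```shell
#!/bin/sh
# Added example: report whether a Zen-family host has the Zenbleed chicken bit set.
# Assumption (not from the advisory): DE_CFG is MSR 0xC0011029, as defined by the
# Linux kernel's MSR_AMD64_DE_CFG; bit 9 is the workaround bit the post calls DE_CFG[9].
DE_CFG_MSR=0xC0011029

# de_cfg_bit9_set HEX -> exit 0 if bit 9 is set. rdmsr prints bare hex without "0x".
de_cfg_bit9_set() {
    val=$(( 0x$1 ))
    [ $(( (val >> 9) & 1 )) -eq 1 ]
}

# cpuinfo_is_amd_family17h TEXT -> exit 0 for an AMD family 23 (0x17, Zen) CPU.
cpuinfo_is_amd_family17h() {
    printf '%s\n' "$1" | grep -q '^vendor_id[[:space:]]*: AuthenticAMD' &&
    printf '%s\n' "$1" | grep -q '^cpu family[[:space:]]*: 23$'
}

# microcode_revision TEXT -> prints the microcode field of the first CPU entry.
microcode_revision() {
    printf '%s\n' "$1" | awk -F': ' '/^microcode/ { print $2; exit }'
}

# report_host -> reads the live /proc/cpuinfo and DE_CFG of CPU 0 (needs root).
report_host() {
    cpuinfo=$(cat /proc/cpuinfo)
    if ! cpuinfo_is_amd_family17h "$cpuinfo"; then
        echo "not an AMD family 17h CPU; Zenbleed does not apply"
        return 0
    fi
    echo "microcode revision: $(microcode_revision "$cpuinfo")"
    raw=$(rdmsr -p 0 "$DE_CFG_MSR") || { echo "rdmsr failed (root + msr module needed)"; return 2; }
    if de_cfg_bit9_set "$raw"; then
        echo "DE_CFG[9] set: software workaround active (microcode update still preferred)"
    else
        echo "DE_CFG[9] clear: relying on microcode; check the revision against AMD's fixed list"
    fi
}

if [ "${1:-}" = "--run" ]; then
    report_host
fi
```

Run as `sh zenbleed-check.sh --run` with root; the helper functions also work on saved `/proc/cpuinfo` text and `rdmsr` output collected from another host.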