Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <ZL6Kgih+pRaeA2e/@thinkstation.cmpxchg8b.net>
Date: Mon, 24 Jul 2023 07:28:18 -0700
From: Tavis Ormandy <taviso@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2023-20593: A use-after-free in AMD Zen2 Processors

Hello, this is CVE-2023-20593, a use-after-free in AMD Zen2 processors.

Yes, you read that right :)

This includes at least the following products:

- AMD Ryzen 3000 Series Processors
- AMD Ryzen PRO 3000 Series Processors
- AMD Ryzen Threadripper 3000 Series Processors
- AMD Ryzen 4000 Series Processors with Radeon Graphics
- AMD Ryzen PRO 4000 Series Processors
- AMD Ryzen 5000 Series Processors with Radeon Graphics
- AMD Ryzen 7020 Series Processors with Radeon Graphics
- AMD EPYC 7002 Series Processors

I've written a blog post with a detailed description of this bug,
it's available here:

https://lock.cmpxchg8b.com/zenbleed.html

# Background

The vector register file (RF) is a resource shared among all tasks on
the same physical core. The register allocation table (RAT) keeps track
of how RF resources are assigned and mapped to named registers. However,
no RF space is needed to store a register with a zero value - a flag
called the z-bit can simply be set in the RAT.

# Vulnerability

If the z-bit is set speculatively, then it would not be sufficient to
unset it again on branch misprediction. That's because the previously
allocated RF space could have been reallocated between those two events.
That would effectively be a UaF.

We have discovered that this really can happen under certain specific
conditions. Specifically, an instruction that uses merge optimization, a
register rename, and a mispredicted VZEROUPPER instruction must enter
the FP backend simultaneously.

# Impact

The practical result here is that you can spy on the registers of other
processes. No system calls or privileges are required.

It works across virtual machines and affects all operating systems.

I have written a poc for this issue that's fast enough to reconstruct
keys and passwords as users log in.

# Solution

AMD have released a patch for this issue available here:

https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/commit/?id=b250b32ab1d044953af2dc5e790819a7703b7ee6

There is a software workaround, you can set the chicken bit DE_CFG[9].
This may have some performance cost, and the microcode update is
preferred.

It is not sufficient to disable SMT.

# Credit

This bug was discovered by Tavis Ormandy of Google Information Security.


-- 
 _o)            $ lynx lock.cmpxchg8b.com
 /\\  _o)  _o)  $ finger taviso@....org
_\_V _( ) _( )  @taviso

Download attachment "zenbleed-v5.tar.gz" of type "application/gzip" (11790 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.