Date: Mon, 24 Jul 2023 07:28:18 -0700 From: Tavis Ormandy <taviso@...il.com> To: oss-security@...ts.openwall.com Subject: CVE-2023-20593: A use-after-free in AMD Zen2 Processors Hello, this is CVE-2023-20593, a use-after-free in AMD Zen2 processors. Yes, you read that right :) This includes at least the following products: - AMD Ryzen 3000 Series Processors - AMD Ryzen PRO 3000 Series Processors - AMD Ryzen Threadripper 3000 Series Processors - AMD Ryzen 4000 Series Processors with Radeon Graphics - AMD Ryzen PRO 4000 Series Processors - AMD Ryzen 5000 Series Processors with Radeon Graphics - AMD Ryzen 7020 Series Processors with Radeon Graphics - AMD EPYC 7002 Series Processors I've written a blog post with a detailed description of this bug, it's available here: https://lock.cmpxchg8b.com/zenbleed.html # Background The vector register file (RF) is a resource shared among all tasks on the same physical core. The register allocation table (RAT) keeps track of how RF resources are assigned and mapped to named registers. However, no RF space is needed to store a register with a zero value - a flag called the z-bit can simply be set in the RAT. # Vulnerability If the z-bit is set speculatively, then it would not be sufficient to unset it again on branch misprediction. That's because the previously allocated RF space could have been reallocated between those two events. That would effectively be a UaF. We have discovered that this really can happen under certain specific conditions. Specifically, an instruction that uses merge optimization, a register rename, and a mispredicted VZEROUPPER instruction must enter the FP backend simultaneously. # Impact The practical result here is that you can spy on the registers of other processes. No system calls or privileges are required. It works across virtual machines and affects all operating systems. I have written a poc for this issue that's fast enough to reconstruct keys and passwords as users log in. # Solution AMD have released a patch for this issue available here: https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/commit/?id=b250b32ab1d044953af2dc5e790819a7703b7ee6 There is a software workaround, you can set the chicken bit DE_CFG. This may have some performance cost, and the microcode update is preferred. It is not sufficient to disable SMT. # Credit This bug was discovered by Tavis Ormandy of Google Information Security. -- _o) $ lynx lock.cmpxchg8b.com /\\ _o) _o) $ finger taviso@....org _\_V _( ) _( ) @taviso Download attachment "zenbleed-v5.tar.gz" of type "application/gzip" (11790 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.