oss-sec mailing list archives
Re: CVE-2023-20593: A use-after-free in AMD Zen2 Processors
From: Marc Deslauriers <marc.deslauriers () canonical com>
Date: Mon, 24 Jul 2023 13:41:36 -0400
Hi, There seems to be confusion regarding which is the correct commit:Your blog post says it's 0bc3126c9cfa0b8c761483215c25382f831a7c6f which is for family 17h.
This post says it's b250b32ab1d044953af2dc5e790819a7703b7ee6 which is for family 19h.
I assume the 17h family one is the correct one? Thanks, Marc. On 2023-07-24 10:28, Tavis Ormandy wrote:
Hello, this is CVE-2023-20593, a use-after-free in AMD Zen2 processors. Yes, you read that right :) This includes at least the following products: - AMD Ryzen 3000 Series Processors - AMD Ryzen PRO 3000 Series Processors - AMD Ryzen Threadripper 3000 Series Processors - AMD Ryzen 4000 Series Processors with Radeon Graphics - AMD Ryzen PRO 4000 Series Processors - AMD Ryzen 5000 Series Processors with Radeon Graphics - AMD Ryzen 7020 Series Processors with Radeon Graphics - AMD EPYC 7002 Series Processors I've written a blog post with a detailed description of this bug, it's available here: https://lock.cmpxchg8b.com/zenbleed.html # Background The vector register file (RF) is a resource shared among all tasks on the same physical core. The register allocation table (RAT) keeps track of how RF resources are assigned and mapped to named registers. However, no RF space is needed to store a register with a zero value - a flag called the z-bit can simply be set in the RAT. # Vulnerability If the z-bit is set speculatively, then it would not be sufficient to unset it again on branch misprediction. That's because the previously allocated RF space could have been reallocated between those two events. That would effectively be a UaF. We have discovered that this really can happen under certain specific conditions. Specifically, an instruction that uses merge optimization, a register rename, and a mispredicted VZEROUPPER instruction must enter the FP backend simultaneously. # Impact The practical result here is that you can spy on the registers of other processes. No system calls or privileges are required. It works across virtual machines and affects all operating systems. I have written a poc for this issue that's fast enough to reconstruct keys and passwords as users log in. # Solution AMD have released a patch for this issue available here: https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/commit/?id=b250b32ab1d044953af2dc5e790819a7703b7ee6 There is a software workaround, you can set the chicken bit DE_CFG[9]. This may have some performance cost, and the microcode update is preferred. It is not sufficient to disable SMT. # Credit This bug was discovered by Tavis Ormandy of Google Information Security.
Current thread:
- CVE-2023-20593: A use-after-free in AMD Zen2 Processors Tavis Ormandy (Jul 24)
- Re: CVE-2023-20593: A use-after-free in AMD Zen2 Processors Marc Deslauriers (Jul 24)
- Re: CVE-2023-20593: A use-after-free in AMD Zen2 Processors Jonathan Gray (Jul 25)
- Re: CVE-2023-20593: A use-after-free in AMD Zen2 Processors alice (Jul 25)
- Re: CVE-2023-20593: A use-after-free in AMD Zen2 Processors Eddie Chapman (Jul 25)
- Re: CVE-2023-20593: A use-after-free in AMD Zen2 Processors Matthias Schmidt (Jul 25)
- Re: CVE-2023-20593: A use-after-free in AMD Zen2 Processors Demi Marie Obenour (Jul 25)
- Re: CVE-2023-20593: A use-after-free in AMD Zen2 Processors Lucas Rolff (Jul 25)
- Re: CVE-2023-20593: A use-after-free in AMD Zen2 Processors Jeffrey Walton (Jul 25)
- Re: CVE-2023-20593: A use-after-free in AMD Zen2 Processors alice (Jul 25)
- Re: CVE-2023-20593: A use-after-free in AMD Zen2 Processors Jonathan Gray (Jul 25)
- Re: CVE-2023-20593: A use-after-free in AMD Zen2 Processors Marc Deslauriers (Jul 24)