Zen 1 Vulnerability AMD Patchwork Proved Weak, Second Pass Issued

According to the findings, AMD's CPU may have kept "stale quotient data" within its registers even after the patchwork was over.


AMD engineers had already patched their Zen 1 "Division by Zero" bug, but that was not the end of their problems: the company released a patch quickly, perhaps a little too quickly, says Borislav Petkov, an AMD Linux engineer. Petkov apparently wrote the original fix himself and describes its shortcoming in the statement accompanying his revised patch. It is just another example of how hard it is to close potential attack routes.

According to the findings, AMD's CPU may have kept "stale quotient data" within its registers even after the patchwork was over, consequently leaving attackers a window in which to retrieve private information. The original fix was to conduct a final "dummy division 0/1 before returning from the #DE exception handler." The idea is quite straightforward: after completing the 0/1 division, which always yields zero, any remaining old data would be overwritten.

The drawback of the fix, as Petkov explains, was that the speculative execution attack would have progressed too far by the time the security feature took effect. Stale data would already be sitting in AMD's divider, and attackers could access it before the dummy division kicked in.

Petkov notes that his new solution now performs that same division in several more places:

"Initially, it was thought that doing an innocuous division in the #DE handler would take care to prevent any leaking of old data from the divider but by the time the fault is raised, the speculation has already advanced too far and such data could already have been used by younger operations," says Petkov. "Therefore, do the innocuous division on every exit to userspace so that userspace doesn't see any potentially old data from integer divisions in kernel space [...] Do the same before VMRUN too, to protect host data from leaking into the guest too."
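As an added illustration (not code from the article, from Petkov, or from the Linux kernel), the C program below performs the same innocuous 0/1 DIV in user space so its operand handling is visible, and checks a cpuinfo `bugs` line for a `div0` flag, which is assumed here to be the name mainline Linux reports for the affected parts; the cpuinfo text is constructed sample data.

```c
#include <stdio.h>
#include <string.h>
/* The innocuous 0/1 division the kernel mitigation issues, done in user space
 * so the operands are visible; returns quotient + remainder, which is always 0. */
unsigned long clear_divider(void)
{
    unsigned long quotient = 0, remainder = 0;
#if defined(__x86_64__)
    unsigned long divisor = 1;                  /* rdx:rax = 0, divided by 1 */
    __asm__ volatile("div %2" : "+a"(quotient), "+d"(remainder)
                     : "r"(divisor) : "cc");
#else
    quotient = 0UL / 1UL;                       /* plain fallback off x86-64 */
#endif
    return quotient + remainder;
}

/* Constructed /proc/cpuinfo excerpt (sample data, not captured from a host). */
static const char sample_cpuinfo[] =
    "bugs\t\t: sysret_ss_attrs spectre_v1 spectre_v2 div0\n"
    "bogomips\t: 6400.00\n";

/* Return 1 if the "bugs" line of cpuinfo text lists flag as a whole token. */
int cpuinfo_has_bug(const char *cpuinfo, const char *flag)
{
    size_t flen = strlen(flag);
    const char *line = cpuinfo;
    while (line && *line) {
        const char *eol = strchr(line, '\n');
        const char *end = eol ? eol : line + strlen(line);
        if (strncmp(line, "bugs", 4) == 0) {
            const char *p = memchr(line, ':', (size_t)(end - line));
            while (p && p < end) {
                while (p < end && (*p == ':' || *p == ' ' || *p == '\t')) p++;
                const char *tok = p;                /* one whitespace-delimited flag */
                while (p < end && *p != ' ' && *p != '\t') p++;
                if ((size_t)(p - tok) == flen && memcmp(tok, flag, flen) == 0)
                    return 1;
            }
        }
        line = eol ? eol + 1 : NULL;
    }
    return 0;
}

int main(void)
{
    printf("dummy division result: %lu, sample cpuinfo lists div0: %d\n",
           clear_divider(), cpuinfo_has_bug(sample_cpuinfo, "div0"));
    return 0;
}
```

On a live host, feed the contents of /proc/cpuinfo to `cpuinfo_has_bug` to see whether the kernel has flagged the CPU as affected.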

Taken together, these cases show how busy a month it has been for CPU vulnerabilities, for both AMD and Intel. From Intel's severe Downfall vulnerability (affecting Skylake through Tiger Lake/Rocket Lake) to AMD's SQUIP and Inception vulnerabilities and the now re-fixed "divide by zero" vulnerability, researchers have shown much determination in solving the issues.

However, while these new issues are all related to speculative execution, none of them comes close to the scale of the Meltdown and Spectre era. Speculative execution is how contemporary CPUs predict upcoming instructions and execute them before they are actually required, so that the needed results are already available if that execution path is taken. Although the remedies for several of those vulnerabilities came with (often significant) performance costs, it is at least encouraging that AMD's 0/1 dummy division carries no additional cost.
