6.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
5.6 Medium
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
28.7%
General-purpose graphics processing unit (GPGPU) platforms from AMD, Apple, and Qualcomm fail to adequately isolate process memory, thereby enabling a local attacker to read memory from other processes. An attacker with access to GPU capabilities using a vulnerable GPUβs programmable interface can access memory that is expected to be isolated from other users and processes.
Graphics processing units (GPUs), originally used to accelerate computer graphics, have today become the standard hardware accelerators for scientific computing and articifical intelligence / machine learning (AI/ML) applications due to their massive parallelism and high memory bandwidth. A GPGPU platform provides the ability to copy CPU memory to the GPU in order to perform these high-end computing tasks. The GPU kernel, essentially a user-provided C-like program that executes on the GPU, performs such intense numerical computations on the memory copied data. Afterwards, the CPU can copy the data back to present to the user or perform other tasds. This GPU-enabled high-performance computing is beneficial in many domains, including the training of artificial neural networks, doing inference on neural networks, and scientific computing. GPGPU platforms are useful in accelerating any task where operations such as matrix multiplication dominate the computation time. While GPGPUs are an essential part of large-scale ML implementations, such as Large Language Models (LLMs), they also serve a role as accelerators in client computing from applications to middleware. Standards, such as OpenCL (Open Computing Language) and Appleβs Metal, are frameworks that provide specifications for enabling such βclose-to-metalβ programming by giving applications direct access to these rich GPU computing capabilities on mobile devices and in high-performance computing datacenters.
Researchers at Trail of Bits have uncovered a vulnerability in which a GPU kernel can observe memory values from a different GPU kernel, even when these two kernels are isolated between applications, processes, or users. The specific region of memory that this behavior was observed is referred to as local memory
, essentially this is a software-managed cache, similar to the L1 cache in CPUs. The size of this memory region can vary across GPUs from 10βs of KB to several MB. Trail of Bits have shown that this vulnerability can be observed through various programming interfaces, including Metal, Vulkan, and OpenCL, on various combinations of operating systems and drivers. Trail of Bitsβ research and testing, utilizing open-source software libraries, have identified platforms from AMD, Apple, and Qualcomm that exhibit this behavior. During the testing phase, this issue was not observed on NVIDIA devices. For further information review the information provided by Apple, AMD and Google in the Vendor Information section.
Researcher Tyler Sorenson, from Tail of Bits, states:
> Due to the fact that most DNN computations (matrix multiplication and convolutions) make heavy use of local memory, the researchers also believe many ML implementations, both in the embedded domain as well as datacenter domain, may be impacted by this vulnerability.
The security researchers at Trail of Bits have labeled this vulnerability LeftoverLocals
in order to identify this vulnerability when discussing across multiple GPU platforms.
The GPU marketplace contains a wide and complex software supply-chain to facilitate the adoption of the advanced capabilities of GPUs. We expect that resolving these issues will require multiple stakeholders from hardware manufacturers, software library providers, programmers, system integrators standards bodies to cooperate. Prior resaerch work in this area has shown that resolving these issues may require a multi-pronged, ongoing-process approach.
An attacker with access to a GPU programmable interface, like OpenCL or Metal, can craft and install a malicious application capable of recording a dump of uninitialized local memory (leftover from an earlier application) that may contain sensitive data. Additionally, the attacker can read data from another GPU kernel that is currently processing data, leading to the leakage of sensitive information considered private to an application, process, or user.
GPU software developers are advised to review their vendor provided updates and use the latest available libraries and security capabilities to protect sensitive data in their applications. GPU software developers are also urged to review their applications for data privacy when leveraging such high-performance computing capabilities.
Review the Vendor Information section for software updates and additional information provided by the vendors, ensure your devices are up to date and have the security protection provided by your vendors.
Tyler Sorensen, along with the ML safety team, of Trail of Bits researched and reported these vulnerabilities. Vendors and the Khronos Group worked closely with us and other stakeholders to enable coordinated disclosure of these vulnerabilities. This document was written by Ben Koo and Vijay Sarvepalli.
446598
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Notified: 2023-09-08 Updated: 2024-01-16
Statement Date: January 11, 2024
CVE-2023-4969 | Affected |
---|
We have not received a statement from the vendor.
Notified: 2023-09-15 Updated: 2024-01-16
Statement Date: September 15, 2023
CVE-2023-4969 | Affected |
---|
We have not received a statement from the vendor.
Notified: 2023-09-08 Updated: 2024-01-16
Statement Date: January 13, 2024
CVE-2023-4969 | Affected |
---|
We want to thank the researchers for their collaboration as this research advances our understanding of these types of threats. Fixes for the issues outlined in this research shipped with the M3 and A17 processors.
Notified: 2024-01-14 Updated: 2024-01-17
Statement Date: January 17, 2024
CVE-2023-4969 | Affected |
---|
Imagination released a fix in their latest DDK release, 23.3, made available to customers in December 2023.
Notified: 2023-09-19 Updated: 2024-01-16
Statement Date: January 08, 2024
CVE-2023-4969 | Affected |
---|
We have not received a statement from the vendor.
Notified: 2023-09-26 Updated: 2024-01-16
Statement Date: October 18, 2023
CVE-2023-4969 | Not Affected |
---|
We have not received a statement from the vendor.
Notified: 2023-09-15 Updated: 2024-01-16
Statement Date: December 05, 2023
CVE-2023-4969 | Not Affected |
---|
Arm has analyzed the PoC and the output it has produced, and has concluded that Mali is unaffected by this issue. The non-zero data seen in the PoC is due to memory reuse from within the process. We can confirm that no data was leaked from one userspace process to another.
Notified: 2023-09-11 Updated: 2024-01-16
Statement Date: September 29, 2023
CVE-2023-4969 | Not Affected |
---|
We have not received a statement from the vendor.
Notified: 2023-09-19 Updated: 2024-01-16
Statement Date: November 15, 2023
CVE-2023-4969 | Not Affected |
---|
CRM:0456000399 Thank you again for submitting this issue to Microsoft. We determined that this behavior is considered to be by design.
We have closed this case.
Notified: 2023-09-11 Updated: 2024-01-16
Statement Date: September 29, 2023
CVE-2023-4969 | Not Affected |
---|
Our development teams investigated this finding and determined we are not affected by this issue.
Notified: 2023-10-03 Updated: 2024-01-16
Statement Date: October 18, 2023
CVE-2023-4969 | Not Affected |
---|
We have not received a statement from the vendor.
Notified: 2023-09-26 Updated: 2024-01-16 CVE-2023-4969 | Unknown |
---|
We have not received a statement from the vendor.
Notified: 2023-09-27 Updated: 2024-01-16 CVE-2023-4969 | Unknown |
---|
We have not received a statement from the vendor.
Notified: 2023-09-26 Updated: 2024-01-16 CVE-2023-4969 | Unknown |
---|
We have not received a statement from the vendor.
Notified: 2023-09-11 Updated: 2024-01-16
Statement Date: September 15, 2023
CVE-2023-4969 | Unknown |
---|
We have not received a statement from the vendor.
Notified: 2023-09-26 Updated: 2024-01-16 CVE-2023-4969 | Unknown |
---|
We have not received a statement from the vendor.
Notified: 2023-09-27 Updated: 2024-01-16 CVE-2023-4969 | Unknown |
---|
We have not received a statement from the vendor.
Notified: 2023-09-19 Updated: 2024-01-16 CVE-2023-4969 | Unknown |
---|
We have not received a statement from the vendor.
Notified: 2023-09-26 Updated: 2024-01-16 CVE-2023-4969 | Unknown |
---|
We have not received a statement from the vendor.
Notified: 2023-09-11 Updated: 2024-01-16 CVE-2023-4969 | Unknown |
---|
We have not received a statement from the vendor.
Notified: 2023-10-02 Updated: 2024-01-16 CVE-2023-4969 | Unknown |
---|
We have not received a statement from the vendor.
Notified: 2023-09-26 Updated: 2024-01-16 CVE-2023-4969 | Unknown |
---|
We have not received a statement from the vendor.
Notified: 2023-09-08 Updated: 2024-01-16 CVE-2023-4969 | Unknown |
---|
We have not received a statement from the vendor.
Notified: 2023-09-26 Updated: 2024-01-16 CVE-2023-4969 | Unknown |
---|
We have not received a statement from the vendor.
Notified: 2024-01-12 Updated: 2024-01-16 CVE-2023-4969 | Unknown |
---|
We have not received a statement from the vendor.
Notified: 2023-09-26 Updated: 2024-01-16 CVE-2023-4969 | Unknown |
---|
We have not received a statement from the vendor.
Notified: 2023-10-05 Updated: 2024-01-16 CVE-2023-4969 | Unknown |
---|
We have not received a statement from the vendor.
Notified: 2023-09-26 Updated: 2024-01-16 CVE-2023-4969 | Unknown |
---|
We have not received a statement from the vendor.
Notified: 2023-10-03 Updated: 2024-01-16 CVE-2023-4969 | Unknown |
---|
We have not received a statement from the vendor.
Notified: 2023-09-26 Updated: 2024-01-16 CVE-2023-4969 | Unknown |
---|
We have not received a statement from the vendor.
Notified: 2023-10-03 Updated: 2024-01-16 CVE-2023-4969 | Unknown |
---|
We have not received a statement from the vendor.
View all 31 vendors __View less vendors __
CVE IDs: | CVE-2023-4969 |
---|---|
API URL: | VINCE JSON |
Date Public: | 2024-01-16 Date First Published: |
arxiv.org/pdf/1605.06610.pdf
devblogs.microsoft.com/directx/announcing-the-opencl-and-opengl-compatibility-pack-for-windows-10-on-arm/
developer.apple.com/documentation/metal/performing_calculations_on_a_gpu
developer.arm.com/Processors/Mali-G78
developer.mozilla.org/en-US/docs/Web/API/WebGPU_API
developer.nvidia.com/cuda-toolkit
dl.acm.org/doi/10.1145/2801153
github.com/Mesa3D/mesa/blob/957009978ef6d7121fc0d710d03bc20097d4d46b/src/amd/vulkan/radv_shader.c#L709
registry.khronos.org/OpenCL/specs/3.0-unified/html/OpenCL_API.html#_fundamental_memory_regions
researchcomputing.princeton.edu/support/knowledge-base/gpu-computing
source.android.com/docs/core/graphics/arch-vulkan
www.amd.com/en/technologies/vulkan
www.imaginationtech.com/product/ge8320/
www.vulkan.org
6.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
5.6 Medium
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
28.7%