Xen Project: XSA-439
History: Sep 25, 2023 - 4:03 p.m.

x86/AMD: Divide speculative information leak

2023-09-25 16:03:00
Xen Project
xenbits.xen.org
Tags: x86, amd, speculative leak, zen1, microarchitecture, covert channel, speculative execution, security vulnerability, xen

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

17.6%

ISSUE DESCRIPTION

In the Zen1 microarchitecture, there is one divider in the pipeline which services uops from both threads. In the case of #DE, the latched result from the previous DIV to execute will be forwarded speculatively.
This is a covert channel that allows two threads to communicate without any system calls. It also allows userspace to obtain the result of the most recent DIV instruction executed (even speculatively) in the core, which can be from a higher privilege context.
For more information, see: https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7007.html

IMPACT

An attacker might be able to infer data from a different execution context on the same CPU core.

VULNERABLE SYSTEMS

All versions of Xen are vulnerable.
Only AMD Zen1 CPUs are believed to be vulnerable.
