Bug 2217845 (CVE-2023-20593, zenbleed)

Summary: CVE-2023-20593 hw: amd: Cross-Process Information Leak
Product: [Other] Security Response Reporter: Rohit Keshri <rkeshri>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: acaringi, allarkin, arun, bhu, chwhite, dbohanno, ddepaula, debarbos, dfreiber, dvlasenk, esyr, ezulian, fandrieu, fweimer, germano.massullo, hartsjc, henrik.henriksson, hkrzesin, jarod, jburrell, jdenham, jfaracco, jferlan, jforbes, jlelli, joe.lawrence, jpoimboe, jshortt, jstancek, jwyatt, kcarcia, kcook34, kernel-mgr, kilian, ldoskova, lgoncalv, lleshchi, lzampier, mcascell, mdogra, mpanaous, mtonneso, mvanderw, nbertolus, ngalvin, nmurray, pratshar, ptalbert, qzhao, redhat-bugzilla, rik.theys, robert.derooy, robert.scheck, rogbas, rparrazo, rrobaina, rvrbovsk, rysulliv, sbalasub, scweaver, security-response-team, swood, tglozar, toracat, tyberry, vkumar, walters, wcosta, williams, wmealing, ycote, ymankad, youssef.ghorbal
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in hw, in “Zen 2” CPUs. This issue may allow an attacker to access sensitive information under specific microarchitectural circumstances.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2226820, 2226821, 2226822, 2226823, 2226824, 2226826, 2226827, 2226828, 2226829, 2226830, 2226831, 2226832, 2226833, 2226834, 2226835, 2226836, 2226837, 2226838, 2226839, 2226840, 2226841, 2226842, 2226860, 2227144, 2227145, 2227146, 2227147, 2227148, 2227149, 2227150, 2227151, 2227152, 2227153, 2227154, 2227155, 2227156, 2226819, 2226843    
Bug Blocks: 2180682    

Description Rohit Keshri 2023-06-27 09:25:13 UTC 
An issue in “Zen 2” CPUs, under specific microarchitectural circumstances, may allow an attacker to potentially access sensitive information.

Under specific microarchitectural circumstances, a register in “Zen 2” CPUs may not be written to 0 correctly. This may cause data from another process and/or thread to be stored in the YMM register, which may allow an attacker to potentially access sensitive information.

Refer:
https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7008.html
Comment 1 Rohit Keshri 2023-06-27 09:44:50 UTC 
Affected Products:

“Zen 2” Architecture-based Client and Server platforms

Desktop
AMD RyzenTM 3000 Series Processors
AMD RyzenTM PRO 3000 Series Processors
AMD RyzenTM ThreadripperTM 3000 Series Processors
AMD RyzenTM 4000 Series Processors with RadeonTM Graphics
AMD RyzenTM PRO 4000 Series Desktop Processors

Mobile
AMD RyzenTM 5000 Series Processors with RadeonTM Graphics
AMD RyzenTM 7020 Series Processors with RadeonTM Graphics

Datacenter
AMD EPYCTM 7002 Processors
Comment 10 Youssef Ghorbal 2023-07-26 13:32:48 UTC 
Hello,

 I'm not sure what info are needed to move forward and issue a linux-firmware package including the upstream fix.
 The technical details of the issue are here [0]
 The upstream fix is here [1]

 Its weird that the Red Hat related page[2] states that none of RHEL versions are affected.
 
Youssef Ghorbal

[0] https://lock.cmpxchg8b.com/zenbleed.html
[1] https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/commit/?id=0bc3126c9cfa0b8c761483215c25382f831a7c6f
[2] https://access.redhat.com/security/cve/cve-2023-20593
Comment 12 Kilian Cavalotti 2023-07-26 15:27:37 UTC 
https://access.redhat.com/security/cve/cve-2023-20593 lists kernel packages as "not affected", which is both true and completely irrelevant: CVE-2023-20593 is not a kernel issue (even though some kernel-side mitigations exist), it's a CPU problem and the fix is a microcode update.

Could we please get a linux-firmware update that contains the updated µcode in https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/commit/?id=0bc3126c9cfa0b8c761483215c25382f831a7c6f?

Debian already released an updated amd64-microsode package 2 days ago, so with Red Hat still not having even correctly assessed the issue, let alone provided any fix or mitigation, it's hard for customers to understand the value of paying an Enterprise support license in the hope of getting timely security updates. Or support.
Comment 13 Rohit Keshri 2023-07-26 16:37:27 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2226819]
Comment 22 Justin M. Forbes 2023-08-07 21:31:42 UTC 
This was fixed for Fedora with the 6.4.6 stable kernel updates.
Comment 24 rderooy.lxp 2023-08-09 12:11:59 UTC 
If this was fixed in the Fedora 6.4.6 kernel then:

- How come the release nodes for this kernel (or newer kernels up to 6.4.8) make no mention of it
- How was this fixed in a kernel update when this is actually a CPU microcode issue? Was the "chicken bit" workaround integrated into the kernel?

The actual microcode fix should be released as part of a new linux-firmware-20230804-152 package, which right now for Fedora is still in "Testing".
https://packages.fedoraproject.org/pkgs/linux-firmware/linux-firmware/

When can we expect this updated firmware package, to actually fix this issue, to be released for RHEL? After all this CVE has been public since the 24th of July.
Comment 25 Youssef Ghorbal 2023-08-16 09:18:20 UTC 
So Fedora is getting security fixes faster that RHEL now?
Seriously what's the point of beeing a paying RHEL curtomer?
What's the plan for this to be fixed in RHEL? Are we talking day? weeks?