SUSE Support


Security Vulnerability: CVE-2022-40982: CPU transient information leakage from GATHER instructions aka "Gather Data Sampling" aka "DOWNFALL"

This document (000021170) is provided subject to the disclaimer at the end of this document.

Environment

For a comprehensive list of affected products please review the SUSE CVE announcement:
https://www.suse.com/security/cve/CVE-2022-40982.html

Situation

Security researcher Daniel Moghimi has identified a transient information leakage from GATHER instructions on modern Intel CPUs (Skylake to Tiger Lake generations).

This can be used to leak secret data held in vector registers. Because these instructions are used in memory copy routines, the data passing through the vector registers can in practice be any information in memory. The leak crosses process and privilege boundaries.

Resolution

Intel has released CPU microcode to mitigate this issue. The microcode update is required for the mitigation, and the mitigation is enabled by default once the microcode is present.

SUSE will release updated ucode-intel packages; version 20230808 or newer contains the mitigation.

If no updated CPU microcode is available, the kernel can hide the AVX instructions from CPUID reporting (see clearcpuid=avx below).

Kernel and XEN changes are also being applied to:

- allow disabling the mitigation
- report whether the CPU is affected and the state of the mitigation

SUSE will release kernel and XEN updates.

Mitigation reporting:

The mitigation state is reported via sysfs file:

    /sys/devices/system/cpu/vulnerabilities/gather_data_sampling

The file can report:

- Not affected

  This processor is not vulnerable.

- Vulnerable

  This processor is vulnerable and the mitigation is disabled.

- Vulnerable: No microcode

  This processor is vulnerable and the running microcode does not contain the mitigation.

- Mitigation: Microcode

  This processor is vulnerable and the mitigation is in effect.

- Mitigation: Microcode (locked)

  This processor is vulnerable and the mitigation is in effect and cannot be
  disabled.

- Unknown: Dependent on hypervisor status

  Running on a virtual guest processor that is affected, but there is no way to know whether the host processor is mitigated or vulnerable.
  This can happen if the hypervisor does not expose the necessary MSR registers to guests.

Kernel commandline options:

- gather_data_sampling=off

  Switch off this specific mitigation (the default is "on").

- mitigations=off

  Switch off all CPU transient execution mitigations, including the gather data sampling one.

- clearcpuid=avx

  This option hides the AVX instructions from the CPUID flags, so existing optimized code will
  not use AVX instructions but fall back to other code paths, and so does not expose the vulnerability.
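The sysfs states and command-line options above can be checked from a script. The following is an added example, not part of the SUSE document: it maps the gather_data_sampling text (together with /proc/cmdline) to a verdict, checks the ucode-intel package version against the 20230808 threshold stated above, and reports on the running host. The function names and verdict strings are this example's own choices.

```sh
#!/bin/sh
# Added example, not part of the SUSE document: classify the GDS state that the
# kernel reports in sysfs and flag the command-line options that disable it.
# Function names and verdict strings are this example's own choices.

GDS_SYSFS=/sys/devices/system/cpu/vulnerabilities/gather_data_sampling

# gds_classify STATUS CMDLINE: map the sysfs text (plus /proc/cmdline) to a verdict.
gds_classify() {
    status=$1
    cmdline=$2
    case "$status" in
        "Not affected")               echo not-affected ;;
        "Mitigation: Microcode"*)     echo ok ;;               # also matches "(locked)"
        "Vulnerable: No microcode")   echo needs-microcode ;;
        "Unknown: Dependent on hypervisor status") echo unknown-hypervisor ;;
        "Vulnerable")
            # Separate an administrator's explicit opt-out from an unexpected state.
            case " $cmdline " in
                *" gather_data_sampling=off "*|*" mitigations=off "*) echo disabled-by-cmdline ;;
                *) echo vulnerable ;;
            esac ;;
        *)                            echo unrecognised ;;
    esac
}

# gds_ucode_ok VERSION: the document states ucode-intel 20230808 or newer carries the fix.
gds_ucode_ok() {
    [ "$1" -ge 20230808 ] 2>/dev/null
}

# gds_report: inspect the running host. Returns 0 only when mitigated or not affected.
gds_report() {
    if [ ! -r "$GDS_SYSFS" ]; then
        echo "no $GDS_SYSFS: kernel predates the GDS reporting update" >&2
        return 2
    fi
    status=$(cat "$GDS_SYSFS")
    verdict=$(gds_classify "$status" "$(cat /proc/cmdline)")
    printf 'gather_data_sampling: %s -> %s\n' "$status" "$verdict"
    if command -v rpm >/dev/null 2>&1; then
        ucode=$(rpm -q --qf '%{VERSION}' ucode-intel 2>/dev/null)
        gds_ucode_ok "$ucode" || echo "ucode-intel version '$ucode' is older than 20230808" >&2
    fi
    case "$verdict" in ok|not-affected) return 0 ;; *) return 1 ;; esac
}

# Run with --live on a SUSE host to inspect the real sysfs file and package version.
if [ "${1:-}" = "--live" ]; then gds_report; fi
```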

Status

Security Alert

Additional Information

https://www.suse.com/security/cve/CVE-2022-40982.html
https://downfall.page/
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00828.html

Performance Considerations

The mitigation impacts the performance of the GATHER instructions in the AVX2 and AVX512 instruction sets, and potentially of operations that the CPU translates internally to use these vector instructions (e.g. potentially REP MOVS, or other instruction sets like SSE).

According to the linked Intel advisory:
"When the mitigation is enabled, there is additional latency before results of the gather load can be consumed. Although the performance impact to most workloads is minimal, specific workloads may show performance impacts of up to 50%."

See above on how to disable the mitigation if you operate on a trusted system.

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 000021170
  • Creation Date: 14-Aug-2023
  • Modified Date: 07-Sep-2023
