Security vulnerabilities: Side-channel information leaks / denial of service attack against MMIO registers

This document (000020669) is provided subject to the disclaimer at the end of this document.

Environment

For a comprehensive list of affected products please review the mentioned SUSE CVE announcements.

Situation

Security researchers and Intel engineers have identified several transient execution side-channel information leak attacks and one denial of service attack when accessing MMIO registers.

Multiple flavours of these issues have been identified:

- Device Register Partial Write (DRPW) / CVE-2022-21166:

  Some endpoint MMIO registers incorrectly handle writes that are smaller than the register size. Instead of
  aborting the write or only copying the correct subset of bytes (for example, 2 bytes for a 2-byte write), more bytes
  than specified by the write transaction may be written to the register. On some processors, this may expose stale
  data from the fill buffers of the core that created the write transaction.

  This issue is mitigated using CPU Microcode and Operating System (kernel) code changes.

- Update to Special Register Buffer Data Sampling / CVE-2022-21127:

  The RDRAND, RDSEED and SGX EGETKEY instructions use the low bandwidth MMIO interface, and their content
  could be sampled using side-channel information leak methods.

  This issue is being mitigated with CPU Microcode updates.

- Shared Buffers Data Sampling (SBDS) / CVE-2022-21125:

  Propagators may have moved data around the uncore and copied stale data into client core fill buffers.
  Processors affected by MFBDS can then leak that data from the fill buffers.

  This issue is mitigated using CPU Microcode and Operating System (kernel) code changes.

- Shared Buffers Data Read (SBDR) / CVE-2022-21123:

  It is similar to Shared Buffers Data Sampling (SBDS) except that the data is directly read into the architectural
  software-visible state.

  This issue is mitigated using CPU Microcode and Operating System (kernel) code changes.

- Undefined MMIO Hang / CVE-2022-21180:

  While not directly related to side-channel information leaks, overly long MMIO reads to short MMIO registers could
  lead to machine hangs, causing a denial of service.

  This will be fixed by filtering out overly long MMIO reads in kernel / hypervisor software.

Resolution

- An updated Intel CPU Microcode was already published in the Intel IPU
  2022.1 release, released by SUSE in "ucode-intel" version 20220510 packages.

- SUSE will release kernel updates to mitigate the leaks.

A new kernel boot command-line option will be introduced, called "mmio_stale_data".

Configuration:

- mmio_stale_data=off

  Mitigation is disabled.

- mmio_stale_data=full

  Mitigation is enabled, but SMT is still enabled so information might leak on the same CPU core.

- mmio_stale_data=full,nosmt

  Mitigation is enabled, and SMT is disabled so the mitigation is complete.

Note that this option is also covered by the generic "mitigations" option.


Status

Security Alert

Additional Information

Reporting:

A new sysfs file /sys/devices/system/cpu/vulnerabilities/mmio_stale_data is created, reporting mitigation status.

- Vulnerable

  System is vulnerable, no mitigation enabled.

- Vulnerable: Clear CPU buffers attempted, no microcode

  The system needs a CPU Microcode update. Check out ucode-intel 20220510 or newer. However, if it is an
  older CPU, Intel might no longer deliver CPU Microcode updates.

- Mitigation: Clear CPU buffers; SMT Host state unknown

  The CPU buffer clearing mitigation is enabled, but the hyper-threading mitigation status is unknown.

- Mitigation: Clear CPU buffers; SMT vulnerable

  The CPU buffer clearing mitigation is enabled, but hyper-threading is active, so information leaks can
  still happen on the same CPU core.

- Mitigation: Clear CPU buffers; SMT disabled

  The CPU buffer clearing mitigation is enabled, and hyper-threading is disabled, so the issue is fully mitigated.
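
An added example, not part of the SUSE document: a shell check that maps the sysfs status strings listed above and the "mmio_stale_data" boot option to a single verdict. The function names and verdict labels are this example's own, and the "Not affected" case is not listed on this page.

```shell
#!/bin/sh
SYSFS_FILE=/sys/devices/system/cpu/vulnerabilities/mmio_stale_data

# Map a sysfs status line to a short verdict (labels are this example's own).
# Prefix patterns tolerate extra detail appended after the known text.
classify_mmio_status() {
    case "$1" in
        "Mitigation: Clear CPU buffers; SMT disabled"*)           echo mitigated ;;
        "Mitigation: Clear CPU buffers; SMT vulnerable"*)         echo partial-smt-active ;;
        "Mitigation: Clear CPU buffers; SMT Host state unknown"*) echo partial-smt-unknown ;;
        "Vulnerable: Clear CPU buffers attempted, no microcode"*) echo needs-microcode ;;
        "Vulnerable"*)                                            echo vulnerable ;;
        "Not affected"*)  echo not-affected ;;  # unaffected CPU; not listed on this page
        *)                echo unrecognized ;;
    esac
}

# Print the mmio_stale_data= value from a kernel command line string.
# Assumption: if the option is repeated, this example takes the last one.
cmdline_mmio_option() (
    set -f                      # no globbing while word-splitting $1
    value=""
    for word in $1; do
        case "$word" in
            mmio_stale_data=*) value=${word#mmio_stale_data=} ;;
        esac
    done
    printf '%s\n' "$value"
)

# $1 = sysfs status line, $2 = kernel command line.
# Prints a summary; returns 0 only when no further action is needed.
check_mmio() {
    verdict=$(classify_mmio_status "$1")
    opt=$(cmdline_mmio_option "$2")
    echo "status=$verdict boot_option=${opt:-unset}"
    [ "$verdict" = mitigated ] || [ "$verdict" = not-affected ]
}

if [ -r "$SYSFS_FILE" ] && [ -r /proc/cmdline ]; then
    check_mmio "$(cat "$SYSFS_FILE")" "$(cat /proc/cmdline)" \
        || echo "action needed: see the status descriptions above"
else
    echo "$SYSFS_FILE not readable on this system"
fi
```

A non-zero return from check_mmio makes the function usable as a compliance gate in configuration management or monitoring.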

References:

- https://www.suse.com/security/cve/CVE-2022-21166
- https://www.suse.com/security/cve/CVE-2022-21127
- https://www.suse.com/security/cve/CVE-2022-21123
- https://www.suse.com/security/cve/CVE-2022-21125
- https://www.suse.com/security/cve/CVE-2022-21180
- https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/undefined-mmio-hang.html
- https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/processor-mmio-stale-data-vulnerabilities.html

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 000020669
  • Creation Date: 15-Jun-2022
  • Modified Date: 15-Jun-2022
    • SUSE Linux Enterprise Server
    • SUSE Linux Enterprise Server for SAP Applications
    • SUSE Linux Enterprise Micro
    • SUSE Linux Enterprise HPC
