Security Vulnerability: CVE-2022-40982: CPU transient information leakage from GATHER instructions aka "Gather Data Sampling" aka "DOWNFALL"
This document (000021170) is provided subject to the disclaimer at the end of this document.
Environment
For a comprehensive list of affected products please review the SUSE CVE announcement:
https://www.suse.com/security/cve/CVE-2022-40982.html
https://www.suse.com/security/cve/CVE-2022-40982.html
Situation
Security researcher Daniel Moghimi has identified a transient information leakage from GATHER instructions on modern Intel CPUs (Skylake to Tiger Lake generations).
This can be used to leak secret data contained in vector registers, which due to use of these instructions in memory copy operations can basically be all information. This information leak can cross process and privilege boundaries.
This can be used to leak secret data contained in vector registers, which due to use of these instructions in memory copy operations can basically be all information. This information leak can cross process and privilege boundaries.
Resolution
Intel has released CPU Microcode to mitigate these issues. The CPU Microcode is mandatory for mitigation, the mitigation is default enabled.
SUSE will release updated ucode-intel packages, version 20230808 or newer contain the mitigations.
If there is no CPU Microcode available, the "avx" instructions can be hidden from CPUID reporting by the kernel.
Also kernel and XEN changes are being applied, to:
- allow disabling the mitigation
- reporting affectedness of the CPU and state of the mitigation
SUSE will release kernel and XEN updates.
Mitigation reporting:
The mitigation state is reported via sysfs file:
/sys/devices/system/cpu/vulnerabilities/gather_data_sampling
The file can report:
- Not affected
This processor not vulnerable.
- Vulnerable
This processor is vulnerable and the mitigation is disabled.
- Vulnerable: No microcode
This processor is vulnerable and the microcode is missing mitigation.
- Mitigation: Microcode
This processor is vulnerable and the mitigation is in effect.
- Mitigation: Microcode (locked)
This processor is vulnerable and the mitigation is in effect and cannot be
disabled.
- Unknown: Dependent on hypervisor status
Running on a virtual guest processor that is affected but with no way to know if host processor is mitigated or vulnerable.
This can happen if the hypervisor does not expose necessary MSR registers to guests.
Kernel commandline options:
- gather_data_sampling=off
Switch off this specific mitigation (the default is "on").
- mitigations=off
Switch off all CPU transient execution mitigations, including the gather data sampling one.
- clearcpuid=avx
This option hides the AVX instructions from CPUID flags, so existing optimized code will
not use AVX instructions, fallback to other variants and so not expose the vulnerability.
SUSE will release updated ucode-intel packages, version 20230808 or newer contain the mitigations.
If there is no CPU Microcode available, the "avx" instructions can be hidden from CPUID reporting by the kernel.
Also kernel and XEN changes are being applied, to:
- allow disabling the mitigation
- reporting affectedness of the CPU and state of the mitigation
SUSE will release kernel and XEN updates.
Mitigation reporting:
The mitigation state is reported via sysfs file:
/sys/devices/system/cpu/vulnerabilities/gather_data_sampling
The file can report:
- Not affected
This processor not vulnerable.
- Vulnerable
This processor is vulnerable and the mitigation is disabled.
- Vulnerable: No microcode
This processor is vulnerable and the microcode is missing mitigation.
- Mitigation: Microcode
This processor is vulnerable and the mitigation is in effect.
- Mitigation: Microcode (locked)
This processor is vulnerable and the mitigation is in effect and cannot be
disabled.
- Unknown: Dependent on hypervisor status
Running on a virtual guest processor that is affected but with no way to know if host processor is mitigated or vulnerable.
This can happen if the hypervisor does not expose necessary MSR registers to guests.
Kernel commandline options:
- gather_data_sampling=off
Switch off this specific mitigation (the default is "on").
- mitigations=off
Switch off all CPU transient execution mitigations, including the gather data sampling one.
- clearcpuid=avx
This option hides the AVX instructions from CPUID flags, so existing optimized code will
not use AVX instructions, fallback to other variants and so not expose the vulnerability.
Status
Security Alert
Additional Information
https://www.suse.com/security/cve/CVE-2022-40982.html
https://downfall.page/
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00828.html
Performance Considerations
The mitigation impacts performance of the GATHER parts of the AVX2 and AVX512 instructions, and potentially operations that are translated within the CPU to use these vector instructions (e.g. potentially REP MOVS, or other instruction sets like SSE).
According to the linked Intel INTEL Advisory:
"When the mitigation is enabled, there is additional latency before results of the gather load can be consumed. Although the performance impact to most workloads is minimal, specific workloads may show performance impacts of up to 50%."
See above on how to disable the mitigation if you operate on a trusted system.
https://downfall.page/
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00828.html
Performance Considerations
The mitigation impacts performance of the GATHER parts of the AVX2 and AVX512 instructions, and potentially operations that are translated within the CPU to use these vector instructions (e.g. potentially REP MOVS, or other instruction sets like SSE).
According to the linked Intel INTEL Advisory:
"When the mitigation is enabled, there is additional latency before results of the gather load can be consumed. Although the performance impact to most workloads is minimal, specific workloads may show performance impacts of up to 50%."
See above on how to disable the mitigation if you operate on a trusted system.
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:000021170
- Creation Date: 07-Sep-2023
- Modified Date:07-Sep-2023
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com
