oss-sec mailing list archives

Re: CVE-2023-20593: A use-after-free in AMD Zen2 Processors

From: "Eddie Chapman" <eddie () ehuk net>
Date: Tue, 25 Jul 2023 18:12:44 +0100

alice wrote:

this is a disaster of a security announcement from AMD. nothing is fixed
except for epyc. the only workaround anyone really has is the chicken bit,
thankfully.


Yes, very disappointing. Pure speculation; perhaps they were planning on
disclosing at the end of the year with full set of Microcode ready but
something we don't know (yet) forced them to disclose early. Who knows.

Very unscientific and limited test but I just compiled qemu 7.2.4 on a
gentoo workstation with a Ryzen 7 3700X (Zen 2) running linux kernel
5.15.119. Took 5 min 37s. Rebooted into 5.15.122 with the chicken bit fix
(confirmed in dmesg appears to be applied), compiled qemu again, this time
it took 5 min 25s. So my initial impression is the chicken bit fix is fine
in general but remains to be seen if certain workloads significantly
impacted I guess.

Current thread:

CVE-2023-20593: A use-after-free in AMD Zen2 Processors Tavis Ormandy (Jul 24)
- Re: CVE-2023-20593: A use-after-free in AMD Zen2 Processors Marc Deslauriers (Jul 24)
  - Re: CVE-2023-20593: A use-after-free in AMD Zen2 Processors Jonathan Gray (Jul 25)
    - Re: CVE-2023-20593: A use-after-free in AMD Zen2 Processors alice (Jul 25)
    - Re: CVE-2023-20593: A use-after-free in AMD Zen2 Processors Eddie Chapman (Jul 25)
    - Re: CVE-2023-20593: A use-after-free in AMD Zen2 Processors Matthias Schmidt (Jul 25)
    - Re: CVE-2023-20593: A use-after-free in AMD Zen2 Processors Demi Marie Obenour (Jul 25)
    - Re: CVE-2023-20593: A use-after-free in AMD Zen2 Processors Lucas Rolff (Jul 25)
    - Re: CVE-2023-20593: A use-after-free in AMD Zen2 Processors Jeffrey Walton (Jul 25)
    - Re: CVE-2023-20593: A use-after-free in AMD Zen2 Processors alice (Jul 25)
- Re: CVE-2023-20593: A use-after-free in AMD Zen2 Processors Solar Designer (Jul 25)