Re: CVE-2023-20593: A use-after-free in AMD Zen2 Processors

[Jeffrey Walton <noloader () gmail com>]

On Tue, Jul 25, 2023 at 2:14 PM Demi Marie Obenour
<demi () invisiblethingslab com> wrote:
> On Tue, Jul 25, 2023 at 06:12:44PM +0100, Eddie Chapman wrote:
> > alice wrote:
> > > this is a disaster of a security announcement from AMD. nothing is fixed
> > > except for epyc. the only workaround anyone really has is the chicken bit,
> > > thankfully.
> >
> > Yes, very disappointing. Pure speculation; perhaps they were planning on
> > disclosing at the end of the year with full set of Microcode ready but
> > something we don't know (yet) forced them to disclose early. Who knows.
>
> Does AMD make OS-loadable μcode patches available for client platforms,
> or must all μcode loading on clients be done by the firmware?  If the
> latter, then it will take a very long time for clients to get patched,
> even if AMD released the updates promptly.  Also, server platforms can
> usually reflash the firmware via the BMC, but client platforms do not
> have this option.

Related, Ubuntu released an updated amd64-microcode around (or before)
1:45 PM EST today. My Ubuntu machines have already been patched.

I was kind of surprised to see how quickly it landed.

Jeff