Gather Data Sampling vulnerability (GDS) - CVE-2022-40982

Environment

  • Red Hat Enterprise Linux
  • Selected Intel CPUs

Issue

Gather Data Sampling (GDS) (also known as “Downfall”) is a transient execution side-channel vulnerability affecting certain Intel CPUs. It may allow an attacker to mount a data sampling attack, similar to Microarchitectural Data Sampling (MDS), to retrieve stale data from previously used AVX2 or AVX-512 vector registers. In the worst-case scenario, such an attack can be used to extract cryptographic keys.

Resolution

The vulnerability is mitigated by installing updated CPU microcode: use the microcode_ctl package provided by Red Hat, release version 20230808 or more recent.

Once the microcode has been installed, the mitigation is enabled by default on affected CPUs, irrespective of the installed kernel version.

In addition to the microcode, updating the kernel is also recommended: the updated kernel reports the vulnerability and mitigation status (see Diagnostic Steps below) and adds the ability to disable the mitigation.

Root Cause

Gather is a feature of Intel Advanced Vector Extensions 2 (Intel AVX2) and Intel Advanced Vector Extensions 512 (Intel AVX-512): a family of single-instruction, multiple-data (SIMD) instructions that read non-contiguous data from memory using vector-index memory addressing. It's important to note that Downfall does not impact AVX* instructions in general. It only impacts the vgather* instructions, which are a tiny subset of the AVX* instructions.

When a gather instruction performs loads from memory, in some situations stale data from previous usage of the vector registers may be transiently forwarded to dependent instructions because of a CPU hardware optimization. This allows an attacker to infer stale data from previously used vector registers.

The scope of stale data exposure is limited to the same physical processor core. An attacker with local code execution permissions may observe stale data on a sampling basis (similar to Microarchitectural Data Sampling) but cannot directly control or specify the source of the stale data.

Data processed by AVX instructions, or by instructions that use the internal vector registers implicitly (for example, REP MOVS), may be exposed to subsequent GDS attacks.

Performance Impact

The performance impact of the microcode mitigation is limited to applications that use the gather instructions provided by Intel Advanced Vector Extensions (AVX2 and AVX-512) and the CLWB instruction. Actual performance impact will depend on how heavily an application uses those instructions. Red Hat’s internal performance testing of a worst-case microbenchmark showed a significant slowdown. However, more realistic applications that utilize vector gathering showed only low single-digit percentage slowdowns.

If, after a thorough risk analysis (for example, the system isn’t multi-tenant and doesn’t execute untrusted code), the user decides to disable the mitigation, this can be done after applying the microcode and kernel updates by adding gather_data_sampling=off to the kernel command line.
Alternatively, mitigations=off disables all CPU speculative execution mitigations, including GDS.

Note that the CLWB performance loss is permanent on Skylake architectures: even disabling the mitigation will not recover the original performance.

For more information about this issue, please consult the following Intel material:
- Gather Data Sampling Technical Paper
- Intel Security Advisory INTEL-SA-00828

Diagnostic Steps

After applying the microcode and kernel updates, the mitigation status can be checked by running one of the following commands:

# dmesg | grep "GDS: "
[    0.162571] GDS: Mitigation: Microcode

# cat /sys/devices/system/cpu/vulnerabilities/gather_data_sampling
Mitigation: Microcode
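The two commands above give a per-host answer; on a fleet it is more useful to turn that answer into an exit code. The following POSIX sh script is an added example, not code from the Red Hat article: it reads the sysfs file and the "GDS: " kernel log line named above, checks /proc/cmdline for gather_data_sampling=off or mitigations=off, and maps the result to a verdict. The only status string the article shows is "Mitigation: Microcode"; the other strings matched below are the wording used by the upstream kernel's gather_data_sampling reporting (assumption: your kernel uses the same wording; anything unrecognised is reported as such rather than guessed).

```shell
#!/bin/sh
# Added example (not from the Red Hat article): GDS mitigation status checker.
# Reads the sysfs file and "GDS: " dmesg line from the Diagnostic Steps plus
# /proc/cmdline, and returns an exit code usable in a compliance scan.
# Status strings other than "Mitigation: Microcode" are assumed to match the
# upstream kernel's gather_data_sampling wording.

GDS_SYSFS=/sys/devices/system/cpu/vulnerabilities/gather_data_sampling

# gds_classify STATUS
# Prints a one-line verdict; returns 0 = mitigated or not affected,
# 1 = vulnerable (action needed), 2 = cannot tell from inside this guest,
# 3 = unrecognised wording.
gds_classify() {
    case "$1" in
        "Not affected")
            echo "ok: CPU not affected by GDS"; return 0 ;;
        "Mitigation: Microcode"|"Mitigation: Microcode (locked)")
            echo "ok: mitigated by microcode ($1)"; return 0 ;;
        "Mitigation: AVX disabled, no microcode")
            echo "ok: mitigated by disabling AVX; install updated microcode_ctl to restore AVX"; return 0 ;;
        "Vulnerable: No microcode")
            echo "action: install microcode_ctl 20230808 or newer, then reboot"; return 1 ;;
        "Vulnerable"|"Vulnerable:"*)
            echo "action: mitigation is off or unavailable ($1)"; return 1 ;;
        "Unknown:"*)
            echo "indeterminate: depends on the hypervisor ($1)"; return 2 ;;
        *)
            echo "unrecognised status: '$1'"; return 3 ;;
    esac
}

# gds_cmdline_disabled CMDLINE
# Returns 0 when the kernel command line switches the mitigation off,
# either specifically (gather_data_sampling=off) or globally (mitigations=off).
gds_cmdline_disabled() {
    for word in $1; do
        case "$word" in
            gather_data_sampling=off|mitigations=off) return 0 ;;
        esac
    done
    return 1
}

# gds_from_dmesg DMESG_TEXT
# Extracts the status from the last "GDS: " line of a dmesg capture,
# e.g. "[    0.162571] GDS: Mitigation: Microcode" -> "Mitigation: Microcode".
gds_from_dmesg() {
    printf '%s\n' "$1" | sed -n 's/^.*GDS: //p' | tail -n 1
}

# gds_check_host: run the checks against the live system.
gds_check_host() {
    if [ ! -r "$GDS_SYSFS" ]; then
        echo "no $GDS_SYSFS: this kernel does not report GDS status; update the kernel"
        return 3
    fi
    status=$(cat "$GDS_SYSFS")
    rc=0
    gds_classify "$status" || rc=$?
    if gds_cmdline_disabled "$(cat /proc/cmdline 2>/dev/null)"; then
        echo "note: mitigation disabled on the kernel command line"
    fi
    return $rc
}

# Constructed sample dmesg excerpt for an offline demonstration.
SAMPLE_DMESG='[    0.000000] Linux version 5.14.0 (constructed sample)
[    0.162571] GDS: Mitigation: Microcode'

case "${1:-}" in
    --host) gds_check_host ;;                                          # check this machine
    --demo) gds_classify "$(gds_from_dmesg "$SAMPLE_DMESG")" ;;        # offline sample
esac
```

Run it as `sh gds_check.sh --host` on the target; the exit status (0, 1, 2 or 3) is the verdict, so it drops straight into a configuration-management check. A status of "Vulnerable: No microcode" means the kernel update is in place but the microcode_ctl update is not, while a plain "Vulnerable" together with the command-line note means someone deliberately switched the mitigation off as described in the Performance Impact section.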

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.