GDS_Downfall

Gather Data Sampling (GDS) Downfall (CVE-2022-40982)

Daniel Moghimi discovered that some Intel® Processors were vulnerable to information exposure through microarchitectural state after transient execution in certain vector execution units.

Gather is a feature provided by Intel® Advanced Vector Extensions 2 (Intel® AVX2) and Intel® Advanced Vector Extensions 512 (Intel® AVX-512). It comprises a collection of single-instruction, multiple-data (SIMD) instructions which fetch non-contiguous data elements from memory using vector-index memory addressing.

Gather Data Sampling (GDS) is a transient execution side channel vulnerability affecting certain Intel processors. In some situations when a gather instruction performs certain loads from memory, it may be possible for a malicious attacker to use this type of instruction to infer stale data from previously used vector registers. These entries may correspond to registers previously used by the same thread, or by the sibling thread on the same processor core.

When the microcode mitigation for Gather Data Sampling (GDS) is applied, the majority of server and client application-based benchmarks are expected to show minimal performance impact, since these benchmarks rarely use gather instructions. However, some datacenter and high-performance computing applications, such as machine learning (ML) libraries, numerical libraries, graphic design and rendering software, and certain scientific applications, may see significant performance impact from the GDS microcode mitigation. The performance or resource utilization impact of the GDS mitigation on applications varies primarily depending on the frequency of gather instructions in the application code. Workloads which do not heavily rely on gather instructions are not expected to be impacted by the presence of the GDS microcode mitigation. However, a performance impact will be observed if the gather instructions are in the hot (frequently executed) path.

The mitigation for this vulnerability is delivered in Intel microcode, which is the recommended solution. Kernel updates are also provided, but they mostly report the mitigation status and allow the mitigation to be turned off for performance reasons. The kernel changes have one other aspect: forcibly disabling AVX (vector extensions), which might break some userspace.

If performance is heavily impacted by this mitigation, the threat model and the likelihood that this vulnerability would allow local attackers to extract confidential information (including security keys) can be very carefully considered. If the decision is to turn off this mitigation, the following parameter can be added to the kernel boot command line:

gather_data_sampling=off
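
To audit a host for the state described above, the kernel's reported status can be read together with the boot command line. The script below is an added example, not part of the original page or of any Ubuntu tooling. It assumes the sysfs file name and status strings used by the upstream Linux kernel and also treats the generic mitigations=off switch as disabling the mitigation (neither appears on this page); gds_assess is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: classify a host's GDS state.
#   $1 = kernel status string (assumed upstream sysfs wording)
#   $2 = kernel boot command line
gds_assess() {
    gds_status=$1
    gds_cmdline=$2
    gds_disabled=no
    # Was the mitigation switched off at boot? Match whole parameters only.
    case " $gds_cmdline " in
        *" gather_data_sampling=off "*|*" mitigations=off "*) gds_disabled=yes ;;
    esac
    case $gds_status in
        "Not affected"*)
            echo "OK: CPU not affected" ;;
        "Mitigation: Microcode"*)
            echo "OK: microcode mitigation active" ;;
        "Mitigation: AVX disabled"*)
            echo "WARN: AVX force-disabled, updated microcode not loaded" ;;
        "Vulnerable: No microcode"*)   # must be tested before plain "Vulnerable"
            echo "FAIL: microcode mitigation missing, install updated intel-microcode" ;;
        "Vulnerable"*)
            if [ "$gds_disabled" = yes ]; then
                echo "FAIL: mitigation disabled on kernel command line"
            else
                echo "FAIL: vulnerable, mitigation is off"
            fi ;;
        "Unknown"*)
            echo "WARN: guest cannot tell, depends on hypervisor" ;;
        "")
            echo "UNKNOWN: kernel does not report GDS status, update the kernel" ;;
        *)
            echo "WARN: unrecognised status: $gds_status" ;;
    esac
}

# Run against the live system when the kernel exposes the status file.
gds_sysfs=/sys/devices/system/cpu/vulnerabilities/gather_data_sampling
if [ -r "$gds_sysfs" ] && [ -r /proc/cmdline ]; then
    gds_assess "$(cat "$gds_sysfs")" "$(cat /proc/cmdline)"
else
    gds_assess "" ""
fi
```

A FAIL line caused by the command line means the parameter above is still present in the boot configuration and should be removed once the performance trade-off no longer justifies it.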

The affected list of Intel Processors can be found at: https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/processors-affected-consolidated-product-cpu-model.html

Updates

Intel microcode updates are available upstream on GitHub (intel/Intel-Linux-Processor-Microcode-Data-Files) in the microcode-20230808 release. Ubuntu 16.04 LTS, 18.04 LTS, 20.04, 22.04 LTS and 23.04 were affected. To address the issue, ensure that intel-microcode version 3.20230808 is installed. These updates were announced in USN-6286-1.

Kernel updates are rolling out and Ubuntu users are recommended to update to the latest kernel. The majority of users should ensure that the following kernel packages are installed:

Ubuntu Release | Base Kernel | Enablement Kernel
23.04 | linux-image-6.2.0-31-generic 6.2.0-31.31 | N/A
22.04 | linux-image-5.15.0-82-generic 5.15.0-82.91 | linux-image-6.2.0-31-generic 6.2.0-31.31~22.04.1
20.04 LTS | linux-image-5.4.0-159-generic 5.4.0-159.176 | linux-image-5.15.0-82-generic 5.15.0-82.91~20.04.1
18.04 LTS | linux-image-4.15.0-218-generic 4.15.0-218.229 (Available with Ubuntu Pro) | linux-image-5.4.0-159-generic 5.4.0-159.176~18.04.1 (Available with Ubuntu Pro)
16.04 LTS | linux-image-4.4.0-245-generic 4.4.0-245.279 (Available with Ubuntu Pro) | linux-image-4.15.0-218-generic 4.15.0-218.229~16.04.1 (Available with Ubuntu Pro)

These updates were announced in USN-6315-1, USN-6317-1, USN-6318-1, USN-6388-1 and USN-6396-1.

Timeline

  • 2023 Aug 08: Public disclosure
  • 2023 Aug 14: Updated Ubuntu Intel microcode available
  • 2023 Aug 29: Updated Ubuntu kernels available

Public Cloud Image updates

  • Amazon AWS: <IN PROGRESS>
  • Windows Azure: <IN PROGRESS>
  • Google Compute Engine: <IN PROGRESS>
  • Ubuntu Core Images: <IN PROGRESS>

Cloud Images dailies will start appearing within 4 hours of the USN announcement. At the direction of the security team, the Cloud Image Team will start manually releasing new images to the public cloud.