A vulnerability in AMD processors has been discovered, which can lead to data leakage during operations on the same CPU core when encountering a #DE (Divide Error) caused by division by zero. This issue only affects AMD Zen1 processors, specifically AMD Epyc 7001, AMD Athlon 3000, AMD Ryzen 3000 with GPU Radeon, AMD Athlon Pro 3000 with GPU Radeon Vega, and AMD Ryzen Pro 3000 with GPU Radeon Vega. The vulnerability is detailed in CVE-2023-20588.
The vulnerability stems from the fact that when a #DE exception occurs due to division by zero, the processor speculatively redirects the result of the previous division operation. This is because there is only one divider in the CPU with microarchitecture in the pipeline that handles operations in various threads. On vulnerable systems, an attacker can exploit this to determine the result of the previous division operation performed on the same CPU core in other contexts, such as in another process or outside the virtual machine.
In practical terms, this vulnerability can be used to establish an undisclosed data transmission channel between processes, sandboxed applications, or virtual machines. It bypasses systemic access control mechanisms and does not require system calls. Additionally, the vulnerability allows an attacker to obtain information about previous actual or speculative execution of the DIV instruction from user space. This can be particularly concerning for operations involving sensitive data at higher privilege levels, such as cryptographic operations.
Patches have already been developed to address this vulnerability in the Linux kernel
and the Xen hypervisor
[source]. The issue is resolved by re-recording the division buffer during context switching. However, the fix is only effective when symmetric multi-threading (SMT) is disabled.