Inception: AMD CPU Vulnerability Overflows the Microarchitectural Return Address Stack

A group of researchers from ETH Zurich (the Swiss Federal Institute of Technology in Zurich) has disclosed a new vulnerability (CVE-2023-20569) in the implementation of AMD microarchitectural structures, code-named Inception. The vulnerability allows a local unprivileged user to determine the memory contents of other users' processes. In virtualized environments, it makes it possible to extract information from other guest systems.

The researchers prepared a working exploit prototype and showed that a local unprivileged user can use it to recover the root password hash stored in /etc/shadow and loaded into memory during authentication. The attack was demonstrated on a fully updated Ubuntu 22.04 system with a 5.19 kernel running on a computer with an AMD Zen 4 family processor. The exploit leaks data at 39 bytes per second. The contents of /etc/shadow were successfully recovered in 6 out of 10 attempts, with each attempt taking about 40 minutes.

The vulnerability allows an attacker to overflow the Return Address Stack (RAS), a microarchitectural structure that is updated speculatively, at the stage when the processor has only predicted that a CALL instruction will execute. The RAS has a fixed size and is organized as a ring buffer: after the last element, the next entry wraps around to the beginning. An attacker can create conditions under which the branch predictor speculatively executes a large number of mispredicted CALLs, enough to fill the RAS and overwrite the correctly predicted return addresses stored at the beginning of the stack.

As a result, the original entries in the stack can be overwritten with values chosen by the attacker, which are then used in the speculative execution of a RET instruction in the context of another process (i.e., a targeted speculative jump is made to a code block that the program's logic never intended). The processor eventually determines that the branch prediction was wrong and rolls the operation back to its original state, but data touched during speculative execution remains in the cache and in microarchitectural buffers. If the mistakenly executed block reads memory, its speculative execution leaves the data it read in the shared cache, from where it can be recovered through a cache-timing side channel.
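The following C model is added here to make the mechanism above concrete; it is not the researchers' exploit code and not AMD's actual design. It treats the RAS as a fixed-size ring buffer with a top-of-stack index that is checkpointed before speculation and restored on a squash, while the entries written during speculation are left in place. The RAS_SIZE of 16, the addresses and the function names are illustrative assumptions, not measured Zen 4 parameters.

```c
#include <stdint.h>
#include <stdio.h>

/* Added, simplified model of a Return Address Stack (RAS); not the
 * researchers' exploit code and not AMD's actual design. RAS_SIZE is an
 * illustrative assumption, not a measured Zen 4 value. */
#define RAS_SIZE 16u

typedef struct {
    uint64_t entry[RAS_SIZE]; /* ring buffer of predicted return addresses */
    unsigned tos;             /* index of the most recently pushed entry */
} ras_t;

static void ras_init(ras_t *r)
{
    for (unsigned i = 0; i < RAS_SIZE; i++)
        r->entry[i] = 0;
    r->tos = 0;
}

/* The front end sees (or merely predicts) a CALL: advance tos and store the
 * return address. When tos passes the last slot it wraps to slot 0 and
 * silently overwrites whatever was there: this is the ring behaviour. */
static void ras_push(ras_t *r, uint64_t ret_addr)
{
    r->tos = (r->tos + 1) % RAS_SIZE;
    r->entry[r->tos] = ret_addr;
}

/* The front end sees a RET: predict the target from the top entry, then retreat. */
static uint64_t ras_pop(ras_t *r)
{
    uint64_t target = r->entry[r->tos];
    r->tos = (r->tos + RAS_SIZE - 1) % RAS_SIZE;
    return target;
}

/* Scenario from the text: the victim executes a real CALL (pushing its
 * legitimate return address), then the attacker-trained predictor
 * speculatively inserts n_phantom CALLs. When the misprediction is
 * detected, the core restores only the tos pointer from its checkpoint;
 * the entries written during speculation stay. The victim's next RET is
 * then predicted from whatever now sits in its slot. Returns that
 * predicted target. */
uint64_t predict_victim_ret(unsigned n_phantom, uint64_t legit, uint64_t poison)
{
    ras_t ras;
    ras_init(&ras);

    ras_push(&ras, legit);            /* victim's architectural CALL */
    unsigned checkpoint = ras.tos;    /* state saved before speculation */

    for (unsigned i = 0; i < n_phantom; i++)
        ras_push(&ras, poison);       /* speculative phantom CALLs */

    ras.tos = checkpoint;             /* squash: pointer rolled back, data not */
    return ras_pop(&ras);             /* prediction for the victim's RET */
}

int main(void)
{
    const uint64_t legit  = 0x401000ULL;       /* constructed sample address */
    const uint64_t poison = 0x7f00dead0000ULL; /* constructed sample address */

    for (unsigned n = RAS_SIZE - 2; n <= RAS_SIZE; n++) {
        uint64_t t = predict_victim_ret(n, legit, poison);
        printf("%2u phantom CALLs -> victim RET predicted to 0x%llx (%s)\n",
               n, (unsigned long long)t, t == legit ? "correct" : "hijacked");
    }
    return 0;
}
```

With fewer than RAS_SIZE phantom CALLs the victim's slot is never reached and the RET prediction stays correct; at RAS_SIZE or more the ring wraps, the slot is overwritten, and rolling back only the top-of-stack pointer on squash leaves the poisoned entry to be consumed by the victim's RET. The two properties together, wrap-around and non-restoration of contents, are what the model isolates.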
