Speculative Code Store Bypass and Floating-Point Value Injection

Bulletin ID: AMD-SB-1003
Potential Impact: Data Leakage
Severity: Medium

Summary

AMD is aware of research from the VUsec group at Vrije Universiteit Amsterdam and believes that these issues are only exploitable in conjunction with software vulnerabilities related to incorrect speculation of specific sequences as described below.  AMD is not currently aware of any instances of such vulnerabilities in commercially available software.

CVE Details

CVE-2021-26313
Potential speculative code store bypass in all supported CPU products, in conjunction with software vulnerabilities relating to speculative execution of overwritten instructions, may cause an incorrect speculation and could result in data leakage.

CVE-2021-26314
Potential floating point value injection in all supported CPU products, in conjunction with software vulnerabilities relating to speculative execution with incorrect floating point results, may cause the use of incorrect data from FPVI and may result in data leakage.

Affected Products

All Currently supported CPU Products in conjunction with software vulnerabilities relating to speculative execution as indicated above.

Mitigation

While overwritten instruction sequences should not be architecturally executed, they may be speculatively executed. AMD recommends that software vendors analyze their code for any potential vulnerabilities relating to speculative execution of overwritten instructions (CVE-2021-26313). AMD recommends that software vendors analyze their code for any potential vulnerabilities relating to speculative execution with incorrect floating point results (CVE-2021-26314).

Potential software vulnerabilities can be mitigated by inserting a LFENCE between the overwriting of the instructions and the execution of the overwritten instructions.¹

For additional information on speculation in AMD processors, see our paper²

Acknowledgement

AMD thanks the following for reporting these issues and engaging in coordinated vulnerability disclosure. 

• Hany Ragab, Enrico Barberis, Herbert Bos, and Cristiano Giuffrida from the VUSec group at VU Amsterdam

References

1. https://developer.amd.com/wp-content/resources/Managing-Speculation-on-AMD-Processors.pdf
2. https://www.amd.com/content/dam/amd/en/documents/resources/bulletin/1924930.pdf

Revisions

DISCLAIMER

The information contained herein is for informational purposes only and is subject to change without notice. While every precaution has been taken in the preparation of this document, it may contain technical inaccuracies, omissions and typographical errors, and AMD is under no obligation to update or otherwise correct this information. Advanced Micro Devices, Inc. makes no representations or warranties with respect to the accuracy or completeness of the contents of this document, and assumes no liability of any kind, including the implied warranties of noninfringement, merchantability or fitness for particular purposes, with respect to the operation or use of AMD hardware, software or other products described herein. Any computer system has risks of security vulnerabilities that cannot be completely prevented or mitigated. No license, including implied or arising by estoppel, to any intellectual property rights is granted by this document. Terms and limitations applicable to the purchase or use of AMD’s products are as set forth in a signed agreement between the parties or in AMD's Standard Terms and Conditions of Sale.

AMD, the AMD Arrow logo, and combinations thereof are trademarks of Advanced Micro Devices, Inc. Other product names used in this publication are for identification purposes only and may be trademarks of their respective companies.

© 2021 Advanced Micro Devices, Inc. All rights reserved.