Cross-Thread Return Address Predictions

Bulletin ID: AMD-SB-1045
Potential Impact: Information Disclosure

Summary

AMD internally discovered a potential vulnerability where certain AMD processors may speculatively execute instructions at an incorrect return site after an SMT mode switch that may potentially lead to information disclosure. AMD believes that due to existing mitigations applied to address other speculation-based issues, theoretical avenues for potential exploit of CVE-2022-27672 may be limited only to select virtualization environments where a virtual machine is given special privileges. As of this notice, AMD is not aware of any actual real-world exploits based on this behavior.

CVE Details

CVE-2022-27672

When SMT is enabled, certain AMD processors may speculatively execute instructions using a target from the sibling thread after an SMT mode switch, potentially resulting in information disclosure.

Affected Products

Desktop

  • AMD Athlon™ X4 Processor
  • AMD Ryzen™ Threadripper™ PRO Processor
  • 2nd Gen AMD Ryzen™ Threadripper™ Processors
  • 3rd Gen AMD Ryzen™ Threadripper™ Processors
  • 7th Generation AMD A-Series APUs
  • AMD Ryzen™ 2000 Series Desktop Processors
  • AMD Ryzen™ 3000 Series Desktop Processors
  • AMD Ryzen™ 4000 Series Desktop Processors with Radeon™ Graphics

Mobile

  • AMD Ryzen™ 2000 Series Mobile Processor
  • AMD Athlon™ 3000 Series Mobile Processors with Radeon™ Graphics
  • AMD Ryzen™ 3000 Series Mobile Processors or 2nd Gen AMD Ryzen™ Mobile processors with Radeon™ Graphics
  • AMD Ryzen™ 4000 Series Mobile processors with Radeon™ Graphics
  • AMD Ryzen™ 5000 Series Mobile Processors with Radeon™ Graphics

Chromebook

  • AMD Athlon™ Mobile Processors with Radeon™ Graphics

Server

  • 1st Gen AMD EPYC™ Processors
  • 2nd Gen AMD EPYC™ Processors

Mitigation

Mitigations may be specific to a respective OS/Hypervisor solution. Not all Hypervisor or OS vendors may be impacted. If applicable, an OS update to address this CVE may be available. AMD recommends that you contact your OS partners for details.

AMD recommends that OS/Hypervisor developers review code paths that can result in a processor entering an idle state (e.g., HLT/MWAIT/IO C-state). If required, AMD recommends that developers consider the following mitigations:

  1. Fill the RAP prior to entering the idle state

     Before entering the idle processor state, software can execute a sequence of 32 CALL instructions with non-0 displacement to fill the RAP with ‘safe’ speculation targets.

  2. Prevent unprivileged transitions to idle state

     HVs can prevent guest VMs from directly entering processor idle states by intercepting the HLT, MWAIT, and IN instructions. See APM Volume 2 [1] appendix B for details.
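The RAP-filling sequence from mitigation 1, written out as an added example (this is not AMD's code and not taken from any OS or hypervisor). It assumes x86-64, the System V ABI (128-byte red zone below %rsp), and GCC or clang inline assembly; an OS or HV would run this sequence immediately before HLT/MWAIT/IO C-state entry, and the function and macro names are this example's own.

```c
/* Added example: fill the return address predictor (RAP) with safe targets
 * before entering an idle state. Each CALL has a non-zero displacement whose
 * target is a benign speculation trap (pause; lfence; jmp self), so a
 * mispredicted return can only land in that trap. Assumes x86-64 + GCC/clang. */
#if !defined(__x86_64__) || !defined(__GNUC__)
#error "this example needs x86-64 with GCC or clang inline assembly"
#endif
#include <stdio.h>

#define RAP_FILL_DEPTH 32   /* number of predictor entries to overwrite (per bulletin) */
#define STR_(x) #x
#define STR(x)  STR_(x)

/* Executes RAP_FILL_DEPTH CALLs. Architecturally none of them RETs: control
 * falls through past each trap, and the pushed return addresses are discarded
 * with a single stack adjustment at the end. Returns the number of CALLs run. */
static int rap_fill_before_idle(void)
{
    int executed;
    __asm__ __volatile__(
        "sub  $128, %%rsp\n\t"                   /* step below the SysV red zone */
        "xor  %[n], %[n]\n\t"
        ".rept " STR(RAP_FILL_DEPTH) "\n\t"
        "call 1f\n\t"                            /* pushes address of the trap below */
        "2: pause\n\t"                           /* speculation trap, never executed */
        "   lfence\n\t"
        "   jmp  2b\n\t"
        "1: inc  %[n]\n\t"                       /* fall through; return address stays pushed */
        ".endr\n\t"
        "add  $(" STR(RAP_FILL_DEPTH) "*8), %%rsp\n\t" /* drop the pushed return addresses */
        "add  $128, %%rsp\n\t"
        : [n] "=&r" (executed)
        :
        : "memory", "cc");
    return executed;
}

int main(void)
{
    /* In a real idle path the HLT/MWAIT instruction would follow immediately.
     * Here we only show that the fill sequence runs and unwinds the stack. */
    int n = rap_fill_before_idle();
    printf("executed %d RAP-filling CALLs\n", n);
    return n == RAP_FILL_DEPTH ? 0 : 1;
}
```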

Refer to Glossary for explanation of terms

Acknowledgement

The published issue was found internally while investigating a report from security researcher Pawel Wieczorkiewicz.

AMD would like to thank Pawel for the report and engaging in coordinated vulnerability disclosure.

References

 [1] APM Volume 2 (https://www.amd.com/system/files/TechDocs/24593.pdf)

Revisions

Revision Date   Description
02/14/2023      Initial publication