Discussion:
CVE-2023-20593 - firmware update for AMD Zen2, not my chip
(too old to reply)
Mike Small
2023-07-25 01:12:14 UTC
Permalink
So you may have seen this security update for CVE-2023-20593. If you
don't have that chip or AMD at all do you skip it? Any good reason to
take it?

I'm inclined not to. Still using 14.2 as my "will definitely still play
DVDs well on this 12 year old laptop" item in the boot menu so am
inclined to go minimal on the updates, particularly to the kernel or
firmware. But I suppose this wouldn't even be loaded.
Henrik Carlqvist
2023-07-25 10:42:26 UTC
Permalink
Post by Mike Small
So you may have seen this security update for CVE-2023-20593. If you
don't have that chip or AMD at all do you skip it? Any good reason to
take it?
Usually, I install all security patches routinely after some basic
testing that they do not break anything. However, there are some patches
that I do not install:

1) Packages which I have removed, installing a CUPS package would break
by LPRng installation.

2) Updates which I really don't need and maybe earlier have been prone to
break something. An example of such a package is glibc-zoneinfo.

So what about the kernel-firmware package? I will not update any 14.2
system, not only because I don't have any AMD CPU, but mostly because the
kernel-firmware package has become kind of bloated since I initially
installed 14.2. Since a few years back the later kernel-firmware packages
overfills the limited amont of space on my rather small root partitions.

On my Slackware 15.0 systems I have bigger root partitions and plan to
evaluate the update even though I do not have any AMD CPUs now. If I
would get an AMD CPU it would be good to have an up to date system.

Unfortunately the kernel firmware package needs to be evaluated as
upstream providers only provide one such package and during the years
that latest package has turned out to break support for different
hardware with different kernel versions. Maybe they would need to make
the package even more bloated to support all still supported kernel
versions. Maybe they would need to branch off different firmware package
versions for different kernel versions.

I am now on vacation, so I will not be able to evaluate the package for
my 15.0 installations until a few weeks.

regards Henrik
John McCue
2023-07-25 21:48:08 UTC
Permalink
Post by Mike Small
So you may have seen this security update for CVE-2023-20593. If you
don't have that chip or AMD at all do you skip it? Any good reason to
take it?
From what I have read, no need unless you have one of the AMD
CPUs listed here:

https://lock.cmpxchg8b.com/zenbleed.html

But this also means you may not have the latest firmware
for you chip. I believe, eventually another firmware
update will come through and you will get these fixes
anyway :)

<snip>

John
--
[t]csh(1) - "An elegant shell, for a more... civilized age."
- Paraphrasing Star Wars
John McCue
2023-07-25 22:10:46 UTC
Permalink
Post by John McCue
From what I have read, no need unless you have one of the AMD
https://lock.cmpxchg8b.com/zenbleed.html
Wrong link, this is the correct one:

https://www.tomshardware.com/news/zenbleed-bug-allows-data-theft-from-amds-zen-2-processors-patches-released

John
--
[t]csh(1) - "An elegant shell, for a more... civilized age."
- Paraphrasing Star Wars
User
2023-07-26 00:11:43 UTC
Permalink
Post by John McCue
Post by John McCue
From what I have read, no need unless you have one of the AMD
https://lock.cmpxchg8b.com/zenbleed.html
https://www.tomshardware.com/news/zenbleed-bug-allows-data-theft-from-amds-zen-2-processors-patches-released
John
Mon Jul 24 22:07:56 UTC 2023
patches/packages/kernel-firmware-20230724_59fbffa-noarch-1.txz: Upgraded.
AMD microcode updated to fix a use-after-free in AMD Zen2 processors.
From Tavis Ormandy's annoucement of the issue:
"The practical result here is that you can spy on the registers of
other
processes. No system calls or privileges are required.
It works across virtual machines and affects all operating systems.
I have written a poc for this issue that's fast enough to reconstruct
keys and passwords as users log in."
For more information, see:
https://seclists.org/oss-sec/2023/q3/59
https://www.cve.org/CVERecord?id=CVE-2023-20593
(* Security fix *)
Jim Diamond
2023-07-30 18:17:16 UTC
Permalink
Post by User
Post by John McCue
Post by John McCue
From what I have read, no need unless you have one of the AMD
https://lock.cmpxchg8b.com/zenbleed.html
https://www.tomshardware.com/news/zenbleed-bug-allows-data-theft-from-amds-zen-2-processors-patches-released
John
Mon Jul 24 22:07:56 UTC 2023
patches/packages/kernel-firmware-20230724_59fbffa-noarch-1.txz: Upgraded.
AMD microcode updated to fix a use-after-free in AMD Zen2 processors.
"The practical result here is that you can spy on the registers of
other
processes. No system calls or privileges are required.
It works across virtual machines and affects all operating systems.
I have written a poc for this issue that's fast enough to reconstruct
keys and passwords as users log in."
https://seclists.org/oss-sec/2023/q3/59
https://www.cve.org/CVERecord?id=CVE-2023-20593
(* Security fix *)
For those concerned about this...

The firmware update doesn't help most Zen2 processors. On the other hand,
the 6.4.7 kernel (and maybe some lower-numbered ones) has a patch which
mitigates this bug, at a possible performance cost.

I have this kernel running on a Ryzen 7 4700U processor (S64-15.0), and
running the program which demonstrates the problem under this kernel
indicates the kernel work-around seems to work with no other
configuration.

Running
# dmesg | grep -i zen
(as root/sudo/su...) outputs (for me)
[ 0.142704] Zenbleed: please update your microcode for the most optimal fix
(as well as some other stuff).

I haven't noticed any performance degradation, but nor have I run any
performance benchmarks.

Cheers.
Jim

Loading...