
8.31.2021

A vulnerability similar to the famous Meltdown was found in AMD Zen+ and Zen 2-based CPUs


Researchers Saidgani Musaev and Christof Fetzer of Dresden University of Technology, working in the field of information security, revealed a new method of unauthorized data exchange between internal AMD processor components. Simply put, this is a hardware vulnerability that could lead to data leakage.

The vulnerability, called «Transient Execution of Non-canonical Accesses», affects chips built around the Zen+ and Zen 2 microarchitectures. The problem was discovered last October, after which the researchers notified AMD of their finding. It took AMD several months to fix the problem and develop measures to counter possible negative consequences. The vulnerability is tracked under the identifiers CVE-2020-12965 and AMD-SB-101 (internal manufacturer classification).

Briefly, according to AMD, the problem is as follows: «In conjunction with certain software sequences, AMD processors can temporarily perform non-canonical loads and saves using only the lowest 48 bits of the address, which can lead to data leaks».

In investigating the vulnerability, the researchers worked with AMD EPYC 7262 processors based on Zen 2, as well as the Ryzen 7 2700X and Ryzen Threadripper 2990WX based on Zen+. The researchers note that while all Intel processors vulnerable to attacks via the Meltdown hardware vulnerability «inherently have the same flaw», AMD processors based on the Zen+ architecture and later versions are not susceptible to Meltdown attacks. However, they turned out to have a problem of their own. It is also noted that AMD has developed a way to address the new vulnerability through software fixes.
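To make the "lowest 48 bits" wording concrete, the following added example (not code from the researchers or AMD) shows what a canonical x86-64 address is and which canonical address shares the low 48 bits of a non-canonical one. It assumes 4-level paging with 48 implemented virtual-address bits; the function names and sample addresses are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define VA_BITS 48                       /* assumption: 4-level paging */
#define LOW_MASK ((1ULL << VA_BITS) - 1) /* bits 47..0 */

/* An address is canonical when bits 63..47 are all copies of bit 47. */
static int is_canonical(uint64_t va)
{
    uint64_t upper = va >> (VA_BITS - 1);   /* the 17 bits 63..47 */
    return upper == 0 || upper == 0x1FFFF;
}

/* The canonical address that has the same low 48 bits as va:
 * keep bits 47..0 and sign-extend bit 47 into bits 63..48. */
static uint64_t low48_alias(uint64_t va)
{
    uint64_t low = va & LOW_MASK;
    if (low & (1ULL << (VA_BITS - 1)))
        low |= ~LOW_MASK;
    return low;
}

/* Defensive use: refuse a pointer-sized value taken from untrusted
 * input unless it is canonical, instead of relying on the fault. */
static int accept_untrusted_pointer(uint64_t va)
{
    return is_canonical(va);
}

int main(void)
{
    /* Constructed sample addresses, not taken from the research. */
    const uint64_t samples[] = {
        0x00007fffdeadb000ULL,   /* canonical, lower half */
        0xffff800000001000ULL,   /* canonical, upper half */
        0x12347fffdeadb000ULL,   /* non-canonical: upper bits set */
        0x0000800000000000ULL,   /* non-canonical: bit 47 not extended */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%016llx canonical=%d low48_alias=%016llx accept=%d\n",
               (unsigned long long)samples[i], is_canonical(samples[i]),
               (unsigned long long)low48_alias(samples[i]),
               accept_untrusted_pointer(samples[i]));
    return 0;
}
```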

4.14.2021

Disabling the vulnerable PSF mechanism in AMD Zen 3 processors almost does not reduce performance


AMD recently reported that the Predictive Store Forwarding (PSF) mechanism in Zen 3 processors is vulnerable to side-channel attacks (like Spectre and Meltdown), which are based on analyzing data deposited in the processor cache during speculative instruction execution. The company told users how they can protect themselves and disable this functionality, but did not comment on how it would affect performance. Phoronix journalists decided to clarify this issue.


The new Predictive Store Forwarding (PSF) mechanism in AMD Zen 3 processors is exposed to a hardware vulnerability that allows data to be read through a side channel. In theory, disabling this feature should reduce performance, and that's the effect we saw with Intel processors during the Spectre and Meltdown vulnerability remediation process. But for now AMD points out that there are no known cases of PSF vulnerability exploitation, so it does not recommend that end users disable the functionality, in order to avoid performance degradation. The PSF mechanism is disabled in Zen 3 processors by setting certain MSR bits. AMD has promised in a white paper to publish Linux patches that make it easy to disable PSF if needed, but no patches are publicly available yet.


Nevertheless, Michael Larabel of Phoronix built a Linux kernel with PSF disabled and ran dozens of tests with AMD Ryzen 5000 and EPYC 7003 series processors on bare-metal and PSF-disabled kernels. According to him, the testing covered a wide range of workloads, and each test was run automatically several times. The conclusion was that disabling PSF had a minimal effect on performance. In most cases the difference was within statistical error, although in some workloads it was close to 1%. For example, a Ryzen 7 5800X processor was run through a set of more than 100 tests. That said, averaging all the results suggests less than 1.5% performance loss when the potentially dangerous Zen 3 feature is disabled.


In short, while AMD generally does not recommend that its customers disable PSF, anyone who decides to take this step in the name of improving security probably won't see any significant performance difference. Unlike other patches designed to combat attacks related to speculative instruction execution, this time the fix came at little cost.