oss-sec mailing list archives

Re: CVE-2023-20593: A use-after-free in AMD Zen2 Processors


From: Matthias Schmidt <oss-sec () xosc org>
Date: Tue, 25 Jul 2023 19:30:39 +0200

* Eddie Chapman wrote:
> alice wrote:
> > this is a disaster of a security announcement from AMD. nothing is fixed
> > except for epyc. the only workaround anyone really has is the chicken bit,
> > thankfully.
>
> Yes, very disappointing. Pure speculation; perhaps they were planning on
> disclosing at the end of the year with full set of Microcode ready but
> something we don't know (yet) forced them to disclose early. Who knows.

According to the writeup [1] in Google's security repo "AMD unexpectedly
published patches" and was then forced to agree on an earlier disclosure
date.

Mistakes happen to everyone...

[1]
https://github.com/google/security-research/tree/master/pocs/cpus/zenbleed

