CVE-2024-21823

Hardware logic with insecure de-synchronization in Intel(R) DSA and Intel(R) IAA for some Intel(R) 4th or 5th generation Xeon(R) processors may allow an authorized user to potentially enable denial of service via local access.

Weakness

The hardware logic for error handling and security checks can incorrectly forward data before the security check is complete.

Affected Software

Name	Vendor	Start Version	End Version
Linux-allwinner-5.19	Ubuntu	jammy	*
Linux-allwinner-5.19	Ubuntu	upstream	*
Linux-aws-5.0	Ubuntu	esm-infra/bionic	*
Linux-aws-5.0	Ubuntu	upstream	*
Linux-aws-5.11	Ubuntu	focal	*
Linux-aws-5.11	Ubuntu	upstream	*
Linux-aws-5.13	Ubuntu	focal	*
Linux-aws-5.13	Ubuntu	upstream	*
Linux-aws-5.19	Ubuntu	jammy	*
Linux-aws-5.19	Ubuntu	upstream	*
Linux-aws-5.3	Ubuntu	esm-infra/bionic	*
Linux-aws-5.3	Ubuntu	upstream	*
Linux-aws-5.8	Ubuntu	focal	*
Linux-aws-5.8	Ubuntu	upstream	*
Linux-aws-6.2	Ubuntu	jammy	*
Linux-aws-6.2	Ubuntu	upstream	*
Linux-azure	Ubuntu	esm-infra/bionic	*
Linux-azure-5.11	Ubuntu	focal	*
Linux-azure-5.11	Ubuntu	upstream	*
Linux-azure-5.13	Ubuntu	focal	*
Linux-azure-5.13	Ubuntu	upstream	*
Linux-azure-5.19	Ubuntu	jammy	*
Linux-azure-5.19	Ubuntu	upstream	*
Linux-azure-5.3	Ubuntu	esm-infra/bionic	*
Linux-azure-5.3	Ubuntu	upstream	*
Linux-azure-5.8	Ubuntu	focal	*
Linux-azure-5.8	Ubuntu	upstream	*
Linux-azure-6.2	Ubuntu	jammy	*
Linux-azure-6.2	Ubuntu	upstream	*
Linux-azure-edge	Ubuntu	esm-infra/bionic	*
Linux-azure-edge	Ubuntu	upstream	*
Linux-azure-fde	Ubuntu	focal	*
Linux-azure-fde-5.19	Ubuntu	jammy	*
Linux-azure-fde-5.19	Ubuntu	upstream	*
Linux-azure-fde-6.2	Ubuntu	jammy	*
Linux-azure-fde-6.2	Ubuntu	upstream	*
Linux-gcp	Ubuntu	esm-infra/bionic	*
Linux-gcp-5.11	Ubuntu	focal	*
Linux-gcp-5.11	Ubuntu	upstream	*
Linux-gcp-5.13	Ubuntu	focal	*
Linux-gcp-5.13	Ubuntu	upstream	*
Linux-gcp-5.19	Ubuntu	jammy	*
Linux-gcp-5.19	Ubuntu	upstream	*
Linux-gcp-5.3	Ubuntu	esm-infra/bionic	*
Linux-gcp-5.3	Ubuntu	upstream	*
Linux-gcp-5.8	Ubuntu	focal	*
Linux-gcp-5.8	Ubuntu	upstream	*
Linux-gcp-6.2	Ubuntu	jammy	*
Linux-gcp-6.2	Ubuntu	upstream	*
Linux-gke	Ubuntu	focal	*
Linux-gke-4.15	Ubuntu	esm-infra/bionic	*
Linux-gke-4.15	Ubuntu	upstream	*
Linux-gke-5.15	Ubuntu	focal	*
Linux-gke-5.15	Ubuntu	upstream	*
Linux-gke-5.4	Ubuntu	esm-infra/bionic	*
Linux-gke-5.4	Ubuntu	upstream	*
Linux-gkeop-5.4	Ubuntu	esm-infra/bionic	*
Linux-gkeop-5.4	Ubuntu	upstream	*
Linux-hwe	Ubuntu	esm-infra/bionic	*
Linux-hwe-5.11	Ubuntu	focal	*
Linux-hwe-5.11	Ubuntu	upstream	*
Linux-hwe-5.13	Ubuntu	focal	*
Linux-hwe-5.13	Ubuntu	upstream	*
Linux-hwe-5.19	Ubuntu	jammy	*
Linux-hwe-5.19	Ubuntu	upstream	*
Linux-hwe-5.8	Ubuntu	focal	*
Linux-hwe-5.8	Ubuntu	upstream	*
Linux-hwe-6.2	Ubuntu	jammy	*
Linux-hwe-6.2	Ubuntu	upstream	*
Linux-hwe-edge	Ubuntu	esm-infra/bionic	*
Linux-hwe-edge	Ubuntu	esm-infra/xenial	*
Linux-hwe-edge	Ubuntu	upstream	*
Linux-ibm	Ubuntu	mantic	*
Linux-intel-5.13	Ubuntu	focal	*
Linux-intel-5.13	Ubuntu	upstream	*
Linux-lowlatency-hwe-5.19	Ubuntu	jammy	*
Linux-lowlatency-hwe-5.19	Ubuntu	upstream	*
Linux-lowlatency-hwe-6.2	Ubuntu	jammy	*
Linux-lowlatency-hwe-6.2	Ubuntu	upstream	*
Linux-nvidia-6.2	Ubuntu	jammy	*
Linux-nvidia-6.2	Ubuntu	upstream	*
Linux-oem	Ubuntu	esm-infra/bionic	*
Linux-oem	Ubuntu	upstream	*
Linux-oem-5.10	Ubuntu	focal	*
Linux-oem-5.10	Ubuntu	upstream	*
Linux-oem-5.13	Ubuntu	focal	*
Linux-oem-5.13	Ubuntu	upstream	*
Linux-oem-5.14	Ubuntu	focal	*
Linux-oem-5.14	Ubuntu	upstream	*
Linux-oem-5.17	Ubuntu	jammy	*
Linux-oem-5.17	Ubuntu	upstream	*
Linux-oem-5.6	Ubuntu	focal	*
Linux-oem-5.6	Ubuntu	upstream	*
Linux-oem-6.0	Ubuntu	jammy	*
Linux-oem-6.0	Ubuntu	upstream	*
Linux-oem-6.1	Ubuntu	jammy	*
Linux-oem-6.1	Ubuntu	upstream	*
Linux-oracle-5.0	Ubuntu	esm-infra/bionic	*
Linux-oracle-5.0	Ubuntu	upstream	*
Linux-oracle-5.11	Ubuntu	focal	*
Linux-oracle-5.11	Ubuntu	upstream	*
Linux-oracle-5.13	Ubuntu	focal	*
Linux-oracle-5.13	Ubuntu	upstream	*
Linux-oracle-5.3	Ubuntu	esm-infra/bionic	*
Linux-oracle-5.3	Ubuntu	upstream	*
Linux-oracle-5.8	Ubuntu	focal	*
Linux-oracle-5.8	Ubuntu	upstream	*
Linux-raspi2	Ubuntu	focal	*
Linux-raspi2	Ubuntu	upstream	*
Linux-riscv	Ubuntu	focal	*
Linux-riscv	Ubuntu	jammy	*
Linux-riscv-5.11	Ubuntu	focal	*
Linux-riscv-5.11	Ubuntu	upstream	*
Linux-riscv-5.19	Ubuntu	jammy	*
Linux-riscv-5.19	Ubuntu	upstream	*
Linux-riscv-5.8	Ubuntu	focal	*
Linux-riscv-5.8	Ubuntu	upstream	*
Linux-starfive-5.19	Ubuntu	jammy	*
Linux-starfive-5.19	Ubuntu	upstream	*
Linux-starfive-6.2	Ubuntu	jammy	*
Linux-starfive-6.2	Ubuntu	upstream	*

Extended Description

Many high-performance on-chip bus protocols and processor data-paths employ separate channels for control and data to increase parallelism and maximize throughput. Bugs in the hardware logic that handle errors and security checks can make it possible for data to be forwarded before the completion of the security checks. If the data can propagate to a location in the hardware observable to an attacker, loss of data confidentiality can occur. ‘Meltdown’ is a concrete example of how de-synchronization between data and permissions checking logic can violate confidentiality requirements. Data loaded from a page marked as privileged was returned to the cpu regardless of current privilege level for performance reasons. The assumption was that the cpu could later remove all traces of this data during the handling of the illegal memory access exception, but this assumption was proven false as traces of the secret data were not removed from the microarchitectural state.

Potential Mitigations

Thoroughly verify the data routing logic to ensure that any error handling or security checks effectively block illegal dataflows.

References

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01084.html

NVD	https://nvd.nist.gov/vuln/detail/CVE-2024-21823
CWE	https://cwe.mitre.org/data/definitions/1264.html

Hardware Logic with Insecure De-Synchronization between Control and Data Channels

Weakness

Affected Software

Extended Description

Potential Mitigations

Related Attack Patterns

References