Bug 32528 - microcode new security issue CVE-2023-23583
Summary: microcode new security issue CVE-2023-23583
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://lwn.net/Articles/951472/ http...
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2023-11-15 16:27 CET by Nicolas Salguero
Modified: 2024-02-09 02:35 CET (History)

See Also:
Source RPM: microcode-0.20230808-2.mga9.nonfree.src.rpm
CVE: CVE-2023-23583
Status comment:


Description Nicolas Salguero 2023-11-15 16:27:20 CET
SUSE has issued an advisory on November 14:
https://lwn.net/Articles/951472/

The issues are fixed upstream in 20231114:
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00950.html
Nicolas Salguero 2023-11-15 16:28:00 CET

Source RPM: (none) => microcode-0.20230808-2.mga9.nonfree.src.rpm
CC: (none) => nicolas.salguero
Status comment: (none) => Fixed upstream in 20231114

Comment 1 Lewis Smith 2023-11-15 20:37:30 CET
In the absence of tmb, 'kernel' seems the best place to assign this.

Assignee: bugsquad => kernel

Comment 2 Nicolas Salguero 2024-01-30 12:30:58 CET
Suggested advisory:
========================

The updated package contains microcode updates for Intel and AMD CPUs, including a fix for a security vulnerability:

Sequence of processor instructions leads to unexpected behavior for some Intel(R) Processors may allow an authenticated user to potentially enable escalation of privilege and/or information disclosure and/or denial of service via local access. (CVE-2023-23583)

References:
https://lwn.net/Articles/951472/
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00950.html
========================

Updated package in nonfree/updates_testing:
========================
microcode-0.20231114-1.mga9.nonfree

from SRPM:
microcode-0.20231114-1.mga9.nonfree.src.rpm

Status: NEW => ASSIGNED
Assignee: kernel => qa-bugs
CVE: (none) => CVE-2023-23583
Version: Cauldron => 9
Status comment: Fixed upstream in 20231114 => (none)

Marja Van Waes 2024-01-30 21:13:25 CET

URL: (none) => https://lwn.net/Articles/951472/ https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00950.html
CC: (none) => marja11

Marja Van Waes 2024-01-30 21:16:23 CET

Keywords: (none) => advisory

PC LX 2024-01-30 23:43:06 CET

CC: (none) => mageia

Comment 3 Morgan Leijström 2024-01-31 10:29:07 CET
mga9-64 OK here

After update of perl and installing and running a 6.6.14 kernel

$ sudo journalctl -ab | grep microcode
jan 31 09:31:33 svarten.tribun kernel: microcode: updated early: 0x3 -> 0xa, date = 2018-05-08
jan 31 09:31:33 svarten.tribun kernel: MDS: Vulnerable: Clear CPU buffers attempted, no microcode
jan 31 09:31:33 svarten.tribun kernel: microcode: Microcode Update Driver: v2.2.

Same when checking earlier boots by i.e. adding parameter "-b-10" to journalctl.

"date = 2018-05-08": I take it there is no newer microcode for this old CPU.

$ inxi -C
CPU:
  Info: dual core model: Intel Core i7 870 bits: 64 type: MT MCP cache:
    L2: 512 KiB
  Speed (MHz): avg: 3481 min/max: 1200/2934 cores: 1: 3481 2: 3481 3: 3481
    4: 3481

CC: (none) => fri

Comment 4 Morgan Leijström 2024-01-31 10:30:39 CET
Forgot to include in comment:
$ rpm -qa | grep microcode
microcode_ctl-2.1-11.mga9
microcode-0.20231114-1.mga9.nonfree
Comment 5 Len Lawrence 2024-02-02 02:11:43 CET
Kernel: 6.6.14-desktop-1.mga9 arch: x86_64
Mobo: Intel model: NUC12WSBi7
12-core (4-mt/8-st) 12th Gen Intel Core i7-1260P

Updated and rebooted. virtualbox-driver built and installed during bootup.

$ sudo journalctl -xb | grep microcode
Feb 02 00:42:55 yildun kernel: microcode: Microcode Update Driver: v2.2.
....
microcode-0.20231114-1.mga9.nonfree.noarch
Feb 02 00:50:07 yildun /usr/libexec/gdm-x-session[35591]: //data/localrepo/x86_64/microcode-0.20231114-1.mga9.nonfree.noarch.rpm
Feb 02 00:50:08 yildun [RPM][35591]: erase microcode-0.20230808-2.mga9.nonfree.noarch: success
Feb 02 00:51:02 yildun [RPM][35591]: erase microcode-0.20230808-2.mga9.nonfree.noarch: success
Feb 02 00:51:04 yildun [RPM][35591]: install microcode-0.20231114-1.mga9.nonfree.noarch: success

The system seems to be running fine so far and virtualbox still works.

CC: (none) => tarazed25

Comment 6 Len Lawrence 2024-02-02 18:43:56 CET
8-core AMD Ryzen 7 5700U with Radeon Graphics
$ rpm -q microcode
microcode-0.20231114-1.mga9.nonfree

Reboot.
kernel 6.5.13-desktop-6.mga9
$ sudo journalctl -xb | grep microcode
Feb 02 13:12:35 rutilicus kernel: Zenbleed: please update your microcode for the most optimal fix
Feb 02 13:12:35 rutilicus kernel: Speculative Return Stack Overflow: IBPB-extending microcode not applied!
Feb 02 13:12:35 rutilicus kernel: microcode: CPU3: patch_level=0x08608102
Feb 02 13:12:35 rutilicus kernel: microcode: CPU1: patch_level=0x08608102

Tried to reboot with the desktop kernel 6.6.14 and failed.
The message was something like "Failed to start systemd service...."

This is a bit serious.
Comment 7 katnatek 2024-02-02 18:57:14 CET
(In reply to Len Lawrence from comment #6)
> 8-core AMD Ryzen 7 5700U with Radeon Graphics
> $ rpm -q microcode
> microcode-0.20231114-1.mga9.nonfree
> 
> Reboot.
> kernel 6.5.13-desktop-6.mga9
> $ sudo journalctl -xb | grep microcode
> Feb 02 13:12:35 rutilicus kernel: Zenbleed: please update your microcode for
> the most optimal fix
> Feb 02 13:12:35 rutilicus kernel: Speculative Return Stack Overflow:
> IBPB-extending microcode not applied!
> Feb 02 13:12:35 rutilicus kernel: microcode: CPU3: patch_level=0x08608102
> Feb 02 13:12:35 rutilicus kernel: microcode: CPU1: patch_level=0x08608102
> 
> Tried to reboot with the desktop kernel 6.6.14 and failed.
> The message was something like "Failed to start systemd service...."
> 
> This is a bit serious.

Perhaps you get https://bugs.mageia.org/show_bug.cgi?id=32791? Did you try with the new dracut also?

https://bugs.mageia.org/show_bug.cgi?id=32791#c2
Comment 8 Thomas Andrews 2024-02-02 19:05:13 CET
Kernel: 6.6.14-desktop-1.mga9 arch: x86_64
Mobo: Asus Prime Q270M-C
i5-7500, nvidia Quadro K620.

After installing dracut from Bug 32791 but before updating the microcode, my journal indicated that my system was vulnerable and the older microcode had not been loaded. After updating the microcode rpm, I get this:

# journalctl -b | grep microcode
Feb 02 12:36:31 localhost kernel: microcode: updated early: 0x84 -> 0xf4, date = 2023-02-23
Feb 02 12:36:31 localhost kernel: microcode: Microcode Update Driver: v2.2.

So the microcode has been loaded. System looking good.
Comment 9 Len Lawrence 2024-02-02 19:09:51 CET
In reply to katnatek in comment 7:
Don't know...
$ rpm -q dracut
dracut-057-4.mga9

Anyway, I removed the 6.6.14 kernel and re-installed it and rebooted after 
$ sudo drakboot --boot

That succeeded but the microcode was not accepted, as before.
$ sudo journalctl -xb | grep microcode
Feb 02 18:02:11 rutilicus kernel: Zenbleed: please update your microcode for the most optimal fix
$ sys
System partition is /dev/nvme0n1p9
kernel is Linux 6.4.16-desktop-3.mga9
Comment 10 Len Lawrence 2024-02-02 19:13:06 CET
Oops! Just noticed that the kernel is old. Had not used this machine since November and got mixed up over the kernel versions.
Need to look for the later kernel.
Comment 11 Len Lawrence 2024-02-02 19:48:19 CET
Now kernel 6.6.14-desktop-2.mga9 is definitely installed but not the addons.
The microcode still does not "take".
$ sudo journalctl -xb | grep microcode
Feb 02 18:45:11 rutilicus kernel: Zenbleed: please update your microcode for the most optimal fix
Feb 02 18:45:11 rutilicus kernel: microcode: CPU0: patch_level=0x08608102
Comment 12 katnatek 2024-02-02 19:57:13 CET
From https://bugs.mageia.org/show_bug.cgi?id=32791#c3

"Giuseppe Ghibò 2024-01-30 14:21:25 CST

BTW, as further info for improvement, it seems we're not including the latest AMD microcode. The command "cat /proc/cpuinfo | grep -m1 microcode" shows we are using version 0xa50000d, while the latest version available (at least for some fam19h) seems to be 0xa50000f.

There is a thread here https://lkml.org/lkml/2023/2/28/791, which might be useful, that states that latest AMD microcode is available at: 

https://github.com/platomav/CPUMicrocodes"
Comment 13 Morgan Leijström 2024-02-02 22:04:44 CET
Dell Precision M6300: new dracut and microcode OK
(No adverse effect but I think this CPU is too old for microcode)

$ journalctl -xb | grep microcode
jan 30 13:57:11 M6300.tribun kernel: MDS: Vulnerable: Clear CPU buffers attempted, no microcode
jan 30 13:57:11 M6300.tribun kernel: microcode: Microcode Update Driver: v2.2.

$ inxi -C
CPU:
  Info: dual core model: Intel Core2 Duo T7500 bits: 64 type: MCP cache:
    L2: 4 MiB
  Speed (MHz): avg: 999 min/max: 800/2201 cores: 1: 798 2: 1200
Comment 14 Dave Hodgins 2024-02-02 23:44:46 CET Comment hidden (obsolete)

CC: (none) => davidwhodgins

Comment 15 Dave Hodgins 2024-02-03 00:38:56 CET
$ rpm -q microcode
microcode-0.20231114-1.mga9.nonfree

$ journalctl -b --no-h|grep micro
Feb 02 17:34:22 kernel: Zenbleed: please update your microcode for the most optimal fix
Feb 02 17:34:22 kernel: microcode: CPU4: patch_level=0x08600104
Feb 02 17:34:22 kernel: microcode: CPU2: patch_level=0x08600104
Feb 02 17:34:22 kernel: microcode: CPU6: patch_level=0x08600104
Feb 02 17:34:22 kernel: microcode: CPU0: patch_level=0x08600104
Feb 02 17:34:22 kernel: microcode: CPU14: patch_level=0x08600104
Feb 02 17:34:22 kernel: microcode: CPU8: patch_level=0x08600104
Feb 02 17:34:22 kernel: microcode: CPU10: patch_level=0x08600104
Feb 02 17:34:22 kernel: microcode: CPU12: patch_level=0x08600104
Feb 02 17:34:22 kernel: microcode: Microcode Update Driver: v2.2.

$ inxi -M -a -C|grep -v 'Not affected'
Machine:
  Type: Laptop System: ASUSTeK product: TUF Gaming FA506IV_TUF506IV v: 1.0
    serial: <superuser required>
  Mobo: ASUSTeK model: FA506IV v: 1.0 serial: <superuser required>
    UEFI: American Megatrends v: FA506IV.309 date: 07/02/2020
CPU:
  Info: model: AMD Ryzen 7 4800H with Radeon Graphics bits: 64 type: MCP
    arch: Zen 2 gen: 3 level: v3 note: check built: 2020-22
    process: TSMC n7 (7nm) family: 0x17 (23) model-id: 0x60 (96) stepping: 1
    microcode: 0x8600104
  Topology: cpus: 1x cores: 8 smt: disabled cache: L1: 512 KiB
    desc: d-8x32 KiB; i-8x32 KiB L2: 4 MiB desc: 8x512 KiB L3: 8 MiB
    desc: 2x4 MiB
  Speed (MHz): avg: 1968 high: 2900 min/max: 1400/2900 boost: enabled
    scaling: driver: acpi-cpufreq governor: schedutil cores: 1: 1400 2: 2900
    3: 1447 4: 2900 5: 1400 6: 1400 7: 1400 8: 2900 bogomips: 46317
  Flags: avx avx2 ht lm nx pae sse sse2 sse3 sse4_1 sse4_2 sse4a ssse3 svm
  Vulnerabilities:
  Type: retbleed mitigation: untrained return thunk; SMT disabled
  Type: spec_rstack_overflow mitigation: Safe RET
  Type: spec_store_bypass mitigation: Speculative Store Bypass disabled via
    prctl
  Type: spectre_v1 mitigation: usercopy/swapgs barriers and __user pointer
    sanitization
  Type: spectre_v2 mitigation: Retpolines, IBPB: conditional, STIBP:
Comment 16 Dave Hodgins 2024-02-03 04:34:49 CET
I've updated the firmware. inxi now shows ...
UEFI: American Megatrends v: FA506IV.320 date: 06/01/2022

Still getting the zenbleed warning ...
Feb 02 19:28:32 kernel: Zenbleed: please update your microcode for the most optimal fix
Comment 17 Thomas Andrews 2024-02-03 14:16:17 CET
MGA9-64 on an HP Pavilion 15. I updated dracut, then this microcode, then to the latest 6.6 series kernel candidate. Rebooted, then used Dave's handy-looking commands:

[root@localhost ~]#  rpm -q microcode
microcode-0.20231114-1.mga9.nonfree
[root@localhost ~]#  journalctl -b --no-h|grep micro
Feb 03 07:56:29 kernel: microcode: microcode updated early to new patch_level=0x06001119
Feb 03 07:56:29 kernel: microcode: CPU1: patch_level=0x06001119
Feb 03 07:56:29 kernel: microcode: CPU0: patch_level=0x06001119
Feb 03 07:56:29 kernel: microcode: CPU2: patch_level=0x06001119
Feb 03 07:56:29 kernel: microcode: CPU3: patch_level=0x06001119
Feb 03 07:56:29 kernel: microcode: CPU0: new patch_level=0x06001119
Feb 03 07:56:29 kernel: microcode: CPU1: new patch_level=0x06001119
Feb 03 07:56:29 kernel: microcode: CPU2: new patch_level=0x06001119
Feb 03 07:56:29 kernel: microcode: CPU3: new patch_level=0x06001119
Feb 03 07:56:29 kernel: microcode: Microcode Update Driver: v2.2.
[root@localhost ~]# inxi -M -a -C|grep -v 'Not affected'
Machine:
  Type: Laptop System: Hewlett-Packard product: HP Pavilion 15 Notebook PC
    v: 0974110002405E00000620180 serial: 5CD4060GGF Chassis: type: 10
    serial: N/A
  Mobo: Hewlett-Packard model: 216B v: 30.26 serial: PDVVK018J5ZLCM
    UEFI: Insyde v: F.20 date: 03/14/2017
CPU:
  Info: model: AMD A8-4555M APU with Radeon HD Graphics socket: FT1 bits: 64
    type: MT MCP arch: Piledriver level: v2 built: 2012-13 process: GF 32nm
    family: 0x15 (21) model-id: 0x10 (16) stepping: 1 microcode: 0x6001119
  Topology: cpus: 1x cores: 4 smt: enabled cache: L1: 192 KiB
    desc: d-4x16 KiB; i-2x64 KiB L2: 4 MiB desc: 2x2 MiB
  Speed (MHz): avg: 1175 high: 1400 min/max: 1100/1600 boost: enabled
    base/boost: 1600/1600 scaling: driver: acpi-cpufreq governor: schedutil
    volts: 0.9 V ext-clock: 100 MHz cores: 1: 1400 2: 1100 3: 1100 4: 1100
    bogomips: 12776
  Flags: avx ht lm nx pae sse sse2 sse3 sse4_1 sse4_2 sse4a ssse3 svm
  Vulnerabilities:
  Type: retbleed mitigation: untrained return thunk; SMT vulnerable
  Type: spec_store_bypass mitigation: Speculative Store Bypass disabled via
    prctl
  Type: spectre_v1 mitigation: usercopy/swapgs barriers and __user pointer
    sanitization
  Type: spectre_v2 mitigation: Retpolines, STIBP: disabled, RSB filling,

No zenbleeds, but then this laptop is too old and set in its ways to become zen-enlightened. Most likely the latest AMD microcode wouldn't affect it, anyway. I suppose I should check with HP for a firmware update someday, though.

CC: (none) => andrewsfarm

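The checks the testers run by hand above (grep the journal for "microcode", read off the revision, watch for Zenbleed/MDS/SRSO warnings) as one added shell script; this is not code from the bug report or from Mageia, and the sample journal lines are constructed copies of the output pasted in comments 8 and 6.

```shell
#!/bin/sh
# Added example (not part of the bug report): classify the "microcode" journal
# lines of one boot. Reads journal text on stdin.
# Verdicts: early-update   (initramfs/early loader replaced the microcode),
#           runtime-update (driver applied a new patch_level after boot),
#           no-update      (only the driver banner or an unchanged patch_level).
# Exit status is 0 only for an update with no kernel warning about stale microcode.
microcode_verdict() {
  _log=$(cat)
  _verdict=no-update
  if printf '%s\n' "$_log" | grep -q -e 'microcode: updated early:' \
      -e 'microcode updated early to new patch_level='; then
    _verdict=early-update
  elif printf '%s\n' "$_log" | grep -q 'microcode: CPU[0-9]*: new patch_level='; then
    _verdict=runtime-update
  fi
  # Warnings the kernel prints when the loaded microcode is missing or too old
  # (seen in the comments above: MDS, Zenbleed, SRSO/IBPB).
  _warn=$(printf '%s\n' "$_log" | grep -c -e 'please update your microcode' \
      -e 'no microcode' -e 'microcode not applied' || true)
  printf '%s warnings=%s\n' "$_verdict" "$_warn"
  [ "$_verdict" != no-update ] && [ "$_warn" -eq 0 ]
}

# Revision the kernel ended up with: "rev date" for Intel early updates,
# the bare patch_level for AMD.
microcode_revision() {
  sed -n \
    -e 's/.*updated early: 0x[0-9a-f]* -> \(0x[0-9a-f]*\), date = \([0-9-]*\).*/\1 \2/p' \
    -e 's/.*patch_level=\(0x[0-9a-f]*\).*/\1/p' | head -n 1
}

# Constructed samples, copied from the journal output in comments 8 and 6.
SAMPLE_INTEL='Feb 02 12:36:31 localhost kernel: microcode: updated early: 0x84 -> 0xf4, date = 2023-02-23
Feb 02 12:36:31 localhost kernel: microcode: Microcode Update Driver: v2.2.'
SAMPLE_AMD='Feb 02 13:12:35 rutilicus kernel: Zenbleed: please update your microcode for the most optimal fix
Feb 02 13:12:35 rutilicus kernel: Speculative Return Stack Overflow: IBPB-extending microcode not applied!
Feb 02 13:12:35 rutilicus kernel: microcode: CPU3: patch_level=0x08608102'

if [ "${1:-}" = "--live" ]; then
  # On a real system: the same checks against the current boot's journal.
  journalctl -b --no-hostname | grep -i microcode | microcode_verdict
else
  for sample in "$SAMPLE_INTEL" "$SAMPLE_AMD"; do
    printf '%s\n' "$sample" | microcode_verdict || echo "  -> microcode update needed"
    printf '  revision: %s\n' "$(printf '%s\n' "$sample" | microcode_revision)"
  done
fi
```

Run it with `--live` (as root, or a user in the systemd-journal group) to check the machine you just rebooted.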
Comment 18 Thomas Andrews 2024-02-03 15:16:51 CET
(In reply to Thomas Andrews from comment #17)

>   Mobo: Hewlett-Packard model: 216B v: 30.26 serial: PDVVK018J5ZLCM
>     UEFI: Insyde v: F.20 date: 03/14/2017

> I suppose I should check with HP for a firmware update someday,
> though.

Nope. According to HP Support, F.20 is the latest one.
Comment 19 Dave Hodgins 2024-02-03 17:23:28 CET
No regressions on my systems. The AMD CPU family 0x17 (23) still not having been patched for zenbleed likely just means that will not happen until a future microcode update, assuming the update includes the latest microcode currently available. My CPU is an AMD Ryzen 7 4800H with Radeon Graphics.

If no one has found a regression, this update should be validated.
Comment 20 Morgan Leijström 2024-02-03 23:35:01 CET
Asus Aspire 7: new dracut and microcode OK

$ journalctl -xb | grep microcode
feb 02 18:45:00 aspire7-kajsa kernel: microcode: updated early: 0x5e -> 0xf4, date = 2023-02-23
feb 02 18:45:00 aspire7-kajsa kernel: microcode: Microcode Update Driver: v2.2.

$ inxi -C
CPU:
  Info: quad core model: Intel Core i5-7300HQ bits: 64 type: MCP cache:
    L2: 1024 KiB
  Speed (MHz): avg: 800 min/max: 800/3500 cores: 1: 800 2: 800 3: 800 4: 800

$ uname -a
Linux aspire7-kajsa 6.6.14-desktop-2.mga9 #1 SMP PREEMPT_DYNAMIC Tue Jan 30 15:48:16 UTC 2024 x86_64 GNU/Linux
Comment 21 Brian Rockwell 2024-02-04 04:19:34 CET
MGA9-64, Xfce, Celeron N2840, Chromebook

working as expected.

CC: (none) => brtians1

Comment 22 Thomas Andrews 2024-02-04 16:48:42 CET
(In reply to Dave Hodgins from comment #19)
> 
> If no one has found a regression, this update should be validated.

Sounds like a good idea to me. Time to move on.

Giving this an OK, and validating.

Whiteboard: (none) => MGA9-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 23 Thomas Andrews 2024-02-06 13:34:31 CET
One more test, as long as I have this machine running this morning:

MGA9-64 Plasma on an HP Probook 6550b, i3 M350, Intel graphics, running the 6.6.14-2 desktop kernel. No installation issues. After a reboot:

# journalctl -b | grep microcode
Feb 06 07:19:23 localhost.localdomain kernel: microcode: updated early: 0xf -> 0x11, date = 2018-05-08
Feb 06 07:19:23 localhost.localdomain kernel: MDS: Vulnerable: Clear CPU buffers attempted, no microcode
Feb 06 07:19:23 localhost.localdomain kernel: microcode: Microcode Update Driver: v2.2.

So the microcode loads OK. I'm not surprised that it hasn't changed since 2018, as this laptop is around 14 years old.
Comment 24 Mageia Robot 2024-02-09 02:35:29 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0028.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED