{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/446598#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\n\r\nGeneral-purpose graphics processing unit (GPGPU) platforms from AMD, Apple, and Qualcomm fail to adequately isolate process memory, thereby enabling a local attacker to read memory from other processes. An attacker with access to GPU capabilities using a vulnerable GPU's programmable interface can access memory that is expected to be isolated from other users and processes.  \r\n\r\n### Description\r\n\r\nGraphics processing units (GPUs), originally used to accelerate computer graphics, have today become the standard hardware accelerators for scientific computing and articifical intelligence / machine learning (AI/ML) applications due to their massive parallelism and high memory bandwidth. A GPGPU platform provides the ability to copy CPU memory to the GPU in order to perform these high-end computing tasks. The GPU kernel, essentially a user-provided C-like program that executes on the GPU, performs such intense numerical computations on the memory copied data. Afterwards, the CPU can copy the data back to present to the user or perform other tasds. This GPU-enabled high-performance computing is beneficial in many domains, including the training of artificial neural networks, doing inference on neural networks, and scientific computing. GPGPU platforms are useful in accelerating any task where operations such as matrix multiplication dominate the computation time. While GPGPUs are an essential part of large-scale ML implementations, such as Large Language Models (LLMs), they also serve a role as accelerators in client computing from applications to middleware. Standards, such as [OpenCL](https://www.khronos.org/opencl/) (Open Computing Language) and Apple’s [Metal](https://developer.apple.com/metal/), are frameworks that provide specifications for enabling such \"close-to-metal\" programming by giving applications direct access to these rich GPU computing capabilities on mobile devices and in high-performance computing datacenters.\r\n\r\nResearchers at Trail of Bits have uncovered a vulnerability in which a GPU kernel can observe memory values from a different GPU kernel, even when these two kernels are isolated between applications, processes, or users. The specific region of memory that this behavior was observed is referred to as `local memory`, essentially this is a software-managed cache, similar to the L1 cache in CPUs. The size of this memory region can vary across GPUs from 10’s of KB to several MB. Trail of Bits have shown that this vulnerability can be observed through various programming interfaces, including Metal, Vulkan, and OpenCL, on various combinations of operating systems and drivers. Trail of Bits' research and testing, utilizing open-source software libraries, have identified platforms from AMD, Apple, and Qualcomm that exhibit this behavior. During the testing phase, this issue was not observed on NVIDIA devices. For further information review the information provided by Apple, AMD and Google in the *Vendor Information* section.\r\n\r\nResearcher Tyler Sorenson, from Tail of Bits, states: \r\n>Due to the fact that most DNN computations (matrix multiplication and convolutions) make heavy use of local memory, the researchers also believe many ML implementations, both in the embedded domain as well as datacenter domain, may be impacted by this vulnerability.\r\n\r\nThe security researchers at Trail of Bits have labeled this vulnerability `LeftoverLocals` in order to identify this vulnerability when discussing across multiple GPU platforms.  \r\n\r\nThe GPU marketplace contains a wide and complex software supply-chain to facilitate the adoption of the advanced capabilities of GPUs. We expect that resolving these issues will require multiple stakeholders from hardware manufacturers, software library providers, programmers, system integrators standards bodies to cooperate. [Prior resaerch work in this area](https://dl.acm.org/doi/10.1145/2801153) has shown that resolving these issues may require a multi-pronged, ongoing-process approach.\r\n\r\n### Impact\r\n \r\nAn attacker with access to a GPU programmable interface, like OpenCL or Metal, can craft and install a malicious application capable of recording a dump of uninitialized local memory (leftover from an earlier application) that may contain sensitive data. Additionally, the attacker can read data from another GPU kernel that is currently processing data, leading to the leakage of sensitive information considered private to an application, process, or user.\r\n\r\n### Solution\r\n\r\n#### GPU Software Developers \r\nGPU software developers are advised to review their vendor provided updates and use the latest available libraries and security capabilities to protect sensitive data in their applications. GPU software developers are also urged to review their applications for data privacy when leveraging such high-performance computing capabilities. \r\n\r\n#### GPU users \r\nReview the *Vendor Information* section for software updates and additional information provided by the vendors, ensure your devices are up to date and have the security protection provided by your vendors. \r\n\r\n\r\n### Acknowledgements\r\n\r\nTyler Sorensen, along with the ML safety team, of [Trail of Bits](https://www.trailofbits.com) researched and reported these vulnerabilities. Vendors and the Khronos Group worked closely with us and other stakeholders to enable coordinated disclosure of these vulnerabilities. This document was written by Ben Koo and Vijay Sarvepalli.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. ","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. Please consult the vendor's statements and advisory URL if provided by the vendor for more details ","title":"Limitations of Advisory"},{"category":"other","text":"We want to thank the researchers for their collaboration as this research advances our understanding of these types of threats. Fixes for the issues outlined in this research shipped with the M3 and A17 processors.","title":"Vendor statment from Apple"},{"category":"other","text":"Imagination released a fix in their latest DDK release, 23.3, made available to customers in December 2023.","title":"Vendor statment from Imagination Technologies"},{"category":"other","text":"Our development teams investigated this finding and determined we are not affected by this issue.","title":"Vendor statment from NVIDIA"},{"category":"other","text":"CRM:0456000399\r\nThank you again for submitting this issue to Microsoft. We determined that this behavior is considered to be by design.\r\n\r\nWe have closed this case.","title":"Vendor statment from Microsoft"},{"category":"other","text":"Arm has analyzed the PoC and the output it has produced, and has concluded that Mali is unaffected by this issue. The non-zero data seen in the PoC is due to memory reuse from within the process. We can confirm that no data was leaked from one userspace process to another.","title":"Vendor statment from ARM Limited"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/ ","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document released","category":"self","url":"https://kb.cert.org/vuls/id/446598"},{"url":"https://registry.khronos.org/OpenCL/specs/3.0-unified/html/OpenCL_API.html#_fundamental_memory_regions","summary":"https://registry.khronos.org/OpenCL/specs/3.0-unified/html/OpenCL_API.html#_fundamental_memory_regions"},{"url":"https://www.vulkan.org","summary":"https://www.vulkan.org"},{"url":"https://developer.mozilla.org/en-US/docs/Web/API/WebGPU_API","summary":"https://developer.mozilla.org/en-US/docs/Web/API/WebGPU_API"},{"url":"https://researchcomputing.princeton.edu/support/knowledge-base/gpu-computing","summary":"https://researchcomputing.princeton.edu/support/knowledge-base/gpu-computing"},{"url":"https://developer.apple.com/documentation/metal/performing_calculations_on_a_gpu","summary":"https://developer.apple.com/documentation/metal/performing_calculations_on_a_gpu"},{"url":"https://source.android.com/docs/core/graphics/arch-vulkan","summary":"https://source.android.com/docs/core/graphics/arch-vulkan"},{"url":"https://developer.nvidia.com/cuda-toolkit","summary":"https://developer.nvidia.com/cuda-toolkit"},{"url":"https://www.amd.com/en/technologies/vulkan","summary":"https://www.amd.com/en/technologies/vulkan"},{"url":"https://developer.arm.com/Processors/Mali-G78","summary":"https://developer.arm.com/Processors/Mali-G78"},{"url":"https://www.imaginationtech.com/product/ge8320/","summary":"https://www.imaginationtech.com/product/ge8320/"},{"url":"https://dl.acm.org/doi/10.1145/2801153","summary":"https://dl.acm.org/doi/10.1145/2801153"},{"url":"https://arxiv.org/pdf/1605.06610.pdf","summary":"https://arxiv.org/pdf/1605.06610.pdf"},{"url":"https://www.amd.com/en/resources/product-security/bulletin/amd-sb-6010.html","summary":"Reference(s) from vendor \"AMD\""},{"url":"https://www.imaginationtech.com/gpu-driver-vulnerabilities/#jan24","summary":"Reference(s) from vendor \"Imagination Technologies\""}],"title":"GPU kernel implementations susceptible to memory leak","tracking":{"current_release_date":"2024-01-17T15:27:17+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.35"}},"id":"VU#446598","initial_release_date":"2024-01-16 16:59:23.687634+00:00","revision_history":[{"date":"2024-01-17T15:27:17+00:00","number":"1.20240117152717.2","summary":"Released on 2024-01-17T15:27:17+00:00"}],"status":"final","version":"1.20240117152717.2"}},"vulnerabilities":[{"title":"A GPU kernel can read sensitive data from another GPU kernel (even from another user or app) through an optimized GPU memory region called _local memory_ on various architectures.","notes":[{"category":"summary","text":"A GPU kernel can read sensitive data from another GPU kernel (even from another user or app) through an optimized GPU memory region called _local memory_ on various architectures."}],"cve":"CVE-2023-4969","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#446598"}],"product_status":{"known_affected":["CSAFPID-5fbd5bae-39cf-11f1-8422-122e2785dc9f","CSAFPID-5fbe31e6-39cf-11f1-8422-122e2785dc9f","CSAFPID-5fbfcd62-39cf-11f1-8422-122e2785dc9f","CSAFPID-5fc01c0e-39cf-11f1-8422-122e2785dc9f","CSAFPID-5fc04dfa-39cf-11f1-8422-122e2785dc9f"],"known_not_affected":["CSAFPID-5fbe8b28-39cf-11f1-8422-122e2785dc9f","CSAFPID-5fbed1fa-39cf-11f1-8422-122e2785dc9f","CSAFPID-5fbf0846-39cf-11f1-8422-122e2785dc9f","CSAFPID-5fbf3956-39cf-11f1-8422-122e2785dc9f","CSAFPID-5fbf6f8e-39cf-11f1-8422-122e2785dc9f","CSAFPID-5fbf9784-39cf-11f1-8422-122e2785dc9f"]}}],"product_tree":{"branches":[{"category":"vendor","name":"Imagination Technologies","product":{"name":"Imagination Technologies Products","product_id":"CSAFPID-5fbd5bae-39cf-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Google","product":{"name":"Google Products","product_id":"CSAFPID-5fbda9d8-39cf-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Android Open Source Project","product":{"name":"Android Open Source Project Products","product_id":"CSAFPID-5fbe31e6-39cf-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"NVIDIA","product":{"name":"NVIDIA Products","product_id":"CSAFPID-5fbe8b28-39cf-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Intel","product":{"name":"Intel Products","product_id":"CSAFPID-5fbed1fa-39cf-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Vivante Health","product":{"name":"Vivante Health Products","product_id":"CSAFPID-5fbf0846-39cf-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Adobe","product":{"name":"Adobe Products","product_id":"CSAFPID-5fbf3956-39cf-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Microsoft","product":{"name":"Microsoft Products","product_id":"CSAFPID-5fbf6f8e-39cf-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"ARM Limited","product":{"name":"ARM Limited Products","product_id":"CSAFPID-5fbf9784-39cf-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Apple","product":{"name":"Apple Products","product_id":"CSAFPID-5fbfcd62-39cf-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"AMD","product":{"name":"AMD Products","product_id":"CSAFPID-5fc01c0e-39cf-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Red Hat","product":{"name":"Red Hat Products","product_id":"CSAFPID-5fc04dfa-39cf-11f1-8422-122e2785dc9f"}}]}}