Linux Kernel AMD Zen Instruction Fetch Unit Poison Error Context Handling Vulnerability

Vulnerability

A vulnerability exists in the Linux kernel's handling of poison consumption errors from the Instruction Fetch (IF) units on AMD Zen-based systems. These errors do not reliably trigger a synchronous Machine Check (#MC) exception, resulting in the absence of crucial context information. Although the exact instruction pointer (rIP) cannot be determined, the context remains unchanged. This vulnerability can lead to incorrect assumptions about the error's origin, causing unnecessary kernel panics. The issue arises because the Machine Check Global Status (MCG_STATUS) does not reflect the poison error, leaving the Code Segment (CS) register as the only valid context indicator. Without proper handling, the kernel misinterprets the error as occurring in kernel space, triggering a panic.

Impact

Failure to correctly manage poison consumption errors can cause the kernel to panic, mistakenly believing the error originated in kernel context. This misinterpretation can disrupt system stability and availability.

Reproduction

The vulnerability can be reproduced on an AMD Zen-based system running a vulnerable version of the Linux kernel. When a poison consumption error occurs in the Instruction Fetch unit, the MCG_STATUS register will not indicate the error's presence. However, the context of the error can be accessed through the CS register. The kernel's error handling will incorrectly assume the poison was consumed in kernel space, leading to a panic.
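The misclassification described above can be modelled in a few lines of C. This is an added illustration, not the kernel's own code: the struct, the function names and the rule that poison consumed in kernel context is fatal are simplifying assumptions, and the selector values 0x33 (user) and 0x10 (kernel) are constructed sample inputs.

```c
#include <stdbool.h>
#include <stdint.h>

/* Architectural MCG_STATUS bits: restart-IP valid and error-IP valid. */
#define MCG_STATUS_RIPV (1ULL << 0)
#define MCG_STATUS_EIPV (1ULL << 1)

/* Hypothetical, reduced record of one machine-check event. */
struct mc_event {
    uint64_t mcgstatus;      /* MCG_STATUS as read by the handler */
    uint16_t trap_cs;        /* CS of the interrupted context */
    bool     if_unit_poison; /* poison consumption reported by the IF unit */
    uint16_t cs;             /* CS recorded for classification, 0 if none */
};

/* Unpatched model: CS is recorded only when MCG_STATUS marks the IP valid. */
static void gather_unpatched(struct mc_event *e)
{
    e->cs = 0;
    if (e->mcgstatus & (MCG_STATUS_RIPV | MCG_STATUS_EIPV))
        e->cs = e->trap_cs;
}

/* Patched model: for IF-unit poison the context is unchanged, so CS is
 * still valid although RIPV/EIPV are clear (rIP itself stays unknown). */
static void gather_patched(struct mc_event *e)
{
    gather_unpatched(e);
    if (e->if_unit_poison)
        e->cs = e->trap_cs;
}

/* The low two bits of CS hold the privilege level; 3 means user mode. */
static bool in_user(const struct mc_event *e)
{
    return (e->cs & 3) == 3;
}

/* Returns true when this model would panic for an IF-unit poison error
 * taken while running with the given CS (constructed event, RIPV=EIPV=0). */
bool demo_panics(bool patched, uint16_t trap_cs)
{
    struct mc_event e = { .mcgstatus = 0, .trap_cs = trap_cs, .if_unit_poison = true };
    if (patched) gather_patched(&e); else gather_unpatched(&e);
    return e.if_unit_poison && !in_user(&e);
}
```

In the unpatched path the recorded CS stays 0, so even an error taken in user mode is classified as kernel context; with CS preserved, only a genuine kernel-mode CS leads to the fatal path.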

Remediation

Users can upgrade to the latest version of the Linux kernel, where this vulnerability has been addressed. Instructions for downloading the patched kernel are available on the official Linux kernel website.

Added: Sep 18, 2025, 4:47 PM
Updated: Sep 18, 2025, 4:47 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 5.0
exploitability: 4.3
remediation: 7.7
relevance: 0.5
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.