Linux Kernel Out-of-Bounds Access Vulnerability in AMD Microcode Loading on NUMA Systems

Vulnerability

A vulnerability in the Linux kernel's handling of microcode updates for AMD processors can lead to an out-of-bounds memory access. The issue arises on systems with CPU-less NUMA nodes, where a node's CPU mask is empty and therefore has no first CPU. The flaw is in the 'load_microcode_amd' function, which iterates over all NUMA nodes and accesses per-CPU data based on the first CPU of each node. On machines with far memory and CPU-less NUMA nodes, this results in accessing an invalid index in the per-CPU data array, potentially corrupting memory during a microcode update. While this vulnerability does not have security implications, it could disrupt system reliability by mishandling memory during the microcode flashing process.

Impact

Exploitation of this vulnerability causes a memory corruption issue by accessing an out-of-bounds index in the per-CPU data array, which can lead to undefined behavior in the kernel.

Reproduction

To reproduce this vulnerability, boot an AMD machine with CPU-less NUMA nodes and the 'CONFIG_UBSAN_BOUNDS' option enabled. This will trigger the out-of-bounds access when the system attempts to load microcode updates, resulting in a UBSAN (Undefined Behavior Sanitizer) error indicating an array index out-of-bounds condition.

Remediation

The vulnerability has been addressed by modifying the microcode loading process to skip NUMA nodes without CPUs, preventing the out-of-bounds access. Users should ensure they are running a version of the Linux kernel that includes this fix.
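
The loop pattern described above, as a userspace model added here for illustration (not the kernel's code). The topology, array sizes and the names first_cpu, percpu_data and walk_nodes are assumptions; the model reports the out-of-bounds index instead of dereferencing it.

```c
#include <stdint.h>
#include <stdio.h>

#define NR_CPUS  8  /* constructed: number of slots in the per-CPU array */
#define NR_NODES 3  /* constructed: node 2 is a memory-only (CPU-less) node */

/* Constructed topology: bit n set means CPU n belongs to the node. */
static const uint32_t node_cpumask[NR_NODES] = { 0x0F, 0xF0, 0x00 };

/* Hypothetical stand-in for the per-CPU data array, indexed by CPU number. */
static int percpu_data[NR_CPUS];

/* First set bit of the mask; an empty mask yields NR_CPUS, which is
 * one past the last valid index of percpu_data[]. */
static unsigned int first_cpu(uint32_t mask)
{
    unsigned int cpu;
    for (cpu = 0; cpu < NR_CPUS; cpu++)
        if (mask & (1u << cpu))
            break;
    return cpu;
}

/* Walk every node and use its first CPU as an index. skip_cpuless == 0 is
 * the unpatched pattern, 1 is the remediated one. Returns how many indices
 * fell outside percpu_data[]; *visited counts nodes that were processed. */
int walk_nodes(int skip_cpuless, int *visited)
{
    int oob = 0;
    *visited = 0;
    for (int nid = 0; nid < NR_NODES; nid++) {
        if (skip_cpuless && node_cpumask[nid] == 0)
            continue;               /* fix: node has no CPUs, nothing to do */
        unsigned int cpu = first_cpu(node_cpumask[nid]);
        (*visited)++;
        if (cpu >= NR_CPUS) {       /* unpatched code would index with this */
            oob++;
            continue;
        }
        percpu_data[cpu] = nid + 1; /* in-bounds per-CPU access */
    }
    return oob;
}

int main(void)
{
    int visited;
    int oob = walk_nodes(0, &visited);
    printf("unpatched: visited=%d oob=%d\n", visited, oob);
    oob = walk_nodes(1, &visited);
    printf("patched:   visited=%d oob=%d\n", visited, oob);
    return 0;
}
```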

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 0.6
exploitability: 3.8
remediation: 0.0
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.