search menu icon-carat-right cmu-wordmark

CERT Coordination Center

GPU kernel implementations susceptible to memory leak

Vulnerability Note VU#446598

Original Release Date: 2024-01-16 | Last Revised: 2024-01-17

Overview

General-purpose graphics processing unit (GPGPU) platforms from AMD, Apple, and Qualcomm fail to adequately isolate process memory, thereby enabling a local attacker to read memory from other processes. An attacker with access to GPU capabilities using a vulnerable GPU's programmable interface can access memory that is expected to be isolated from other users and processes.

Description

Graphics processing units (GPUs), originally used to accelerate computer graphics, have today become the standard hardware accelerators for scientific computing and articifical intelligence / machine learning (AI/ML) applications due to their massive parallelism and high memory bandwidth. A GPGPU platform provides the ability to copy CPU memory to the GPU in order to perform these high-end computing tasks. The GPU kernel, essentially a user-provided C-like program that executes on the GPU, performs such intense numerical computations on the memory copied data. Afterwards, the CPU can copy the data back to present to the user or perform other tasds. This GPU-enabled high-performance computing is beneficial in many domains, including the training of artificial neural networks, doing inference on neural networks, and scientific computing. GPGPU platforms are useful in accelerating any task where operations such as matrix multiplication dominate the computation time. While GPGPUs are an essential part of large-scale ML implementations, such as Large Language Models (LLMs), they also serve a role as accelerators in client computing from applications to middleware. Standards, such as OpenCL (Open Computing Language) and Apple’s Metal, are frameworks that provide specifications for enabling such "close-to-metal" programming by giving applications direct access to these rich GPU computing capabilities on mobile devices and in high-performance computing datacenters.

Researchers at Trail of Bits have uncovered a vulnerability in which a GPU kernel can observe memory values from a different GPU kernel, even when these two kernels are isolated between applications, processes, or users. The specific region of memory that this behavior was observed is referred to as local memory, essentially this is a software-managed cache, similar to the L1 cache in CPUs. The size of this memory region can vary across GPUs from 10’s of KB to several MB. Trail of Bits have shown that this vulnerability can be observed through various programming interfaces, including Metal, Vulkan, and OpenCL, on various combinations of operating systems and drivers. Trail of Bits' research and testing, utilizing open-source software libraries, have identified platforms from AMD, Apple, and Qualcomm that exhibit this behavior. During the testing phase, this issue was not observed on NVIDIA devices. For further information review the information provided by Apple, AMD and Google in the Vendor Information section.

Researcher Tyler Sorenson, from Tail of Bits, states:

Due to the fact that most DNN computations (matrix multiplication and convolutions) make heavy use of local memory, the researchers also believe many ML implementations, both in the embedded domain as well as datacenter domain, may be impacted by this vulnerability.

The security researchers at Trail of Bits have labeled this vulnerability LeftoverLocals in order to identify this vulnerability when discussing across multiple GPU platforms.

The GPU marketplace contains a wide and complex software supply-chain to facilitate the adoption of the advanced capabilities of GPUs. We expect that resolving these issues will require multiple stakeholders from hardware manufacturers, software library providers, programmers, system integrators standards bodies to cooperate. Prior resaerch work in this area has shown that resolving these issues may require a multi-pronged, ongoing-process approach.

Impact

An attacker with access to a GPU programmable interface, like OpenCL or Metal, can craft and install a malicious application capable of recording a dump of uninitialized local memory (leftover from an earlier application) that may contain sensitive data. Additionally, the attacker can read data from another GPU kernel that is currently processing data, leading to the leakage of sensitive information considered private to an application, process, or user.

Solution

GPU Software Developers

GPU software developers are advised to review their vendor provided updates and use the latest available libraries and security capabilities to protect sensitive data in their applications. GPU software developers are also urged to review their applications for data privacy when leveraging such high-performance computing capabilities.

GPU users

Review the Vendor Information section for software updates and additional information provided by the vendors, ensure your devices are up to date and have the security protection provided by your vendors.

Acknowledgements

Tyler Sorensen, along with the ML safety team, of Trail of Bits researched and reported these vulnerabilities. Vendors and the Khronos Group worked closely with us and other stakeholders to enable coordinated disclosure of these vulnerabilities. This document was written by Ben Koo and Vijay Sarvepalli.

Vendor Information

446598
 

AMD Affected

Notified:  2023-09-08 Updated: 2024-01-16

Statement Date:   January 11, 2024

CVE-2023-4969 Affected

Vendor Statement

We have not received a statement from the vendor.

References

Android Open Source Project Affected

Notified:  2023-09-15 Updated: 2024-01-16

Statement Date:   September 15, 2023

CVE-2023-4969 Affected

Vendor Statement

We have not received a statement from the vendor.

Apple Affected

Notified:  2023-09-08 Updated: 2024-01-16

Statement Date:   January 13, 2024

CVE-2023-4969 Affected

Vendor Statement

We want to thank the researchers for their collaboration as this research advances our understanding of these types of threats. Fixes for the issues outlined in this research shipped with the M3 and A17 processors.

Imagination Technologies Affected

Notified:  2024-01-14 Updated: 2024-01-17

Statement Date:   January 17, 2024

CVE-2023-4969 Affected

Vendor Statement

Imagination released a fix in their latest DDK release, 23.3, made available to customers in December 2023.

References

Red Hat Affected

Notified:  2023-09-19 Updated: 2024-01-16

Statement Date:   January 08, 2024

CVE-2023-4969 Affected

Vendor Statement

We have not received a statement from the vendor.

Adobe Not Affected

Notified:  2023-09-26 Updated: 2024-01-16

Statement Date:   October 18, 2023

CVE-2023-4969 Not Affected

Vendor Statement

We have not received a statement from the vendor.

ARM Limited Not Affected

Notified:  2023-09-15 Updated: 2024-01-16

Statement Date:   December 05, 2023

CVE-2023-4969 Not Affected

Vendor Statement

Arm has analyzed the PoC and the output it has produced, and has concluded that Mali is unaffected by this issue. The non-zero data seen in the PoC is due to memory reuse from within the process. We can confirm that no data was leaked from one userspace process to another.

Intel Not Affected

Notified:  2023-09-11 Updated: 2024-01-16

Statement Date:   September 29, 2023

CVE-2023-4969 Not Affected

Vendor Statement

We have not received a statement from the vendor.

Microsoft Not Affected

Notified:  2023-09-19 Updated: 2024-01-16

Statement Date:   November 15, 2023

CVE-2023-4969 Not Affected

Vendor Statement

CRM:0456000399 Thank you again for submitting this issue to Microsoft. We determined that this behavior is considered to be by design.

We have closed this case.

NVIDIA Not Affected

Notified:  2023-09-11 Updated: 2024-01-16

Statement Date:   September 29, 2023

CVE-2023-4969 Not Affected

Vendor Statement

Our development teams investigated this finding and determined we are not affected by this issue.

Vivante Health Not Affected

Notified:  2023-10-03 Updated: 2024-01-16

Statement Date:   October 18, 2023

CVE-2023-4969 Not Affected

Vendor Statement

We have not received a statement from the vendor.

Broadcom Unknown

Notified:  2023-09-26 Updated: 2024-01-16

CVE-2023-4969 Unknown

Vendor Statement

We have not received a statement from the vendor.

Codeplay Unknown

Notified:  2023-09-27 Updated: 2024-01-16

CVE-2023-4969 Unknown

Vendor Statement

We have not received a statement from the vendor.

Electronic Arts Unknown

Notified:  2023-09-26 Updated: 2024-01-16

CVE-2023-4969 Unknown

Vendor Statement

We have not received a statement from the vendor.

Google Unknown

Notified:  2023-09-11 Updated: 2024-01-16

Statement Date:   September 15, 2023

CVE-2023-4969 Unknown

Vendor Statement

We have not received a statement from the vendor.

IBM Unknown

Notified:  2023-09-26 Updated: 2024-01-16

CVE-2023-4969 Unknown

Vendor Statement

We have not received a statement from the vendor.

JPCERT/CC Vulnerability Handling Team Unknown

Notified:  2023-09-27 Updated: 2024-01-16

CVE-2023-4969 Unknown

Vendor Statement

We have not received a statement from the vendor.

Khronos Group Unknown

Notified:  2023-09-19 Updated: 2024-01-16

CVE-2023-4969 Unknown

Vendor Statement

We have not received a statement from the vendor.

MediaTek Unknown

Notified:  2023-09-26 Updated: 2024-01-16

CVE-2023-4969 Unknown

Vendor Statement

We have not received a statement from the vendor.

Motorola Unknown

Notified:  2023-09-11 Updated: 2024-01-16

CVE-2023-4969 Unknown

Vendor Statement

We have not received a statement from the vendor.

NXP Semiconductors Inc. Unknown

Notified:  2023-10-02 Updated: 2024-01-16

CVE-2023-4969 Unknown

Vendor Statement

We have not received a statement from the vendor.

Onsemi Unknown

Notified:  2023-09-26 Updated: 2024-01-16

CVE-2023-4969 Unknown

Vendor Statement

We have not received a statement from the vendor.

Qualcomm Unknown

Notified:  2023-09-08 Updated: 2024-01-16

CVE-2023-4969 Unknown

Vendor Statement

We have not received a statement from the vendor.

Samsung Unknown

Notified:  2023-09-26 Updated: 2024-01-16

CVE-2023-4969 Unknown

Vendor Statement

We have not received a statement from the vendor.

Samsung Semiconductor Unknown

Notified:  2024-01-12 Updated: 2024-01-16

CVE-2023-4969 Unknown

Vendor Statement

We have not received a statement from the vendor.

Sony Unknown

Notified:  2023-09-26 Updated: 2024-01-16

CVE-2023-4969 Unknown

Vendor Statement

We have not received a statement from the vendor.

Stream HPC Unknown

Notified:  2023-10-05 Updated: 2024-01-16

CVE-2023-4969 Unknown

Vendor Statement

We have not received a statement from the vendor.

Texas Instruments Unknown

Notified:  2023-09-26 Updated: 2024-01-16

CVE-2023-4969 Unknown

Vendor Statement

We have not received a statement from the vendor.

VeriSilicon Unknown

Notified:  2023-10-03 Updated: 2024-01-16

CVE-2023-4969 Unknown

Vendor Statement

We have not received a statement from the vendor.

Xilinx Unknown

Notified:  2023-09-26 Updated: 2024-01-16

CVE-2023-4969 Unknown

Vendor Statement

We have not received a statement from the vendor.

YetiWare Unknown

Notified:  2023-10-03 Updated: 2024-01-16

CVE-2023-4969 Unknown

Vendor Statement

We have not received a statement from the vendor.

View all 31 vendors View less vendors


Other Information

CVE IDs: CVE-2023-4969
API URL: VINCE JSON | CSAF
Date Public: 2024-01-16
Date First Published: 2024-01-16
Date Last Updated: 2024-01-17 15:27 UTC
Document Revision: 2

Sponsored by CISA.