CVE-2023-4969: 
NixOS vulnerability analysis and mitigation

CVE-2023-4969 is a vulnerability discovered in GPU kernel implementations where a GPU kernel can read sensitive data from another GPU kernel (even from another user or app) through an optimized GPU memory region called local memory on various architectures. The vulnerability was disclosed on January 16, 2024, affecting multiple GPU platforms including AMD, Apple, and Qualcomm (CERT VU).

The vulnerability exists in the local memory region of GPUs, which functions as a software-managed cache similar to L1 cache in CPUs. The size of this vulnerable memory region varies across GPUs from 10's of KB to several MB. The issue has been observed through various programming interfaces, including Metal, Vulkan, and OpenCL, on different combinations of operating systems and drivers. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N (NVD).

An attacker with access to a GPU programmable interface can craft and install a malicious application capable of recording uninitialized local memory content from previous applications, potentially containing sensitive data. The vulnerability also allows reading data from another GPU kernel that is currently processing data, leading to the leakage of sensitive information considered private to an application, process, or user. This is particularly concerning for ML implementations, as most DNN computations make heavy use of local memory (CERT VU).

Apple has released fixes for the issues with their M3 and A17 processors. Imagination Technologies has addressed the vulnerability in their latest DDK release 23.3, made available to customers in December 2023. AMD has announced plans to create a new mode to prevent this attack, with more information expected in March 2024. GPU software developers are advised to review their vendor-provided updates and use the latest available libraries and security capabilities to protect sensitive data in their applications (CERT VU).

The security researchers at Trail of Bits have labeled this vulnerability 'LeftoverLocals'. The GPU marketplace's complex software supply chain means that resolving these issues will require cooperation between multiple stakeholders, including hardware manufacturers, software library providers, programmers, system integrators, and standards bodies (CERT VU).