Gather Data Sampling (GDS) is a transient execution side-channel vulnerability affecting certain Intel processors.
This issue may allow a local attacker using the gather instructions (vector loads from memory) to infer stale data from previously used vector registers on the same physical core.
Add a kernel parameter gather_data_sampling=force that will enable the microcode mitigation if available, otherwise it will disable AVX on affected systems.
This option will be ignored if cmdline mitigations=off.
This is a *big* hammer. It is known to break buggy userspace that uses incomplete, buggy AVX enumeration.
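As an added example (not part of this advisory, the upstream kernel, or the Talos project), the following POSIX shell check classifies the status string that Linux 6.1.44 and later report in /sys/devices/system/cpu/vulnerabilities/gather_data_sampling, and flags the case the commit text above describes where mitigations=off on the cmdline makes gather_data_sampling=force a no-op. The status strings are the ones the kernel's GDS mitigation code emits; the sample status and cmdline values are constructed, not taken from a real host.

```shell
#!/bin/sh
# Classify the kernel's GDS status string from
# /sys/devices/system/cpu/vulnerabilities/gather_data_sampling.
# The literal strings are those reported by the Linux GDS mitigation code.
gds_classify() {
    case "$1" in
        "Not affected")                             echo not-affected ;;
        "Mitigation: Microcode"|"Mitigation: Microcode (locked)")
                                                    echo mitigated-microcode ;;
        "Mitigation: AVX disabled, no microcode")   echo mitigated-avx-off ;;
        "Vulnerable: No microcode")                 echo vulnerable-needs-ucode ;;
        "Vulnerable")                               echo vulnerable ;;
        "Unknown: Dependent on hypervisor status")  echo unknown-guest ;;
        *)                                          echo unrecognized ;;
    esac
}

# Report how the cmdline treats gather_data_sampling=force.
# $1 is the contents of /proc/cmdline as one line (no trailing newline,
# e.g. "$(cat /proc/cmdline)"). mitigations=off is checked first because
# it overrides the force option.
gds_force_effective() {
    case " $1 " in
        *" mitigations=off "*)            echo ignored ;;
        *" gather_data_sampling=force "*) echo forced ;;
        *)                                echo default ;;
    esac
}

# Return 0 when the host's status is acceptable (not affected or mitigated,
# by microcode or by the AVX-disable fallback), 1 when action is needed.
gds_check() {
    status=$(gds_classify "$1")
    case "$status" in
        not-affected|mitigated-*) return 0 ;;
        *)                        return 1 ;;
    esac
}

# Constructed sample inputs for a stand-alone run (not from a real machine).
SAMPLE_STATUS="Vulnerable: No microcode"
SAMPLE_CMDLINE="BOOT_IMAGE=/vmlinuz talos.platform=metal gather_data_sampling=force mitigations=off"

if gds_check "$SAMPLE_STATUS"; then
    echo "ok: $SAMPLE_STATUS"
else
    echo "ACTION NEEDED: $SAMPLE_STATUS (update microcode or boot with gather_data_sampling=force)"
fi
echo "force option on cmdline: $(gds_force_effective "$SAMPLE_CMDLINE")"

# Live use on a node with a shell:
#   gds_check "$(cat /sys/devices/system/cpu/vulnerabilities/gather_data_sampling)"
# On Talos the same file can be read with: talosctl read /sys/devices/system/cpu/vulnerabilities/gather_data_sampling
```

The "Vulnerable: No microcode" string is the one to watch for after upgrading Talos but before the microcode extension is installed: the kernel knows the CPU is affected and has no mitigation in place, which is exactly the state the force option or the microcode update resolves.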
Patches
Intel has released microcode updates, and the Talos Intel microcode extension has been updated to the latest Intel microcode available as of August 8th, 2023. The main advisories fixed by the microcode are:
Talos also ships version 6.1.44 of the upstream Linux kernel (6.1 is the upstream long-term kernel series Talos ships with). Talos >= v1.4.8 ships with Linux kernel 6.1.44, which provides a software workaround if the microcode has not been updated.
Workarounds
All users running Talos with untrusted or shared workloads on affected Intel CPUs must both upgrade Talos and install the latest Intel ucode Talos extension, based on their threat model.
References