Gather Data Sampling (GDS)

Malicious software may be able to infer data previously stored in vector registers1 used by either the same thread, or the sibling thread on the same physical core. These registers may have been used by other security domains such as other virtual machine (VM) guests, the operating system (OS) kernel, or Intel® Software Guard Extensions (Intel® SGX) enclaves. Note that no processors that support Intel® Trust Domain Extension (Intel® TDX) are affected by GDS.

Gather is a feature provided by Intel® Advanced Vector Extensions 2 (Intel® AVX2) and Intel® Advanced Vector Extensions 512 (Intel® AVX-512) . It comprises a collection of single-instruction, multiple data (SIMD) instructions which fetch non-contiguous data elements from memory using vector-index memory addressing.

When a gather instruction performs loads from memory, different data elements are merged into the destination vector register according to the mask specified. In some situations, due to hardware optimizations specific to gather instructions, stale data from previous usage of architectural or internal vector registers may get transiently forwarded to dependent instructions without being updated by the gather loads. These dependent instructions may allow a malicious attacker to infer stale vector register data that is transmitted through a covert channel, such as shared CPU cache.

The scope of stale data exposure through this behavior is limited to the same physical processor core. An attacker with local code execution ability may observe stale data from the same physical processor core on a sampling basis (in this sense, GDS is similar to MDS) but cannot directly control or specify what data can be inferred.

Inferring stale data using a GDS attack requires malicious code to use gather instructions. However, GDS attacks can affect software which does not use gather instructions. Such attacks can expose data processed by instructions that use architectural vector registers explicitly (for example, SIMD or scalar SSE and Intel AVX instructions) as well as those that use internal vector registers implicitly (for example, REP MOVS instructions).