KVM:x86/pmu:禁用对自适应 PEBS 的支持 (CVE-2024-26992)

CVE编号

CVE-2024-26992

利用情况

暂无

补丁情况

N/A

披露时间

2024-05-01
漏洞描述
In the Linux kernel, the following vulnerability has been resolved:

KVM: x86/pmu: Disable support for adaptive PEBS

Drop support for virtualizing adaptive PEBS, as KVM's implementation is
architecturally broken without an obvious/easy path forward, and because
exposing adaptive PEBS can leak host LBRs to the guest, i.e. can leak
host kernel addresses to the guest.

Bug #1 is that KVM doesn't account for the upper 32 bits of
IA32_FIXED_CTR_CTRL when (re)programming fixed counters, e.g
fixed_ctrl_field() drops the upper bits, reprogram_fixed_counters()
stores local variables as u8s and truncates the upper bits too, etc.

Bug #2 is that, because KVM _always_ sets precise_ip to a non-zero value
for PEBS events, perf will _always_ generate an adaptive record, even if
the guest requested a basic record. Note, KVM will also enable adaptive
PEBS in individual *counter*, even if adaptive PEBS isn't exposed to the
guest, but this is benign as MSR_PEBS_DATA_CFG is guaranteed to be zero,
i.e. the guest will only ever see Basic records.

Bug #3 is in perf. intel_pmu_disable_fixed() doesn't clear the upper
bits either, i.e. leaves ICL_FIXED_0_ADAPTIVE set, and
intel_pmu_enable_fixed() effectively doesn't clear ICL_FIXED_0_ADAPTIVE
either. I.e. perf _always_ enables ADAPTIVE counters, regardless of what
KVM requests.

Bug #4 is that adaptive PEBS *might* effectively bypass event filters set
by the host, as "Updated Memory Access Info Group" records information
that might be disallowed by userspace via KVM_SET_PMU_EVENT_FILTER.

Bug #5 is that KVM doesn't ensure LBR MSRs hold guest values (or at least
zeros) when entering a vCPU with adaptive PEBS, which allows the guest
to read host LBRs, i.e. host RIPs/addresses, by enabling "LBR Entries"
records.

Disable adaptive PEBS support as an immediate fix due to the severity of
the LBR leak in particular, and because fixing all of the bugs will be
non-trivial, e.g. not suitable for backporting to stable kernels.

Note! This will break live migration, but trying to make KVM play nice
with live migration would be quite complicated, wouldn't be guaranteed to
work (i.e. KVM might still kill/confuse the guest), and it's not clear
that there are any publicly available VMMs that support adaptive PEBS,
let alone live migrate VMs that support adaptive PEBS, e.g. QEMU doesn't
support PEBS in any capacity.
解决建议
建议您更新当前系统或软件至最新版,完成漏洞的修复。
参考链接
https://git.kernel.org/stable/c/037e48ceccf163899374b601afb6ae8d0bf1d2ac
https://git.kernel.org/stable/c/0fb74c00d140a66128afc0003785dcc57e69d312
https://git.kernel.org/stable/c/7a7650b3ac23e5fc8c990f00e94f787dc84e3175
https://git.kernel.org/stable/c/9e985cbf2942a1bb8fcef9adc2a17d90fd7ca8ee
受影响软件情况
# 类型 厂商 产品 版本 影响面
1
运行在以下环境
系统 debian_10 linux * Up to
(excluding)
4.19.304-1
运行在以下环境
系统 debian_11 linux * Up to
(excluding)
5.10.209-2
运行在以下环境
系统 fedora_38 kernel * Up to
(excluding)
6.8.8-100.fc38
运行在以下环境
系统 fedora_39 kernel * Up to
(excluding)
6.8.8-200.fc39
运行在以下环境
系统 fedora_40 kernel * Up to
(excluding)
6.8.8-300.fc40
CVSS3评分
N/A
  • 攻击路径
    N/A
  • 攻击复杂度
    N/A
  • 权限要求
    N/A
  • 影响范围
    N/A
  • 用户交互
    N/A
  • 可用性
    N/A
  • 保密性
    N/A
  • 完整性
    N/A
N/A
CWE-ID 漏洞类型
阿里云安全产品覆盖情况