A speculative execution vulnerability affecting AMD has been found

The Grsecurity project recently announced, by publishing details and a demonstration of the attack method, a new vulnerability (already registered as CVE-2021-26341) in AMD processors, related to the speculative execution of instructions after unconditional jump operations.

The vulnerability allows the processor to speculatively execute the instruction that immediately follows a jump instruction in memory (straight-line speculation, SLS) during speculative execution. Moreover, this optimization applies not only to conditional jump operators but also to instructions that involve direct unconditional jumps, such as JMP, RET and CALL.

An unconditional branch instruction may be followed by arbitrary data that was never intended to be executed. Once it determines that the branch does not involve executing the next instruction, the processor simply rolls back its state and discards the speculative execution, but traces of that execution remain in the shared cache and are available for analysis using side-channel recovery techniques.

AMD is providing an update to the recommended mitigation, mitigation G-5, in the white paper "Software Techniques for Managing Speculation on AMD Processors". Mitigation G-5 helps address potential vulnerabilities related to the speculation of branch instructions.

AMD processors can transiently execute instructions following an unconditional forward branch, which can result in cache activity.

As with the Spectre-v1 exploit, the attack requires the presence of certain instruction sequences (gadgets) in the kernel that lead to speculative execution.

In this case, blocking the vulnerability comes down to identifying such gadgets in the code and adding extra instructions to them that block speculative execution. The conditions for speculative execution can also be created with unprivileged programs running on the eBPF virtual machine.
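A small checker for the G-5 style hardening described above, added here as an example (it is not code from the article, Grsecurity or AMD): it walks an `objdump -d` listing and reports every unconditional JMP/RET whose next instruction in memory is not an INT3 or LFENCE. The listing is constructed, and the function names (`find_unhardened_branches` and friends) are my own.

```python
import re
# Constructed objdump-style listing (not from the page): hardened and unhardened
# unconditional branches, then the next function, which follows the final RET.
SAMPLE_LISTING = """
0000000000001130 <lookup>:
    1130:  77 05                 ja     1137 <lookup+0x7>
    1132:  e9 02 00 00 00        jmp    1139 <lookup+0x9>
    1137:  31 c0                 xor    %eax,%eax
    1139:  c3                    ret
    113a:  cc                    int3
    113b:  ff e0                 jmp    *%rax
    113d:  0f ae e8              lfence
    1140:  f3 c3                 repz ret
0000000000001142 <next_fn>:
    1142:  90                    nop
"""
# SLS concerns unconditional JMP/RET. CALL is excluded on purpose: the
# instruction after a CALL is its legitimate return address.
BRANCH_MNEMONICS = {"jmp", "jmpq", "ret", "retq"}
BARRIER_MNEMONICS = {"int3", "lfence"}  # what AMD's G-5 mitigation inserts
PREFIXES = {"rep", "repz", "bnd", "notrack"}  # objdump prints these first

def parse_listing(listing):
    """[(address, instruction)] in memory order, ignoring symbol boundaries."""
    insns = []
    for line in listing.splitlines():
        m = re.match(r"^\s+([0-9a-f]+):\s+(.*)$", line)
        if not m:
            continue  # symbol header, section banner or blank line
        tokens = m.group(2).split()
        while tokens and re.fullmatch(r"[0-9a-f]{2}", tokens[0]):
            tokens.pop(0)  # strip the opcode-byte column
        if tokens:  # continuation lines carry opcode bytes only
            insns.append((m.group(1), " ".join(tokens)))
    return insns

def mnemonic_of(text):
    return next((t for t in text.split() if t not in PREFIXES), "")

def find_unhardened_branches(listing):
    """[(address, branch, next_instruction_or_None)] lacking a barrier."""
    insns = parse_listing(listing)
    findings = []
    for i, (addr, text) in enumerate(insns):
        if mnemonic_of(text) not in BRANCH_MNEMONICS:
            continue
        nxt = insns[i + 1][1] if i + 1 < len(insns) else None
        if nxt is None or mnemonic_of(nxt) not in BARRIER_MNEMONICS:
            findings.append((addr, text, nxt))
    return findings
```

On a real binary, feed it the `objdump -d` output of the whole text section: symbol headers are skipped deliberately, because the bytes after a function's final RET belong to whatever the linker laid out next.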

This research led to the discovery of a new vulnerability, CVE-2021-26341 [1], which we will discuss in detail in this article. As usual, we will focus on the technical aspects of the vulnerability, the mitigations proposed by AMD, and the implications for exploitation.

To block the ability to build gadgets with eBPF, it is recommended to disable unprivileged access to eBPF on the system ("sysctl -w kernel.unprivileged_bpf_disabled=1").

The vulnerability affects processors based on the Zen1 and Zen2 microarchitectures:

Desktop

  • AMD Athlon™ X4 Processor
  • AMD Ryzen™ Threadripper™ Processor
  • 2nd Generation AMD Ryzen™ Threadripper™ Processors
  • 3rd Generation AMD Ryzen™ Threadripper™ Processors
  • 7th Generation AMD A-Series APU
  • AMD Ryzen™ 2000 Series Desktop Processors
  • AMD Ryzen™ 3000 Series Desktop Processors
  • AMD Ryzen™ 4000 Series Desktop Processors with Radeon™ Graphics

Mobile

  • AMD Ryzen™ 2000 Series Mobile Processors
  • AMD Athlon™ 3000 Series Mobile Processors with Radeon™ Graphics
  • AMD Ryzen™ 3000 Series Mobile Processors or 2nd Generation AMD Ryzen™ Mobile Processors with Radeon™ Graphics
  • AMD Ryzen™ 4000 Series Mobile Processors with Radeon™ Graphics
  • AMD Ryzen™ 5000 Series Mobile Processors with Radeon™ Graphics

Chromebook

  • AMD Athlon™ Mobile Processors with Radeon™ Graphics

Server

  • 1st Generation AMD EPYC™ Processors
  • 2nd Generation AMD EPYC™ Processors

It is mentioned that, if the attack succeeds, the vulnerability makes it possible to determine the contents of arbitrary memory areas.

Because of this vulnerability, it may be possible to identify very specific but potentially exploitable SLS gadgets on the affected CPUs. As demonstrated with the eBPF example, it is also possible to exploit the vulnerability with hand-built, self-injected gadgets. The presented method can be used, for example, to break the KASLR mitigation of the Linux kernel.

For example, the researchers prepared an exploit that makes it possible to determine the address layout and bypass the KASLR protection (kernel memory randomization) by running unprivileged code in the kernel's eBPF subsystem; other attack scenarios that could leak the contents of kernel memory are not ruled out either.

Finally, if you are interested in learning more about it, you can check the details in the following link.

