A vulnerability in KVM allows code execution outside the guest environment on AMD processors

Researchers from the Google Project Zero team disclosed a few days ago, in a blog post, that they had found a vulnerability (CVE-2021-29657) in the KVM hypervisor (the open-source, Linux-based hypervisor that supports hardware-accelerated virtualization on x86, ARM, PowerPC and S/390) which allows the isolation of the guest system to be bypassed and code to be run on the host side.

The post states that the problem manifests from Linux kernel 5.10-rc1 up to v5.12-rc6, i.e. it covers only the 5.10 and 5.11 branches (most stable distribution kernel branches are not affected). The problem lies in the nested_svm_vmrun function, which is executed when using the AMD SVM (Secure Virtual Machine) extension and allows nested launching of guest systems.

In this blog post, I describe a vulnerability in the AMD-specific KVM code and discuss how this bug can be turned into a full virtual machine escape. To the best of my knowledge, this is the first public write-up of a KVM guest-to-host breakout that does not rely on bugs in user-space components such as QEMU.

The bug discussed was assigned CVE-2021-29657, affects kernel versions v5.10-rc1 to v5.12-rc6, and was patched at the end of March 2021. Since the bug only became exploitable in v5.10 and was discovered about five months later, most real-world KVM deployments should not be affected. I still think the problem is an interesting case study of the work required to build a stable guest-to-host escape against KVM, and I hope this write-up can make the case that hypervisor compromises are not just theoretical problems.

The researchers note that, for a correct implementation of this feature, the hypervisor must intercept all SVM instructions executed in guest environments, emulate their behaviour and keep the state synchronized with the hardware, which is a difficult task.

After analysing the KVM implementation, the researchers came across a logic error that allows the contents of the host's MSRs (Model-Specific Registers) to be influenced from the guest system, which can be used to execute code at the host level.

Specifically, executing the VMRUN instruction from the second nesting level in a guest (L2, launched from within another guest) leads to a second call to nested_svm_vmrun and corrupts the svm->nested.hsave structure, which is overwritten with data from the vmcb of the L2 guest system.

As a result, a situation arises in which the L2 guest level can free the memory of the svm->nested.msrpm structure, which holds the MSR permission bits, while it is still in use, and thereby gain access to the host's MSRs from the guest environment.

This means, for example, that guest memory can be inspected by dumping the memory allocated to its user-space process, or that resource limits on CPU time and memory can be easily circumvented.

In addition, KVM can offload most of the work related to device emulation to the user-space component.

The problem is present in the code used on systems with AMD processors (the kvm-amd.ko module) and does not occur on Intel processors.
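As a host-side check, the following script is an added example (not part of the article or of the Project Zero write-up). It takes the affected range stated above (v5.10-rc1 through v5.12-rc6) and the fact that the bug lives in the nested SVM path of kvm_amd, and reports whether a host is inside the version window and whether kvm_amd is loaded with nested virtualization enabled. The path `/sys/module/kvm_amd/parameters/nested` is the standard sysfs view of the module's `nested` parameter; the version-parsing rules are this example's own assumptions about `uname -r` formats.

```shell
#!/bin/sh
# Added example, not from the article: does this host sit in the
# CVE-2021-29657 exposure window described above?
# Assumptions: affected kernels are 5.10-rc1 .. 5.12-rc6 (as the article
# states); the bug is only reachable through kvm_amd with nested SVM enabled.

# kvm_version_affected VERSION
# Returns 0 (true) when VERSION (e.g. "5.10.3", "5.12.0-rc5", "5.11.0-arch1")
# is inside 5.10-rc1 .. 5.12-rc6, 1 otherwise.
kvm_version_affected() {
    ver="$1"
    major=$(printf '%s' "$ver" | cut -d. -f1)
    # minor number with any suffix such as "-rc1" stripped ("10-rc1" -> "10")
    minor=$(printf '%s' "$ver" | cut -d. -f2 | sed 's/[^0-9].*//')
    # release-candidate number; empty for a final release
    rc=$(printf '%s' "$ver" | sed -n 's/.*-rc\([0-9]*\).*/\1/p')

    [ "$major" = "5" ] || return 1
    case "$minor" in
        10|11) return 0 ;;          # every 5.10.x and 5.11.x kernel
        12)
            # 5.12 final and anything after rc6 already carry the fix
            [ -n "$rc" ] && [ "$rc" -le 6 ] && return 0
            return 1 ;;
        *) return 1 ;;
    esac
}

# host_exposure_report
# Prints the two facts a defender wants: kernel inside the window or not,
# and whether the AMD nested-SVM code path is active on this host.
host_exposure_report() {
    kernel=$(uname -r)
    if kvm_version_affected "$kernel"; then
        echo "kernel $kernel: inside the affected range (5.10-rc1 .. 5.12-rc6)"
    else
        echo "kernel $kernel: outside the affected range"
    fi

    nested_param=/sys/module/kvm_amd/parameters/nested
    if [ -r "$nested_param" ]; then
        case "$(cat "$nested_param")" in
            1|Y|y) echo "kvm_amd loaded with nested=1: nested SVM path is reachable" ;;
            *)     echo "kvm_amd loaded with nested disabled" ;;
        esac
    else
        echo "kvm_amd not loaded: AMD SVM path not in use on this host"
    fi
}

# Run the report when executed directly.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    host_exposure_report
fi
```

On a host that reports both "inside the affected range" and "nested=1", the short-term mitigation that follows from the article's description is to update the kernel past v5.12-rc6 (or to a patched stable release) and, until then, to reload kvm_amd with nested virtualization turned off (`nested=0`), which removes the nested VMRUN handling where the bug sits; whether your workload tolerates losing nested guests is a deployment question the script cannot answer.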

Apart from a couple of performance-critical devices related to interrupt handling, all of the complex low-level code for providing virtual disk, network or GPU access can be moved to user space.

In addition to describing the problem, the researchers also prepared a working exploit prototype that allows a root shell to be run from the guest environment in the host environment on a system with an AMD Epyc 7351P processor and the Linux 5.10 kernel.

It is noted that this is the first case of exploiting a vulnerability in the KVM hypervisor itself, unrelated to bugs in user-space components such as QEMU. The fix was accepted into the kernel at the end of March.

Finally, if you are interested in learning more about the vulnerability, you can check the details at the following link.

