A few days ago, researchers from the Google Project Zero team announced in a blog post that they had identified a vulnerability (CVE-2021-29657) in the KVM hypervisor (the open-source Linux-based hypervisor that supports hardware-accelerated virtualization on x86, ARM, PowerPC and S/390) which allows a guest to bypass guest-system isolation and run its own code on the host side.
The write-up mentions that the problem manifests from Linux kernel 5.10-rc1 through v5.12-rc6, that is, it covers only the 5.10 and 5.11 kernels (most of the distributions' stable branches were not affected by the issue). The problem lies in the nested_svm_vmrun function, which is implemented using the AMD SVM (Secure Virtual Machine) extension and allows nested launching of guest systems.
In this blog post, I describe a vulnerability in KVM's AMD-specific code and discuss how this bug can turn into a full virtual machine escape. To my knowledge, this is the first public write-up of a KVM guest-to-host breakout that does not depend on bugs in user-space components such as QEMU.
The bug discussed was assigned CVE-2021-29657, affects kernel versions v5.10-rc1 through v5.12-rc6 and was patched at the end of March 2021. As the bug only became exploitable in v5.10 and was discovered about 5 months later, most real-world deployments of KVM should not be affected. I still think the issue is an interesting case study of the work required to build a stable guest-to-host escape against KVM, and I hope this article can strengthen the case that hypervisor compromises are not just theoretical problems.
The researchers note that to implement this functionality correctly, the hypervisor must intercept all SVM instructions executed in guest systems, emulate their behaviour and synchronise state with the hardware, which is a rather difficult task.
After analysing the proposed KVM implementation, the researchers found a logic error that allows the contents of the host's MSRs (Model Specific Registers) to be influenced from the guest system, which can be used to execute code at host level.
In particular, executing a VMRUN operation from a guest system at the second nesting level (an L2 launched from another guest) leads to a second call to nested_svm_vmrun and corrupts the svm->nested.hsave structure, which overlaps with data from the vmcb of the L2 guest system.
As a result, a situation arises in which, at the L2 guest level, it becomes possible to free the memory of the svm->nested.msrpm structure, which stores the MSR bits, even though it continues to be used, and so to gain access to the host environment's MSRs.
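The msrpm bitmap at the centre of the chain above, as an added example that is not code from the Project Zero post or from KVM: a user-space C model of the AMD SVM MSR permission bitmap that hardware consults on every guest RDMSR/WRMSR, the OR-merge of the host's (L0) and L1's bitmaps that a nested run uses, and what happens to an L2 access to a host-protected MSR once the merged page has been recycled while the VMCB still references it. The bitmap layout follows the AMD manual; the recycled page being zero-filled, and EFER as the protected MSR, are assumptions for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MSRPM_BYTES 8192
#define MSR_EFER    0xC0000080u   /* real MSR number; the host must keep control of writes to it */

/* Bit index of the read-intercept bit for `msr` (the write bit follows it), or -1 if the MSR
 * has no slot: three 2 KiB vectors cover 0x0-0x1FFF, 0xC0000000-0xC0001FFF, 0xC0010000-0xC0011FFF. */
static long msrpm_bit(uint32_t msr)
{
    if (msr <= 0x1FFFu)                           return (long)msr * 2;
    if (msr >= 0xC0000000u && msr <= 0xC0001FFFu) return 0x800L * 8 + (long)(msr - 0xC0000000u) * 2;
    if (msr >= 0xC0010000u && msr <= 0xC0011FFFu) return 0x1000L * 8 + (long)(msr - 0xC0010000u) * 2;
    return -1;
}

/* Set one intercept bit (b = msrpm_bit(msr) for reads, +1 for writes); ignores MSRs with no slot. */
static void bit_set(uint8_t *pm, long b) { if (b >= 0) pm[b / 8] |= (uint8_t)(1u << (b % 8)); }

/* 1 if the access exits to the hypervisor, 0 if it reaches the hardware MSR; no slot = always exit. */
int msrpm_intercepted(const uint8_t *pm, uint32_t msr, int is_write)
{
    long b = msrpm_bit(msr);
    if (b < 0) return 1;
    b += is_write ? 1 : 0;
    return (pm[b / 8] >> (b % 8)) & 1;
}

/* Nested run: hardware executes L2 with the OR of L0's and L1's bitmaps, so L1 can add intercepts
 * but never clear one the host relies on. */
void msrpm_merge(uint8_t *out, const uint8_t *l0, const uint8_t *l1)
{
    for (size_t i = 0; i < MSRPM_BYTES; i++) out[i] = l0[i] | l1[i];
}

/* L0 intercepts EFER writes, L1 asks for none. Intact merged page: returns 1, the L2 write exits.
 * page_recycled models the page freed and zero-filled by a new owner (an assumption) while the
 * VMCB still points at it: returns 0, the write reaches hardware and the host's MSR is exposed. */
int nested_efer_write_exits(int page_recycled)
{
    uint8_t *l0 = calloc(1, MSRPM_BYTES), *l1 = calloc(1, MSRPM_BYTES), *m = calloc(1, MSRPM_BYTES);
    bit_set(l0, msrpm_bit(MSR_EFER) + 1);           /* +1 selects the write-intercept bit */
    msrpm_merge(m, l0, l1);
    if (page_recycled) memset(m, 0, MSRPM_BYTES);   /* stand-in for free() followed by reuse */
    int exits = msrpm_intercepted(m, MSR_EFER, 1);
    free(l0); free(l1); free(m);
    return exits;
}
```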
This means, for example, that a guest's memory can be inspected by dumping the memory allocated to its user-space process, or that resource limits on CPU time and memory can be easily enforced.
In addition, KVM can offload most of the work related to device emulation to user space.
The problem exists in the code used on systems with AMD processors (the kvm-amd.ko module) and does not manifest on Intel processors.
Apart from a few performance-critical devices related to interrupt handling, all of the low-level code for providing virtual disk, network or GPU access can be implemented in user space.
Besides describing the problem, the researchers have prepared a working exploit prototype that allows a root shell to be obtained from the guest environment in the host environment on a system with an AMD Epyc 7351P processor and the Linux 5.10 kernel.
It is noted that this is the first guest-to-host vulnerability in the KVM hypervisor itself, unrelated to bugs in user-space components such as QEMU. The fix was accepted into the kernel at the end of March.
Finally, if you are interested in learning more about it, you can check the details at the following link.