Ukuba sengozini kwe-KVM kuvumela ukwenziwa kwekhodi ngaphandle kohlelo lwezivakashi kuma-processor we-AMD

Abaphenyi beqembu le-Google Project Zero bethule ezinsukwini ezimbalwa ezedlule kokuthunyelwe kubhulogi lokho bathole ukuba sengozini (i-CVE-2021-29657) ku-KVM hypervisor (umthombo ovulekile we-Linux-based hypervisor esekela i-hardware esheshayo ebonakalayo ku-x86, ARM, PowerPC, naku-S / 390) lokho ikuvumela ukuthi ugweme ukuhlukaniswa kohlelo lwezivakashi bese usebenzisa ikhodi yakho ngasohlangothini lwemvelo ye-Host.

Okuthunyelwe kushiwo ukuthi inkinga ibonisa kusuka ku-Linux kernel 5.10-rc1 kuya ku-v5.12-rc6, okungukuthi, ihlanganisa kuphela izinhlamvu 5.10 no-5.11 (Iningi lamagatsha azinzile okusatshalaliswa awathintekanga kule nkinga.) Inkinga ikhona kumshini nested_svm_vmrun, owenziwe kusetshenziswa isandiso se-AMD SVM (Secure Virtual Machine) futhi kuvumela ukwethulwa kwesidleke kwezinhlelo zezivakashi.

Kulokhu okuthunyelwe kubhulogi, ngichaza ukuba sengozini kwekhodi ekhethekile ye-KVM ye-AMD futhi ngixoxa ngokuthi le bug ingajika kanjani ibe ngumshini ophelele wokuphunyuka. Ngokwazi kwami, lokhu ukubhala kokuqala komphakathi kokuphuma kwe-KVM yezivakashi nokusingathwa okunganciki kwizimbungulu kuzinto zesikhala somsebenzisi njenge-QEMU.

Isiphazamisi okukhulunywe ngaso sabelwa i-CVE-2021-29657, sithinta izinguqulo ze-kernel v5.10-rc1 kuya ku-v5.12-rc6, saze samakwa ngasekupheleni kukaMashi 2021. Njengoba i-bug yaqala ukuxhashazwa ku-v5.10 futhi yatholwa cishe ezinyangeni ezinhlanu kamuva, ukuthunyelwa kwe-KVM emhlabeni wangempela akufanele kuthinteke. Ngisacabanga ukuthi inkinga ucwaningo lwamacala oluthokozisayo emsebenzini oludingekayo ukwakha ukuphunyuka okuzinzile kwabavakashi ukusingathwa kwe-KVM futhi ngiyethemba ukuthi le ndatshana ingenza icala lokuthi ukuyekethisa kwe-hypervisor akuyona nje inkinga yezinkolelo-mbono.

Abaphenyi bakusho lokho ekusetshenzisweni okulungile kwalokhu kusebenza, i-hypervisor kufanele inqamule yonke imiyalo ye-SVM sebenzisa izinhlelo zezivakashi, lingisa ukusebenza kwalo futhi uvumelanise izwe ne-hardware, okuwumsebenzi onzima impela.

Ngemuva kokuhlaziya ukusetshenziswa kwe-KVM okuhlongozwayo, abacwaningiihlangabezane nephutha lomqondo elivumela okuqukethwe kwe-MSR (Ukubhaliswa okuqondene nemodeli) komgcini ithonywe kusuka ohlelweni lwezivakashi, engasetshenziselwa ukwenza ikhodi ezingeni le-Host.

Ikakhulu, ukwenza umsebenzi we-VMRUN kusuka kusihambeli sesibili sesidleke (i-L2 esungulwe kwesinye isivakashi) kuholela ocingweni lwesibili ku-nested_svm_vmrun futhi konakalise isakhiwo se-svm-> nested.hsave, esimbozwe ngemininingwane evela ku-vmcb kusuka ohlelweni lwezivakashi lwe-L2 .

Ngenxa yalokhu, kuvela isimo lapho ezingeni lezivakashi le-L2 lapho kungenzeka khona ukukhulula imemori esakhiweni se-svm-> nested.msrpm, esigcina i-MSR bit, noma iqhubeka nokusetshenziswa, nokufinyelela i-MSR yomgcini imvelo.

Lokhu kusho, ngokwesibonelo, ukuthi inkumbulo yesivakashi ingahlolwa ngokulahla inkumbulo eyabelwe yenqubo yesikhala sayo somsebenzisi noma ukuthi imingcele yezinsizakusebenza yesikhathi se-CPU nememori kungaphoqelelwa kalula. 

Ngaphezu kwalokho, i-KVM ingathumela iningi lomsebenzi ohlobene nokulingiswa kwedivayisi kungxenye yesikhala somsebenzisi.

Inkinga ikhona kukhodi esetshenziswa ezinhlelweni ezinama-processor we-AMD (module kvm-amd.ko) futhi ayiveli kuma-processor we-Intel.

 Ngaphandle kwamadivayisi azwelayo ekusebenzeni abhekene nokusingathwa kokuphazamiseka, yonke ikhodi eyindida esezingeni eliphansi yokunikeza nge-disk ebonakalayo, inethiwekhi, noma ukufinyelela kwe-GPU ingafakwa esikhaleni somsebenzisi.  

Abaphenyi ngaphezu kokuchaza inkinga Baphinde balungiselela uhlobo olusebenzayo lokuxhashazwa okuvumela ukusebenzisa igobolondo lempande kusuka endaweni yezivakashi endaweni yokusingathwa kusistimu ene-processor ye-AMD Epyc 7351P kanye ne-Linux 5.10 kernel.

Kuyabonakala ukuthi lesi yisimenywa sokuqala ukusingatha ukuba sengozini ku-KVM hypervisor uqobo, olungahlobene nezimbungulu kuzinto zesikhala somsebenzisi njenge-QEMU. Ukulungiswa kwamukelwa ku-kernel ekupheleni kukaMashi.

Okokugcina uma unesifiso sokwazi okwengeziwe ngakho mayelana nenothi, ungabheka imininingwane Kulesi sixhumanisi esilandelayo.


Okuqukethwe yi-athikili kunamathela ezimisweni zethu ze izimiso zokuhlelela. Ukubika iphutha chofoza lapha.

Yiba ngowokuqala ukuphawula

Shiya umbono wakho

Ikheli lakho le ngeke ishicilelwe. Ezidingekayo ibhalwe nge *

*

*

  1. Ubhekele imininingwane: Miguel Ángel Gatón
  2. Inhloso yedatha: Lawula Ugaxekile, ukuphathwa kwamazwana.
  3. Ukusemthethweni: Imvume yakho
  4. Ukuxhumana kwemininingwane: Imininingwane ngeke idluliselwe kubantu besithathu ngaphandle kwesibopho esisemthethweni.
  5. Isitoreji sedatha: Idatabase ebanjwe yi-Occentus Networks (EU)
  6. Amalungelo: Nganoma yisiphi isikhathi ungakhawulela, uthole futhi ususe imininingwane yakho.