KVM vulnerability allows code execution outside the guest system on AMD processors

Researchers from the Google Project Zero team disclosed a few days ago in a blog post that they had found a vulnerability (CVE-2021-29657) in the KVM hypervisor (an open source Linux-based hypervisor that supports hardware-accelerated virtualization on x86, ARM, PowerPC and S/390) that makes it possible to bypass guest system isolation and run your own code on the host environment side.

The post states that the problem is present from Linux kernel 5.10-rc1 to v5.12-rc6, that is, it covers only the 5.10 and 5.11 kernels (most stable distribution branches were not affected by this problem). The problem lies in the nested_svm_vmrun mechanism, which is implemented using the AMD SVM (Secure Virtual Machine) extension and allows guest systems to be launched nested inside other guests.

In this blog post, I describe a vulnerability in KVM's AMD-specific code and discuss how this bug can be turned into a full escape mechanism. To my knowledge, this is the first public write-up of a KVM guest-to-host breakout that does not rely on bugs in user-space components such as QEMU.

The bug discussed was assigned CVE-2021-29657, affects kernel versions v5.10-rc1 to v5.12-rc6, and was patched at the end of March 2021. Since the bug first became exploitable in v5.10 and was discovered roughly five months later, real-world KVM deployments should not be affected. I still think the issue is an interesting case study of the work required to build a stable guest-to-host escape against KVM, and I hope this article can make the case that hypervisor compromise is not just a theoretical problem.

The researchers say that, to implement this functionality correctly, the hypervisor must intercept all SVM instructions executed by guest systems, emulate their behaviour and synchronise state with the hardware, which is a rather difficult task.

After analysing the proposed KVM implementation, the researchers found a logic error that allows the contents of the host's MSRs (model-specific registers) to be influenced from the guest system, which can be used to execute code at the host level.

In particular, executing a VMRUN operation from a second nested guest (an L2 launched from another guest) leads to a second call to nested_svm_vmrun and corrupts the svm->nested.hsave structure, which is overwritten with data from the vmcb of the L2 guest system.

As a result, a situation arises in which, from the L2 guest level, it is possible to free the memory of the svm->nested.msrpm structure, which stores the MSR bits, even though it continues to be used, and to access the MSRs of the host environment.

This means, for example, that a guest's memory can be inspected by dumping the memory allocated to its user-space process, or that resource limits for CPU time and memory can be enforced easily.

In addition, KVM can offload most of the work related to device emulation to the user-space component.

The problem is present in code used on systems with AMD processors (the kvm-amd.ko module) and does not appear on Intel processors.

Apart from performance-sensitive devices that deal with interrupt handling, all the complex low-level code for providing virtual disk, network or GPU access can be placed in user space.

In addition to describing the problem, the researchers also prepared a working exploit prototype that makes it possible to run a root shell in the host environment from the guest environment, on a system with an AMD Epyc 7351P processor and a Linux 5.10 kernel.

It is noted that this is the first guest-to-host vulnerability in the KVM hypervisor itself that is not related to bugs in user-space components such as QEMU. The fix was accepted into the kernel at the end of March.
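
A host-triage check for the three conditions the article names (upstream kernel range v5.10-rc1 to v5.12-rc6, the kvm-amd module, nested guests), as an added example that is not from the article or from Project Zero. It assumes nested_svm_vmrun is reachable only when kvm_amd's nested parameter is enabled; the function names and verdict strings are hypothetical, and a kernel inside the range may already carry the fix as a backport, so that verdict only tells you to confirm the patch level.

```sh
#!/bin/sh
# Added example: triage a KVM host for CVE-2021-29657 (names are hypothetical).

# Status 0 if the release lies in the upstream range given in the article
# (v5.10-rc1 through v5.12-rc6), 1 if outside it, 2 if it cannot be parsed.
kernel_in_affected_range() {
    rel=$1
    case "$rel" in [0-9]*.[0-9]*) ;; *) return 2 ;; esac
    major=${rel%%.*}
    rest=${rel#*.}
    minor=${rest%%[!0-9]*}
    case "$major" in *[!0-9]*) return 2 ;; esac
    [ "$major" -eq 5 ] || return 1
    case "$minor" in
        10|11) return 0 ;;   # every 5.10 and 5.11 build, release candidates included
        12) ;;               # 5.12: only release candidates up to rc6
        *) return 1 ;;
    esac
    case "$rel" in
        *-rc[0-9]*) rc=${rel#*-rc}; rc=${rc%%[!0-9]*} ;;
        *) return 1 ;;
    esac
    [ "$rc" -le 6 ]
}

# Print a verdict from: release string, kvm_amd loaded (yes/no), and the value
# of /sys/module/kvm_amd/parameters/nested ("1" or "Y" when enabled).
assess_host() {
    st=0
    kernel_in_affected_range "$1" || st=$?
    if [ "$st" -eq 2 ]; then echo unknown-version
    elif [ "$st" -eq 1 ]; then echo outside-range
    elif [ "$2" != yes ]; then echo no-kvm-amd        # Intel or non-KVM host
    else
        case "$3" in
            1|Y|y) echo check-patch-level ;;          # all three conditions hold
            *) echo nested-disabled ;;                # assumption: bug path unreachable
        esac
    fi
}

# Constructed samples first, then the machine the script runs on.
for s in "5.10.0-8-amd64 yes 1" "5.12.0-rc7 yes 1" "5.11.4 no 0" "5.4.0-80-generic yes 1"; do
    set -- $s
    echo "$1: $(assess_host "$1" "$2" "$3")"
done
[ -d /sys/module/kvm_amd ] && loaded=yes || loaded=no
nested=$(cat /sys/module/kvm_amd/parameters/nested 2>/dev/null || echo 0)
echo "this host ($(uname -r)): $(assess_host "$(uname -r)" "$loaded" "$nested")"
```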

Finally, if you are interested in learning more about it, you can check the details at the following link.

