CVE-2024-26992

KVM: x86/pmu: Disable support for adaptive PEBS

Severity Score

"-"

*CVSS v-

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

KVM: x86/pmu: Disable support for adaptive PEBS

Drop support for virtualizing adaptive PEBS, as KVM's implementation is
architecturally broken without an obvious/easy path forward, and because
exposing adaptive PEBS can leak host LBRs to the guest, i.e. can leak
host kernel addresses to the guest.

Bug #1 is that KVM doesn't account for the upper 32 bits of
IA32_FIXED_CTR_CTRL when (re)programming fixed counters, e.g
fixed_ctrl_field() drops the upper bits, reprogram_fixed_counters()
stores local variables as u8s and truncates the upper bits too, etc.

Bug #2 is that, because KVM _always_ sets precise_ip to a non-zero value
for PEBS events, perf will _always_ generate an adaptive record, even if
the guest requested a basic record. Note, KVM will also enable adaptive
PEBS in individual *counter*, even if adaptive PEBS isn't exposed to the
guest, but this is benign as MSR_PEBS_DATA_CFG is guaranteed to be zero,
i.e. the guest will only ever see Basic records.

Bug #3 is in perf. intel_pmu_disable_fixed() doesn't clear the upper
bits either, i.e. leaves ICL_FIXED_0_ADAPTIVE set, and
intel_pmu_enable_fixed() effectively doesn't clear ICL_FIXED_0_ADAPTIVE
either. I.e. perf _always_ enables ADAPTIVE counters, regardless of what
KVM requests.

Bug #4 is that adaptive PEBS *might* effectively bypass event filters set
by the host, as "Updated Memory Access Info Group" records information
that might be disallowed by userspace via KVM_SET_PMU_EVENT_FILTER.

Bug #5 is that KVM doesn't ensure LBR MSRs hold guest values (or at least
zeros) when entering a vCPU with adaptive PEBS, which allows the guest
to read host LBRs, i.e. host RIPs/addresses, by enabling "LBR Entries"
records.

Disable adaptive PEBS support as an immediate fix due to the severity of
the LBR leak in particular, and because fixing all of the bugs will be
non-trivial, e.g. not suitable for backporting to stable kernels.

Note! This will break live migration, but trying to make KVM play nice
with live migration would be quite complicated, wouldn't be guaranteed to
work (i.e. KVM might still kill/confuse the guest), and it's not clear
that there are any publicly available VMMs that support adaptive PEBS,
let alone live migrate VMs that support adaptive PEBS, e.g. QEMU doesn't
support PEBS in any capacity.

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: KVM: x86/pmu: deshabilitar el soporte para PEBS adaptativos. Eliminar el soporte para virtualizar PEBS adaptativos, ya que la implementación de KVM tiene una arquitectura rota sin un camino obvio/fácil a seguir, y porque exponer PEBS adaptativos puede filtrar los LBR del host al huésped, es decir, puede filtrar las direcciones del kernel del host al huésped. El error número 1 es que KVM no tiene en cuenta los 32 bits superiores de IA32_FIXED_CTR_CTRL cuando (re)programa contadores fijos, por ejemplo, fix_ctrl_field() elimina los bits superiores, reprogram_fixed_counters() almacena variables locales como u8 y también trunca los bits superiores, etc. El error número 2 es que, debido a que KVM _siempre_ establece precision_ip en un valor distinto de cero para eventos PEBS, perf _siempre_ generará un registro adaptativo, incluso si el invitado solicitó un registro básico. Tenga en cuenta que KVM también habilitará PEBS adaptativo en *contador* individual, incluso si PEBS adaptativo no está expuesto al invitado, pero esto es benigno ya que se garantiza que MSR_PEBS_DATA_CFG será cero, es decir, el invitado solo verá registros básicos. El error número 3 está en rendimiento. intel_pmu_disable_fixed() tampoco borra los bits superiores, es decir, deja ICL_FIXED_0_ADAPTIVE configurado, e intel_pmu_enable_fixed() efectivamente tampoco borra ICL_FIXED_0_ADAPTIVE. Es decir, perf _siempre_ habilita contadores ADAPTIVOS, independientemente de lo que solicite KVM. El error número 4 es que los PEBS adaptables *podrían* omitir efectivamente los filtros de eventos establecidos por el host, ya que el "Grupo de información de acceso a memoria actualizado" registra información que podría no estar permitida por el espacio de usuario a través de KVM_SET_PMU_EVENT_FILTER. El error número 5 es que KVM no garantiza que los MSR LBR mantengan valores de invitado (o al menos ceros) al ingresar a una vCPU con PEBS adaptable, lo que permite al invitado leer los LBR del host, es decir, los RIP/direcciones del host, al habilitar las "Entradas LBR". registros. Deshabilite el soporte PEBS adaptable como solución inmediata debido a la gravedad de la fuga de LBR en particular, y porque corregir todos los errores no será trivial, por ejemplo, no es adecuado para realizar backporting a núcleos estables. ¡Nota! Esto interrumpirá la migración en vivo, pero tratar de hacer que KVM funcione bien con la migración en vivo sería bastante complicado, no se garantizaría que funcione (es decir, KVM aún podría matar/confundir al invitado) y no está claro si hay alguno disponible públicamente. Los VMM que admiten PEBS adaptables, y mucho menos migran en vivo las máquinas virtuales que admiten PEBS adaptables; por ejemplo, QEMU no admite PEBS de ninguna manera.

*Credits: N/A

CVSS Scores

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-02-19 CVE Reserved
2024-05-01 CVE Published
2024-05-13 EPSS Updated
2024-09-11 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (5)

URL	Tag	Source
https://git.kernel.org/stable/c/c59a1f106f5cd4843c097069ff1bb2ad72103a67	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/0fb74c00d140a66128afc0003785dcc57e69d312	2024-04-27
https://git.kernel.org/stable/c/037e48ceccf163899374b601afb6ae8d0bf1d2ac	2024-04-27
https://git.kernel.org/stable/c/7a7650b3ac23e5fc8c990f00e94f787dc84e3175	2024-04-27
https://git.kernel.org/stable/c/9e985cbf2942a1bb8fcef9adc2a17d90fd7ca8ee	2024-04-08

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.0 < 6.1.88 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.0 < 6.1.88"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.0 < 6.6.29 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.0 < 6.6.29"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.0 < 6.8.8 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.0 < 6.8.8"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.0 < 6.9 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.0 < 6.9"		en		Affected