In the Linux kernel, the following vulnerability has been resolved:

KVM: x86/pmu: Disable support for adaptive PEBS

Drop support for virtualizing adaptive PEBS, as KVM's implementation is architecturally broken without an obvious/easy path forward, and because exposing adaptive PEBS can leak host LBRs to the guest, i.e. can leak host kernel addresses to the guest.

Bug #1 is that KVM doesn't account for the upper 32 bits of IA32_FIXED_CTR_CTRL when (re)programming fixed counters, e.g. fixed_ctrl_field() drops the upper bits, reprogram_fixed_counters() stores local variables as u8s and truncates the upper bits too, etc.

Bug #2 is that, because KVM always sets precise_ip to a non-zero value for PEBS events, perf will always generate an adaptive record, even if the guest requested a basic record. Note, KVM will also enable adaptive PEBS in individual counters, even if adaptive PEBS isn't exposed to the guest, but this is benign as MSR_PEBS_DATA_CFG is guaranteed to be zero, i.e. the guest will only ever see Basic records.

Bug #3 is in perf. intel_pmu_disable_fixed() doesn't clear the upper bits either, i.e. leaves ICL_FIXED_0_ADAPTIVE set, and intel_pmu_enable_fixed() effectively doesn't clear ICL_FIXED_0_ADAPTIVE either. I.e. perf always enables ADAPTIVE counters, regardless of what KVM requests.

Bug #4 is that adaptive PEBS might effectively bypass event filters set by the host, as "Updated Memory Access Info Group" records information that might be disallowed by userspace via KVM_SET_PMU_EVENT_FILTER.

Bug #5 is that KVM doesn't ensure LBR MSRs hold guest values (or at least zeros) when entering a vCPU with adaptive PEBS, which allows the guest to read host LBRs, i.e. host RIPs/addresses, by enabling "LBR Entries" records.

Disable adaptive PEBS support as an immediate fix due to the severity of the LBR leak in particular, and because fixing all of the bugs will be non-trivial, e.g. not suitable for backporting to stable kernels.

Note! This will break live migration, but trying to make KVM play nice with live migration would be quite complicated, wouldn't be guaranteed to work (i.e. KVM might still kill/confuse the guest), and it's not clear that there are any publicly available VMMs that support adaptive PEBS, let alone live migrate VMs that support adaptive PEBS, e.g. QEMU doesn't support PEBS in any capacity.
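The truncation described as Bug #1, as an added C model that is not KVM's source: a 4-bit extraction of a fixed counter's control nibble (and a u8 local) can never observe the per-counter ADAPTIVE bit at bit 32+idx, so a guest toggling only that bit looks like "no change" to a reprogramming check, while a widened extraction does see it. The stride, nibble mask and ICL_FIXED_0_ADAPTIVE (1ULL << 32) follow the Intel IA32_FIXED_CTR_CTRL layout; the narrow/wide helper names and the sample control values are constructed for this example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* IA32_FIXED_CTR_CTRL layout: each fixed counter owns a 4-bit control nibble
 * at bits [4*idx+3 : 4*idx]; Ice Lake added a per-counter ADAPTIVE bit at
 * bit 32 + idx (ICL_FIXED_0_ADAPTIVE == 1ULL << 32 for counter 0). */
#define FIXED_BITS_STRIDE 4
#define FIXED_BITS_MASK   0xFULL
#define FIXED_0_ADAPTIVE  (1ULL << 32)

/* Shape of Bug #1 (constructed model, not KVM's code): the extraction masks
 * to 4 bits and the result lands in a u8, so bit 32+idx is dropped twice. */
static uint8_t fixed_ctrl_field_narrow(uint64_t ctrl, int idx)
{
    uint8_t ctrl_field = (ctrl >> (idx * FIXED_BITS_STRIDE)) & FIXED_BITS_MASK;
    return ctrl_field;   /* ADAPTIVE bit silently lost */
}

/* Widened extraction: carry the counter's ADAPTIVE bit (moved down to bit 32)
 * alongside its nibble so old/new state can be compared faithfully. */
static uint64_t fixed_ctrl_field_wide(uint64_t ctrl, int idx)
{
    uint64_t nibble   = (ctrl >> (idx * FIXED_BITS_STRIDE)) & FIXED_BITS_MASK;
    uint64_t adaptive = (ctrl >> idx) & FIXED_0_ADAPTIVE;   /* bit 32+idx -> bit 32 */
    return nibble | adaptive;
}

/* Does counter idx need reprogramming when the guest writes new_ctrl? */
static bool needs_reprogram_narrow(uint64_t old_ctrl, uint64_t new_ctrl, int idx)
{
    return fixed_ctrl_field_narrow(old_ctrl, idx) != fixed_ctrl_field_narrow(new_ctrl, idx);
}

static bool needs_reprogram_wide(uint64_t old_ctrl, uint64_t new_ctrl, int idx)
{
    return fixed_ctrl_field_wide(old_ctrl, idx) != fixed_ctrl_field_wide(new_ctrl, idx);
}

int main(void)
{
    /* Constructed sample: counter 0 enabled for kernel+user with PMI (0xB),
     * then the same nibble with its ADAPTIVE bit (bit 32) additionally set. */
    uint64_t basic    = 0x0BULL;
    uint64_t adaptive = basic | FIXED_0_ADAPTIVE;
    printf("narrow sees change: %d\n", needs_reprogram_narrow(basic, adaptive, 0)); /* 0 */
    printf("wide sees change:   %d\n", needs_reprogram_wide(basic, adaptive, 0));   /* 1 */
    return 0;
}
```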
OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 24.04 | noarch | linux | < 6.8.0-38.38 | UNKNOWN |
ubuntu | 24.04 | noarch | linux-aws | < 6.8.0-1011.12 | UNKNOWN |
ubuntu | 22.04 | noarch | linux-aws-6.5 | < any | UNKNOWN |
ubuntu | 24.04 | noarch | linux-azure | < 6.8.0-1010.10 | UNKNOWN |
ubuntu | 22.04 | noarch | linux-azure-6.5 | < any | UNKNOWN |
ubuntu | 24.04 | noarch | linux-gcp | < 6.8.0-1010.11 | UNKNOWN |
ubuntu | 22.04 | noarch | linux-gcp-6.5 | < any | UNKNOWN |
ubuntu | 24.04 | noarch | linux-gke | < 6.8.0-1006.9 | UNKNOWN |
ubuntu | 24.04 | noarch | linux-ibm | < 6.8.0-1008.8 | UNKNOWN |
ubuntu | 24.04 | noarch | linux-intel | < 6.8.0-1007.14 | UNKNOWN |
git.kernel.org/linus/9e985cbf2942a1bb8fcef9adc2a17d90fd7ca8ee (6.9-rc5)
git.kernel.org/stable/c/037e48ceccf163899374b601afb6ae8d0bf1d2ac
git.kernel.org/stable/c/0fb74c00d140a66128afc0003785dcc57e69d312
git.kernel.org/stable/c/7a7650b3ac23e5fc8c990f00e94f787dc84e3175
git.kernel.org/stable/c/9e985cbf2942a1bb8fcef9adc2a17d90fd7ca8ee
launchpad.net/bugs/cve/CVE-2024-26992
nvd.nist.gov/vuln/detail/CVE-2024-26992
security-tracker.debian.org/tracker/CVE-2024-26992
ubuntu.com/security/notices/USN-6893-1
ubuntu.com/security/notices/USN-6893-2
ubuntu.com/security/notices/USN-6893-3
ubuntu.com/security/notices/USN-6918-1
www.cve.org/CVERecord?id=CVE-2024-26992