CVE-2024-26992 – Linux Kernel Adaptive PEBS Vulnerability Fixed; Full Breakdown and Analysis
In the Linux kernel, a significant vulnerability, CVE-2024-26992, has recently been resolved that concerns the KVM (Kernel-based Virtual Machine) implementation for the x86 architecture. The vulnerability revolved around the adaptive Performance Monitoring Unit (PMU) PEBS (Precise Event-Based Sampling), which could lead to the leakage of host kernel addresses from the host to guest VMs. The resolution involves disabling support for adaptive PEBS in KVM, as the current implementation is architecturally broken and fixing it is deemed non-trivial.
This post will provide a comprehensive breakdown of the vulnerability, including detailed explanations of each of the five discovered bugs, the potential consequences, and possible fixes. We will also supply code snippets and links to the original references for further information.
There were five distinct bugs identified in the KVM implementation
- Bug #1: KVM does not account for the upper 32 bits of IA32_FIXED_CTR_CTRL when (re)programming fixed counters. In this case, fixed_ctrl_field() drops the upper bits, and reprogram_fixed_counters() truncates them as well. [[Reference]](https://www.kernel.org/doc/Documentation/x86/)
- Bug #2: KVM always sets precise_ip to a non-zero value for PEBS events. This means that perf will always generate an adaptive record, even if the guest requested a basic record. KVM will also enable adaptive PEBS in individual counters even if the adaptive PEBS is not exposed to the guest.
- Bug #3: In the Intel perf PMU implementation, intel_pmu_disable_fixed() and intel_pmu_enable_fixed() both fail to clear the upper bits of IA32_FIXED_CTR_CTRL, leaving ICL_FIXED__ADAPTIVE set, and therefore, perf always enables ADAPTIVE counters, regardless of what KVM requests.
- Bug #4: Adaptive PEBS might effectively bypass event filters set by the host, leading to potential information disclosure via records even if they are disallowed by userspace through KVM_SET_PMU_EVENT_FILTER.
- Bug #5: KVM does not ensure LBR (Last Branch Record) MSRs (Model-Specific Registers) hold guest values (or at least zeroes) when entering a vCPU with adaptive PEBS enabled. This enables the guest to read host LBRs (i.e. host RIPs/addresses) through "LBR Entries" records.
The Fix – Disable Adaptive PEBS
The immediate fix for this vulnerability is to disable adaptive PEBS support in KVM due to the LBR leak's severity and the non-trivial nature of fixing all of the bugs involved. This will prevent the leakage of host kernel addresses to guest VMs. However, this fix comes with some trade-offs, such as breaking live migration.
It is also worth noting that trying to make KVM compatible with live migration would be a complex process and might not guarantee seamless operation (e.g., KVM might still kill/confuse the guest). Furthermore, it is unclear whether any publicly available VMMs (Virtual Machine Monitors) support adaptive PEBS, let alone live migration of VMs with adaptive PEBS. For example, QEMU does not support PEBS in any capacity.
In conclusion, the recent Linux kernel vulnerability CVE-2024-26992 concerning adaptive PEBS in KVM has been fixed by disabling adaptive PEBS support. While this fix may have drawbacks such as breaking live migration, it effectively mitigates the LBR leakage risks and prevents the potential disclosure of host kernel addresses to guest VMs.
Timeline
Published on: 05/01/2024 06:15:16 UTC
Last modified on: 12/19/2024 08:51:55 UTC