In the Linux kernel, the following vulnerability has been resolved:

KVM: x86/pmu: Disable support for adaptive PEBS

Drop support for virtualizing adaptive PEBS, as KVM's implementation is architecturally broken without an obvious/easy path forward, and because exposing adaptive PEBS can leak host LBRs to the guest, i.e. can leak host kernel addresses to the guest.

Bug #1 is that KVM doesn't account for the upper 32 bits of IA32_FIXED_CTR_CTRL when (re)programming fixed counters, e.g. fixed_ctrl_field() drops the upper bits, reprogram_fixed_counters() stores local variables as u8s and truncates the upper bits too, etc.

Bug #2 is that, because KVM _always_ sets precise_ip to a non-zero value for PEBS events, perf will _always_ generate an adaptive record, even if the guest requested a basic record. Note, KVM will also enable adaptive PEBS in individual *counter*, even if adaptive PEBS isn't exposed to the guest, but this is benign as MSR_PEBS_DATA_CFG is guaranteed to be zero, i.e. the guest will only ever see Basic records.

Bug #3 is in perf. intel_pmu_disable_fixed() doesn't clear the upper bits either, i.e. leaves ICL_FIXED_0_ADAPTIVE set, and intel_pmu_enable_fixed() effectively doesn't clear ICL_FIXED_0_ADAPTIVE either. I.e. perf _always_ enables ADAPTIVE counters, regardless of what KVM requests.

Bug #4 is that adaptive PEBS *might* effectively bypass event filters set by the host, as "Updated Memory Access Info Group" records information that might be disallowed by userspace via KVM_SET_PMU_EVENT_FILTER.

Bug #5 is that KVM doesn't ensure LBR MSRs hold guest values (or at least zeros) when entering a vCPU with adaptive PEBS, which allows the guest to read host LBRs, i.e. host RIPs/addresses, by enabling "LBR Entries" records.

Disable adaptive PEBS support as an immediate fix due to the severity of the LBR leak in particular, and because fixing all of the bugs will be non-trivial, e.g. not suitable for backporting to stable kernels.

Note! This will break live migration, but trying to make KVM play nice with live migration would be quite complicated, wouldn't be guaranteed to work (i.e. KVM might still kill/confuse the guest), and it's not clear that there are any publicly available VMMs that support adaptive PEBS, let alone live migrate VMs that support adaptive PEBS, e.g. QEMU doesn't support PEBS in any capacity.
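The truncation described under Bug #1, as an added illustration in C that is not KVM's code: a simplified model of the IA32_FIXED_CTR_CTRL layout in which decoding a counter's 4-bit control field into a u8 loses that counter's ADAPTIVE bit at bit 32+i, so a guest write that toggles only that bit compares equal to the old value and is never acted upon. The macro names, needs_reprogram_*() and bits_lost_by_truncation() are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Simplified model (not KVM's code) of how IA32_FIXED_CTR_CTRL is decoded.
 * Architecturally, fixed counter i owns a 4-bit control field at bits
 * [4i+3:4i] in the low 32 bits and an ADAPTIVE enable bit at bit 32+i
 * (perf names the first one ICL_FIXED_0_ADAPTIVE).
 */
#define FIXED_CTRL_STRIDE      4
#define FIXED_CTRL_FIELD_MASK  0xfULL
#define FIXED_0_ADAPTIVE       (1ULL << 32)
#define FIXED_ADAPTIVE_BIT(i)  (FIXED_0_ADAPTIVE << (i))

/* Truncating decode: only the 4 low control bits survive; the ADAPTIVE
 * bit belonging to this counter is silently dropped by the u8 result. */
uint8_t fixed_ctrl_field_truncating(uint64_t ctrl, int idx)
{
	return (uint8_t)((ctrl >> (idx * FIXED_CTRL_STRIDE)) & FIXED_CTRL_FIELD_MASK);
}

/* Width-preserving decode (hypothetical): the control field plus this
 * counter's ADAPTIVE bit, kept in its architectural bit position. */
uint64_t fixed_ctrl_field_full(uint64_t ctrl, int idx)
{
	uint64_t field = (ctrl >> (idx * FIXED_CTRL_STRIDE)) & FIXED_CTRL_FIELD_MASK;
	return field | (ctrl & FIXED_ADAPTIVE_BIT(idx));
}

/* A reprogram path decides whether counter idx must be reprogrammed by
 * comparing old and new control values. With u8 locals, a write that only
 * toggles the ADAPTIVE bit compares equal and the change is never applied. */
bool needs_reprogram_truncating(uint64_t old_ctrl, uint64_t new_ctrl, int idx)
{
	uint8_t o = fixed_ctrl_field_truncating(old_ctrl, idx);
	uint8_t n = fixed_ctrl_field_truncating(new_ctrl, idx);
	return o != n;
}

bool needs_reprogram_full(uint64_t old_ctrl, uint64_t new_ctrl, int idx)
{
	return fixed_ctrl_field_full(old_ctrl, idx) != fixed_ctrl_field_full(new_ctrl, idx);
}

/* Bits of a written control value that the truncating decode loses across
 * nr_fixed counters: a sanity check an MSR write path could apply. */
uint64_t bits_lost_by_truncation(uint64_t ctrl, int nr_fixed)
{
	uint64_t seen = 0;
	for (int i = 0; i < nr_fixed; i++)
		seen |= (uint64_t)fixed_ctrl_field_truncating(ctrl, i) << (i * FIXED_CTRL_STRIDE);
	return ctrl & ~seen;
}

int main(void)
{
	/* Constructed sample: fixed counter 0 enabled for OS+USR (0x3); the value
	 * is then rewritten with the same field but with ADAPTIVE (bit 32) set. */
	uint64_t old_ctrl = 0x3;
	uint64_t new_ctrl = 0x3 | FIXED_0_ADAPTIVE;

	printf("truncating decode sees a change: %d\n",
	       needs_reprogram_truncating(old_ctrl, new_ctrl, 0));
	printf("full decode sees a change:       %d\n",
	       needs_reprogram_full(old_ctrl, new_ctrl, 0));
	printf("bits lost by truncation: 0x%llx\n",
	       (unsigned long long)bits_lost_by_truncation(new_ctrl, 3));
	return 0;
}
```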
This will break live migration, but trying to make KVM play nicewith live migration would be quite complicated, wouldn t be guaranteed towork (i.e. KVM might still kill/confuse the guest), and it s not clearthat there are any publicly available VMMs that support adaptive PEBS,let alone live migrate VMs that support adaptive PEBS, e.g. QEMU doesn tsupport PEBS in any capacity.
In the Linux kernel, the following vulnerability has been resolved:KVM: x86/pmu: Disable support for adaptive PEBSDrop support for virtualizing adaptive PEBS, as KVM s implementation isarchitecturally broken without an obvious/easy path forward, and becauseexposing adaptive PEBS can leak host LBRs to the guest, i.e. can leakhost kernel addresses to the guest.Bug #1 is that KVM doesn t account for the upper 32 bits ofIA32_FIXED_CTR_CTRL when (re)programming fixed counters, e.gfixed_ctrl_field() drops the upper bits, reprogram_fixed_counters()stores local variables as u8s and truncates the upper bits too, etc.Bug #2 is that, because KVM _always_ sets precise_ip to a non-zero valuefor PEBS events, perf will _always_ generate an adaptive record, even ifthe guest requested a basic record. Note, KVM will also enable adaptivePEBS in individual *counter*, even if adaptive PEBS isn t exposed to theguest, but this is benign as MSR_PEBS_DATA_CFG is guaranteed to be zero,i.e. the guest will only ever see Basic records.Bug #3 is in perf. intel_pmu_disable_fixed() doesn t clear the upperbits either, i.e. leaves ICL_FIXED_0_ADAPTIVE set, andintel_pmu_enable_fixed() effectively doesn t clear ICL_FIXED_0_ADAPTIVEeither. I.e. perf _always_ enables ADAPTIVE counters, regardless of whatKVM requests.Bug #4 is that adaptive PEBS *might* effectively bypass event filters setby the host, as Updated Memory Access Info Group records informationthat might be disallowed by userspace via KVM_SET_PMU_EVENT_FILTER.Bug #5 is that KVM doesn t ensure LBR MSRs hold guest values (or at leastzeros) when entering a vCPU with adaptive PEBS, which allows the guestto read host LBRs, i.e. host RIPs/addresses, by enabling LBR Entries records.Disable adaptive PEBS support as an immediate fix due to the severity ofthe LBR leak in particular, and because fixing all of the bugs will benon-trivial, e.g. not suitable for backporting to stable kernels.Note! 
This will break live migration, but trying to make KVM play nicewith live migration would be quite complicated, wouldn t be guaranteed towork (i.e. KVM might still kill/confuse the guest), and it s not clearthat there are any publicly available VMMs that support adaptive PEBS,let alone live migrate VMs that support adaptive PEBS, e.g. QEMU doesn tsupport PEBS in any capacity.
In the Linux kernel, the following vulnerability has been resolved:KVM: x86/pmu: Disable support for adaptive PEBSDrop support for virtualizing adaptive PEBS, as KVM s implementation isarchitecturally broken without an obvious/easy path forward, and becauseexposing adaptive PEBS can leak host LBRs to the guest, i.e. can leakhost kernel addresses to the guest.Bug #1 is that KVM doesn t account for the upper 32 bits ofIA32_FIXED_CTR_CTRL when (re)programming fixed counters, e.gfixed_ctrl_field() drops the upper bits, reprogram_fixed_counters()stores local variables as u8s and truncates the upper bits too, etc.Bug #2 is that, because KVM _always_ sets precise_ip to a non-zero valuefor PEBS events, perf will _always_ generate an adaptive record, even ifthe guest requested a basic record. Note, KVM will also enable adaptivePEBS in individual *counter*, even if adaptive PEBS isn t exposed to theguest, but this is benign as MSR_PEBS_DATA_CFG is guaranteed to be zero,i.e. the guest will only ever see Basic records.Bug #3 is in perf. intel_pmu_disable_fixed() doesn t clear the upperbits either, i.e. leaves ICL_FIXED_0_ADAPTIVE set, andintel_pmu_enable_fixed() effectively doesn t clear ICL_FIXED_0_ADAPTIVEeither. I.e. perf _always_ enables ADAPTIVE counters, regardless of whatKVM requests.Bug #4 is that adaptive PEBS *might* effectively bypass event filters setby the host, as Updated Memory Access Info Group records informationthat might be disallowed by userspace via KVM_SET_PMU_EVENT_FILTER.Bug #5 is that KVM doesn t ensure LBR MSRs hold guest values (or at leastzeros) when entering a vCPU with adaptive PEBS, which allows the guestto read host LBRs, i.e. host RIPs/addresses, by enabling LBR Entries records.Disable adaptive PEBS support as an immediate fix due to the severity ofthe LBR leak in particular, and because fixing all of the bugs will benon-trivial, e.g. not suitable for backporting to stable kernels.Note! 
This will break live migration, but trying to make KVM play nicewith live migration would be quite complicated, wouldn t be guaranteed towork (i.e. KVM might still kill/confuse the guest), and it s not clearthat there are any publicly available VMMs that support adaptive PEBS,let alone live migrate VMs that support adaptive PEBS, e.g. QEMU doesn tsupport PEBS in any capacity.
In the Linux kernel, the following vulnerability has been resolved:KVM: x86/pmu: Disable support for adaptive PEBSDrop support for virtualizing adaptive PEBS, as KVM s implementation isarchitecturally broken without an obvious/easy path forward, and becauseexposing adaptive PEBS can leak host LBRs to the guest, i.e. can leakhost kernel addresses to the guest.Bug #1 is that KVM doesn t account for the upper 32 bits ofIA32_FIXED_CTR_CTRL when (re)programming fixed counters, e.gfixed_ctrl_field() drops the upper bits, reprogram_fixed_counters()stores local variables as u8s and truncates the upper bits too, etc.Bug #2 is that, because KVM _always_ sets precise_ip to a non-zero valuefor PEBS events, perf will _always_ generate an adaptive record, even ifthe guest requested a basic record. Note, KVM will also enable adaptivePEBS in individual *counter*, even if adaptive PEBS isn t exposed to theguest, but this is benign as MSR_PEBS_DATA_CFG is guaranteed to be zero,i.e. the guest will only ever see Basic records.Bug #3 is in perf. intel_pmu_disable_fixed() doesn t clear the upperbits either, i.e. leaves ICL_FIXED_0_ADAPTIVE set, andintel_pmu_enable_fixed() effectively doesn t clear ICL_FIXED_0_ADAPTIVEeither. I.e. perf _always_ enables ADAPTIVE counters, regardless of whatKVM requests.Bug #4 is that adaptive PEBS *might* effectively bypass event filters setby the host, as Updated Memory Access Info Group records informationthat might be disallowed by userspace via KVM_SET_PMU_EVENT_FILTER.Bug #5 is that KVM doesn t ensure LBR MSRs hold guest values (or at leastzeros) when entering a vCPU with adaptive PEBS, which allows the guestto read host LBRs, i.e. host RIPs/addresses, by enabling LBR Entries records.Disable adaptive PEBS support as an immediate fix due to the severity ofthe LBR leak in particular, and because fixing all of the bugs will benon-trivial, e.g. not suitable for backporting to stable kernels.Note! 
This will break live migration, but trying to make KVM play nicewith live migration would be quite complicated, wouldn t be guaranteed towork (i.e. KVM might still kill/confuse the guest), and it s not clearthat there are any publicly available VMMs that support adaptive PEBS,let alone live migrate VMs that support adaptive PEBS, e.g. QEMU doesn tsupport PEBS in any capacity.
In the Linux kernel, the following vulnerability has been resolved:KVM: x86/pmu: Disable support for adaptive PEBSDrop support for virtualizing adaptive PEBS, as KVM s implementation isarchitecturally broken without an obvious/easy path forward, and becauseexposing adaptive PEBS can leak host LBRs to the guest, i.e. can leakhost kernel addresses to the guest.Bug #1 is that KVM doesn t account for the upper 32 bits ofIA32_FIXED_CTR_CTRL when (re)programming fixed counters, e.gfixed_ctrl_field() drops the upper bits, reprogram_fixed_counters()stores local variables as u8s and truncates the upper bits too, etc.Bug #2 is that, because KVM _always_ sets precise_ip to a non-zero valuefor PEBS events, perf will _always_ generate an adaptive record, even ifthe guest requested a basic record. Note, KVM will also enable adaptivePEBS in individual *counter*, even if adaptive PEBS isn t exposed to theguest, but this is benign as MSR_PEBS_DATA_CFG is guaranteed to be zero,i.e. the guest will only ever see Basic records.Bug #3 is in perf. intel_pmu_disable_fixed() doesn t clear the upperbits either, i.e. leaves ICL_FIXED_0_ADAPTIVE set, andintel_pmu_enable_fixed() effectively doesn t clear ICL_FIXED_0_ADAPTIVEeither. I.e. perf _always_ enables ADAPTIVE counters, regardless of whatKVM requests.Bug #4 is that adaptive PEBS *might* effectively bypass event filters setby the host, as Updated Memory Access Info Group records informationthat might be disallowed by userspace via KVM_SET_PMU_EVENT_FILTER.Bug #5 is that KVM doesn t ensure LBR MSRs hold guest values (or at leastzeros) when entering a vCPU with adaptive PEBS, which allows the guestto read host LBRs, i.e. host RIPs/addresses, by enabling LBR Entries records.Disable adaptive PEBS support as an immediate fix due to the severity ofthe LBR leak in particular, and because fixing all of the bugs will benon-trivial, e.g. not suitable for backporting to stable kernels.Note! 
This will break live migration, but trying to make KVM play nicewith live migration would be quite complicated, wouldn t be guaranteed towork (i.e. KVM might still kill/confuse the guest), and it s not clearthat there are any publicly available VMMs that support adaptive PEBS,let alone live migrate VMs that support adaptive PEBS, e.g. QEMU doesn tsupport PEBS in any capacity.
In the Linux kernel, the following vulnerability has been resolved:KVM: x86/pmu: Disable support for adaptive PEBSDrop support for virtualizing adaptive PEBS, as KVM s implementation isarchitecturally broken without an obvious/easy path forward, and becauseexposing adaptive PEBS can leak host LBRs to the guest, i.e. can leakhost kernel addresses to the guest.Bug #1 is that KVM doesn t account for the upper 32 bits ofIA32_FIXED_CTR_CTRL when (re)programming fixed counters, e.gfixed_ctrl_field() drops the upper bits, reprogram_fixed_counters()stores local variables as u8s and truncates the upper bits too, etc.Bug #2 is that, because KVM _always_ sets precise_ip to a non-zero valuefor PEBS events, perf will _always_ generate an adaptive record, even ifthe guest requested a basic record. Note, KVM will also enable adaptivePEBS in individual *counter*, even if adaptive PEBS isn t exposed to theguest, but this is benign as MSR_PEBS_DATA_CFG is guaranteed to be zero,i.e. the guest will only ever see Basic records.Bug #3 is in perf. intel_pmu_disable_fixed() doesn t clear the upperbits either, i.e. leaves ICL_FIXED_0_ADAPTIVE set, andintel_pmu_enable_fixed() effectively doesn t clear ICL_FIXED_0_ADAPTIVEeither. I.e. perf _always_ enables ADAPTIVE counters, regardless of whatKVM requests.Bug #4 is that adaptive PEBS *might* effectively bypass event filters setby the host, as Updated Memory Access Info Group records informationthat might be disallowed by userspace via KVM_SET_PMU_EVENT_FILTER.Bug #5 is that KVM doesn t ensure LBR MSRs hold guest values (or at leastzeros) when entering a vCPU with adaptive PEBS, which allows the guestto read host LBRs, i.e. host RIPs/addresses, by enabling LBR Entries records.Disable adaptive PEBS support as an immediate fix due to the severity ofthe LBR leak in particular, and because fixing all of the bugs will benon-trivial, e.g. not suitable for backporting to stable kernels.Note! 
This will break live migration, but trying to make KVM play nicewith live migration would be quite complicated, wouldn t be guaranteed towork (i.e. KVM might still kill/confuse the guest), and it s not clearthat there are any publicly available VMMs that support adaptive PEBS,let alone live migrate VMs that support adaptive PEBS, e.g. QEMU doesn tsupport PEBS in any capacity.
In the Linux kernel, the following vulnerability has been resolved:KVM: x86/pmu: Disable support for adaptive PEBSDrop support for virtualizing adaptive PEBS, as KVM s implementation isarchitecturally broken without an obvious/easy path forward, and becauseexposing adaptive PEBS can leak host LBRs to the guest, i.e. can leakhost kernel addresses to the guest.Bug #1 is that KVM doesn t account for the upper 32 bits ofIA32_FIXED_CTR_CTRL when (re)programming fixed counters, e.gfixed_ctrl_field() drops the upper bits, reprogram_fixed_counters()stores local variables as u8s and truncates the upper bits too, etc.Bug #2 is that, because KVM _always_ sets precise_ip to a non-zero valuefor PEBS events, perf will _always_ generate an adaptive record, even ifthe guest requested a basic record. Note, KVM will also enable adaptivePEBS in individual *counter*, even if adaptive PEBS isn t exposed to theguest, but this is benign as MSR_PEBS_DATA_CFG is guaranteed to be zero,i.e. the guest will only ever see Basic records.Bug #3 is in perf. intel_pmu_disable_fixed() doesn t clear the upperbits either, i.e. leaves ICL_FIXED_0_ADAPTIVE set, andintel_pmu_enable_fixed() effectively doesn t clear ICL_FIXED_0_ADAPTIVEeither. I.e. perf _always_ enables ADAPTIVE counters, regardless of whatKVM requests.Bug #4 is that adaptive PEBS *might* effectively bypass event filters setby the host, as Updated Memory Access Info Group records informationthat might be disallowed by userspace via KVM_SET_PMU_EVENT_FILTER.Bug #5 is that KVM doesn t ensure LBR MSRs hold guest values (or at leastzeros) when entering a vCPU with adaptive PEBS, which allows the guestto read host LBRs, i.e. host RIPs/addresses, by enabling LBR Entries records.Disable adaptive PEBS support as an immediate fix due to the severity ofthe LBR leak in particular, and because fixing all of the bugs will benon-trivial, e.g. not suitable for backporting to stable kernels.Note! 
This will break live migration, but trying to make KVM play nicewith live migration would be quite complicated, wouldn t be guaranteed towork (i.e. KVM might still kill/confuse the guest), and it s not clearthat there are any publicly available VMMs that support adaptive PEBS,let alone live migrate VMs that support adaptive PEBS, e.g. QEMU doesn tsupport PEBS in any capacity.
In the Linux kernel, the following vulnerability has been resolved:KVM: x86/pmu: Disable support for adaptive PEBSDrop support for virtualizing adaptive PEBS, as KVM s implementation isarchitecturally broken without an obvious/easy path forward, and becauseexposing adaptive PEBS can leak host LBRs to the guest, i.e. can leakhost kernel addresses to the guest.Bug #1 is that KVM doesn t account for the upper 32 bits ofIA32_FIXED_CTR_CTRL when (re)programming fixed counters, e.gfixed_ctrl_field() drops the upper bits, reprogram_fixed_counters()stores local variables as u8s and truncates the upper bits too, etc.Bug #2 is that, because KVM _always_ sets precise_ip to a non-zero valuefor PEBS events, perf will _always_ generate an adaptive record, even ifthe guest requested a basic record. Note, KVM will also enable adaptivePEBS in individual *counter*, even if adaptive PEBS isn t exposed to theguest, but this is benign as MSR_PEBS_DATA_CFG is guaranteed to be zero,i.e. the guest will only ever see Basic records.Bug #3 is in perf. intel_pmu_disable_fixed() doesn t clear the upperbits either, i.e. leaves ICL_FIXED_0_ADAPTIVE set, andintel_pmu_enable_fixed() effectively doesn t clear ICL_FIXED_0_ADAPTIVEeither. I.e. perf _always_ enables ADAPTIVE counters, regardless of whatKVM requests.Bug #4 is that adaptive PEBS *might* effectively bypass event filters setby the host, as Updated Memory Access Info Group records informationthat might be disallowed by userspace via KVM_SET_PMU_EVENT_FILTER.Bug #5 is that KVM doesn t ensure LBR MSRs hold guest values (or at leastzeros) when entering a vCPU with adaptive PEBS, which allows the guestto read host LBRs, i.e. host RIPs/addresses, by enabling LBR Entries records.Disable adaptive PEBS support as an immediate fix due to the severity ofthe LBR leak in particular, and because fixing all of the bugs will benon-trivial, e.g. not suitable for backporting to stable kernels.Note! 
This will break live migration, but trying to make KVM play nicewith live migration would be quite complicated, wouldn t be guaranteed towork (i.e. KVM might still kill/confuse the guest), and it s not clearthat there are any publicly available VMMs that support adaptive PEBS,let alone live migrate VMs that support adaptive PEBS, e.g. QEMU doesn tsupport PEBS in any capacity.
In the Linux kernel, the following vulnerability has been resolved:KVM: x86/pmu: Disable support for adaptive PEBSDrop support for virtualizing adaptive PEBS, as KVM s implementation isarchitecturally broken without an obvious/easy path forward, and becauseexposing adaptive PEBS can leak host LBRs to the guest, i.e. can leakhost kernel addresses to the guest.Bug #1 is that KVM doesn t account for the upper 32 bits ofIA32_FIXED_CTR_CTRL when (re)programming fixed counters, e.gfixed_ctrl_field() drops the upper bits, reprogram_fixed_counters()stores local variables as u8s and truncates the upper bits too, etc.Bug #2 is that, because KVM _always_ sets precise_ip to a non-zero valuefor PEBS events, perf will _always_ generate an adaptive record, even ifthe guest requested a basic record. Note, KVM will also enable adaptivePEBS in individual *counter*, even if adaptive PEBS isn t exposed to theguest, but this is benign as MSR_PEBS_DATA_CFG is guaranteed to be zero,i.e. the guest will only ever see Basic records.Bug #3 is in perf. intel_pmu_disable_fixed() doesn t clear the upperbits either, i.e. leaves ICL_FIXED_0_ADAPTIVE set, andintel_pmu_enable_fixed() effectively doesn t clear ICL_FIXED_0_ADAPTIVEeither. I.e. perf _always_ enables ADAPTIVE counters, regardless of whatKVM requests.Bug #4 is that adaptive PEBS *might* effectively bypass event filters setby the host, as Updated Memory Access Info Group records informationthat might be disallowed by userspace via KVM_SET_PMU_EVENT_FILTER.Bug #5 is that KVM doesn t ensure LBR MSRs hold guest values (or at leastzeros) when entering a vCPU with adaptive PEBS, which allows the guestto read host LBRs, i.e. host RIPs/addresses, by enabling LBR Entries records.Disable adaptive PEBS support as an immediate fix due to the severity ofthe LBR leak in particular, and because fixing all of the bugs will benon-trivial, e.g. not suitable for backporting to stable kernels.Note! 
This will break live migration, but trying to make KVM play nicewith live migration would be quite complicated, wouldn t be guaranteed towork (i.e. KVM might still kill/confuse the guest), and it s not clearthat there are any publicly available VMMs that support adaptive PEBS,let alone live migrate VMs that support adaptive PEBS, e.g. QEMU doesn tsupport PEBS in any capacity.
In the Linux kernel, the following vulnerability has been resolved:KVM: x86/pmu: Disable support for adaptive PEBSDrop support for virtualizing adaptive PEBS, as KVM s implementation isarchitecturally broken without an obvious/easy path forward, and becauseexposing adaptive PEBS can leak host LBRs to the guest, i.e. can leakhost kernel addresses to the guest.Bug #1 is that KVM doesn t account for the upper 32 bits ofIA32_FIXED_CTR_CTRL when (re)programming fixed counters, e.gfixed_ctrl_field() drops the upper bits, reprogram_fixed_counters()stores local variables as u8s and truncates the upper bits too, etc.Bug #2 is that, because KVM _always_ sets precise_ip to a non-zero valuefor PEBS events, perf will _always_ generate an adaptive record, even ifthe guest requested a basic record. Note, KVM will also enable adaptivePEBS in individual *counter*, even if adaptive PEBS isn t exposed to theguest, but this is benign as MSR_PEBS_DATA_CFG is guaranteed to be zero,i.e. the guest will only ever see Basic records.Bug #3 is in perf. intel_pmu_disable_fixed() doesn t clear the upperbits either, i.e. leaves ICL_FIXED_0_ADAPTIVE set, andintel_pmu_enable_fixed() effectively doesn t clear ICL_FIXED_0_ADAPTIVEeither. I.e. perf _always_ enables ADAPTIVE counters, regardless of whatKVM requests.Bug #4 is that adaptive PEBS *might* effectively bypass event filters setby the host, as Updated Memory Access Info Group records informationthat might be disallowed by userspace via KVM_SET_PMU_EVENT_FILTER.Bug #5 is that KVM doesn t ensure LBR MSRs hold guest values (or at leastzeros) when entering a vCPU with adaptive PEBS, which allows the guestto read host LBRs, i.e. host RIPs/addresses, by enabling LBR Entries records.Disable adaptive PEBS support as an immediate fix due to the severity ofthe LBR leak in particular, and because fixing all of the bugs will benon-trivial, e.g. not suitable for backporting to stable kernels.Note! 
This will break live migration, but trying to make KVM play nicewith live migration would be quite complicated, wouldn t be guaranteed towork (i.e. KVM might still kill/confuse the guest), and it s not clearthat there are any publicly available VMMs that support adaptive PEBS,let alone live migrate VMs that support adaptive PEBS, e.g. QEMU doesn tsupport PEBS in any capacity.
In the Linux kernel, the following vulnerability has been resolved:KVM: x86/pmu: Disable support for adaptive PEBSDrop support for virtualizing adaptive PEBS, as KVM s implementation isarchitecturally broken without an obvious/easy path forward, and becauseexposing adaptive PEBS can leak host LBRs to the guest, i.e. can leakhost kernel addresses to the guest.Bug #1 is that KVM doesn t account for the upper 32 bits ofIA32_FIXED_CTR_CTRL when (re)programming fixed counters, e.gfixed_ctrl_field() drops the upper bits, reprogram_fixed_counters()stores local variables as u8s and truncates the upper bits too, etc.Bug #2 is that, because KVM _always_ sets precise_ip to a non-zero valuefor PEBS events, perf will _always_ generate an adaptive record, even ifthe guest requested a basic record. Note, KVM will also enable adaptivePEBS in individual *counter*, even if adaptive PEBS isn t exposed to theguest, but this is benign as MSR_PEBS_DATA_CFG is guaranteed to be zero,i.e. the guest will only ever see Basic records.Bug #3 is in perf. intel_pmu_disable_fixed() doesn t clear the upperbits either, i.e. leaves ICL_FIXED_0_ADAPTIVE set, andintel_pmu_enable_fixed() effectively doesn t clear ICL_FIXED_0_ADAPTIVEeither. I.e. perf _always_ enables ADAPTIVE counters, regardless of whatKVM requests.Bug #4 is that adaptive PEBS *might* effectively bypass event filters setby the host, as Updated Memory Access Info Group records informationthat might be disallowed by userspace via KVM_SET_PMU_EVENT_FILTER.Bug #5 is that KVM doesn t ensure LBR MSRs hold guest values (or at leastzeros) when entering a vCPU with adaptive PEBS, which allows the guestto read host LBRs, i.e. host RIPs/addresses, by enabling LBR Entries records.Disable adaptive PEBS support as an immediate fix due to the severity ofthe LBR leak in particular, and because fixing all of the bugs will benon-trivial, e.g. not suitable for backporting to stable kernels.Note! 
This will break live migration, but trying to make KVM play nicewith live migration would be quite complicated, wouldn t be guaranteed towork (i.e. KVM might still kill/confuse the guest), and it s not clearthat there are any publicly available VMMs that support adaptive PEBS,let alone live migrate VMs that support adaptive PEBS, e.g. QEMU doesn tsupport PEBS in any capacity.
In the Linux kernel, the following vulnerability has been resolved:KVM: x86/pmu: Disable support for adaptive PEBSDrop support for virtualizing adaptive PEBS, as KVM s implementation isarchitecturally broken without an obvious/easy path forward, and becauseexposing adaptive PEBS can leak host LBRs to the guest, i.e. can leakhost kernel addresses to the guest.Bug #1 is that KVM doesn t account for the upper 32 bits ofIA32_FIXED_CTR_CTRL when (re)programming fixed counters, e.gfixed_ctrl_field() drops the upper bits, reprogram_fixed_counters()stores local variables as u8s and truncates the upper bits too, etc.Bug #2 is that, because KVM _always_ sets precise_ip to a non-zero valuefor PEBS events, perf will _always_ generate an adaptive record, even ifthe guest requested a basic record. Note, KVM will also enable adaptivePEBS in individual *counter*, even if adaptive PEBS isn t exposed to theguest, but this is benign as MSR_PEBS_DATA_CFG is guaranteed to be zero,i.e. the guest will only ever see Basic records.Bug #3 is in perf. intel_pmu_disable_fixed() doesn t clear the upperbits either, i.e. leaves ICL_FIXED_0_ADAPTIVE set, andintel_pmu_enable_fixed() effectively doesn t clear ICL_FIXED_0_ADAPTIVEeither. I.e. perf _always_ enables ADAPTIVE counters, regardless of whatKVM requests.Bug #4 is that adaptive PEBS *might* effectively bypass event filters setby the host, as Updated Memory Access Info Group records informationthat might be disallowed by userspace via KVM_SET_PMU_EVENT_FILTER.Bug #5 is that KVM doesn t ensure LBR MSRs hold guest values (or at leastzeros) when entering a vCPU with adaptive PEBS, which allows the guestto read host LBRs, i.e. host RIPs/addresses, by enabling LBR Entries records.Disable adaptive PEBS support as an immediate fix due to the severity ofthe LBR leak in particular, and because fixing all of the bugs will benon-trivial, e.g. not suitable for backporting to stable kernels.Note! 
This will break live migration, but trying to make KVM play nicewith live migration would be quite complicated, wouldn t be guaranteed towork (i.e. KVM might still kill/confuse the guest), and it s not clearthat there are any publicly available VMMs that support adaptive PEBS,let alone live migrate VMs that support adaptive PEBS, e.g. QEMU doesn tsupport PEBS in any capacity.
In the Linux kernel, the following vulnerability has been resolved:KVM: x86/pmu: Disable support for adaptive PEBSDrop support for virtualizing adaptive PEBS, as KVM s implementation isarchitecturally broken without an obvious/easy path forward, and becauseexposing adaptive PEBS can leak host LBRs to the guest, i.e. can leakhost kernel addresses to the guest.Bug #1 is that KVM doesn t account for the upper 32 bits ofIA32_FIXED_CTR_CTRL when (re)programming fixed counters, e.gfixed_ctrl_field() drops the upper bits, reprogram_fixed_counters()stores local variables as u8s and truncates the upper bits too, etc.Bug #2 is that, because KVM _always_ sets precise_ip to a non-zero valuefor PEBS events, perf will _always_ generate an adaptive record, even ifthe guest requested a basic record. Note, KVM will also enable adaptivePEBS in individual *counter*, even if adaptive PEBS isn t exposed to theguest, but this is benign as MSR_PEBS_DATA_CFG is guaranteed to be zero,i.e. the guest will only ever see Basic records.Bug #3 is in perf. intel_pmu_disable_fixed() doesn t clear the upperbits either, i.e. leaves ICL_FIXED_0_ADAPTIVE set, andintel_pmu_enable_fixed() effectively doesn t clear ICL_FIXED_0_ADAPTIVEeither. I.e. perf _always_ enables ADAPTIVE counters, regardless of whatKVM requests.Bug #4 is that adaptive PEBS *might* effectively bypass event filters setby the host, as Updated Memory Access Info Group records informationthat might be disallowed by userspace via KVM_SET_PMU_EVENT_FILTER.Bug #5 is that KVM doesn t ensure LBR MSRs hold guest values (or at leastzeros) when entering a vCPU with adaptive PEBS, which allows the guestto read host LBRs, i.e. host RIPs/addresses, by enabling LBR Entries records.Disable adaptive PEBS support as an immediate fix due to the severity ofthe LBR leak in particular, and because fixing all of the bugs will benon-trivial, e.g. not suitable for backporting to stable kernels.Note! 
This will break live migration, but trying to make KVM play nicewith live migration would be quite complicated, wouldn t be guaranteed towork (i.e. KVM might still kill/confuse the guest), and it s not clearthat there are any publicly available VMMs that support adaptive PEBS,let alone live migrate VMs that support adaptive PEBS, e.g. QEMU doesn tsupport PEBS in any capacity.
In the Linux kernel, the following vulnerability has been resolved:KVM: x86/pmu: Disable support for adaptive PEBSDrop support for virtualizing adaptive PEBS, as KVM s implementation isarchitecturally broken without an obvious/easy path forward, and becauseexposing adaptive PEBS can leak host LBRs to the guest, i.e. can leakhost kernel addresses to the guest.Bug #1 is that KVM doesn t account for the upper 32 bits ofIA32_FIXED_CTR_CTRL when (re)programming fixed counters, e.gfixed_ctrl_field() drops the upper bits, reprogram_fixed_counters()stores local variables as u8s and truncates the upper bits too, etc.Bug #2 is that, because KVM _always_ sets precise_ip to a non-zero valuefor PEBS events, perf will _always_ generate an adaptive record, even ifthe guest requested a basic record. Note, KVM will also enable adaptivePEBS in individual *counter*, even if adaptive PEBS isn t exposed to theguest, but this is benign as MSR_PEBS_DATA_CFG is guaranteed to be zero,i.e. the guest will only ever see Basic records.Bug #3 is in perf. intel_pmu_disable_fixed() doesn t clear the upperbits either, i.e. leaves ICL_FIXED_0_ADAPTIVE set, andintel_pmu_enable_fixed() effectively doesn t clear ICL_FIXED_0_ADAPTIVEeither. I.e. perf _always_ enables ADAPTIVE counters, regardless of whatKVM requests.Bug #4 is that adaptive PEBS *might* effectively bypass event filters setby the host, as Updated Memory Access Info Group records informationthat might be disallowed by userspace via KVM_SET_PMU_EVENT_FILTER.Bug #5 is that KVM doesn t ensure LBR MSRs hold guest values (or at leastzeros) when entering a vCPU with adaptive PEBS, which allows the guestto read host LBRs, i.e. host RIPs/addresses, by enabling LBR Entries records.Disable adaptive PEBS support as an immediate fix due to the severity ofthe LBR leak in particular, and because fixing all of the bugs will benon-trivial, e.g. not suitable for backporting to stable kernels.Note! 
This will break live migration, but trying to make KVM play nicewith live migration would be quite complicated, wouldn t be guaranteed towork (i.e. KVM might still kill/confuse the guest), and it s not clearthat there are any publicly available VMMs that support adaptive PEBS,let alone live migrate VMs that support adaptive PEBS, e.g. QEMU doesn tsupport PEBS in any capacity.
In the Linux kernel, the following vulnerability has been resolved:KVM: x86/pmu: Disable support for adaptive PEBSDrop support for virtualizing adaptive PEBS, as KVM s implementation isarchitecturally broken without an obvious/easy path forward, and becauseexposing adaptive PEBS can leak host LBRs to the guest, i.e. can leakhost kernel addresses to the guest.Bug #1 is that KVM doesn t account for the upper 32 bits ofIA32_FIXED_CTR_CTRL when (re)programming fixed counters, e.gfixed_ctrl_field() drops the upper bits, reprogram_fixed_counters()stores local variables as u8s and truncates the upper bits too, etc.Bug #2 is that, because KVM _always_ sets precise_ip to a non-zero valuefor PEBS events, perf will _always_ generate an adaptive record, even ifthe guest requested a basic record. Note, KVM will also enable adaptivePEBS in individual *counter*, even if adaptive PEBS isn t exposed to theguest, but this is benign as MSR_PEBS_DATA_CFG is guaranteed to be zero,i.e. the guest will only ever see Basic records.Bug #3 is in perf. intel_pmu_disable_fixed() doesn t clear the upperbits either, i.e. leaves ICL_FIXED_0_ADAPTIVE set, andintel_pmu_enable_fixed() effectively doesn t clear ICL_FIXED_0_ADAPTIVEeither. I.e. perf _always_ enables ADAPTIVE counters, regardless of whatKVM requests.Bug #4 is that adaptive PEBS *might* effectively bypass event filters setby the host, as Updated Memory Access Info Group records informationthat might be disallowed by userspace via KVM_SET_PMU_EVENT_FILTER.Bug #5 is that KVM doesn t ensure LBR MSRs hold guest values (or at leastzeros) when entering a vCPU with adaptive PEBS, which allows the guestto read host LBRs, i.e. host RIPs/addresses, by enabling LBR Entries records.Disable adaptive PEBS support as an immediate fix due to the severity ofthe LBR leak in particular, and because fixing all of the bugs will benon-trivial, e.g. not suitable for backporting to stable kernels.Note! 
This will break live migration, but trying to make KVM play nicewith live migration would be quite complicated, wouldn t be guaranteed towork (i.e. KVM might still kill/confuse the guest), and it s not clearthat there are any publicly available VMMs that support adaptive PEBS,let alone live migrate VMs that support adaptive PEBS, e.g. QEMU doesn tsupport PEBS in any capacity.
In the Linux kernel, the following vulnerability has been resolved:KVM: x86/pmu: Disable support for adaptive PEBSDrop support for virtualizing adaptive PEBS, as KVM s implementation isarchitecturally broken without an obvious/easy path forward, and becauseexposing adaptive PEBS can leak host LBRs to the guest, i.e. can leakhost kernel addresses to the guest.Bug #1 is that KVM doesn t account for the upper 32 bits ofIA32_FIXED_CTR_CTRL when (re)programming fixed counters, e.gfixed_ctrl_field() drops the upper bits, reprogram_fixed_counters()stores local variables as u8s and truncates the upper bits too, etc.Bug #2 is that, because KVM _always_ sets precise_ip to a non-zero valuefor PEBS events, perf will _always_ generate an adaptive record, even ifthe guest requested a basic record. Note, KVM will also enable adaptivePEBS in individual *counter*, even if adaptive PEBS isn t exposed to theguest, but this is benign as MSR_PEBS_DATA_CFG is guaranteed to be zero,i.e. the guest will only ever see Basic records.Bug #3 is in perf. intel_pmu_disable_fixed() doesn t clear the upperbits either, i.e. leaves ICL_FIXED_0_ADAPTIVE set, andintel_pmu_enable_fixed() effectively doesn t clear ICL_FIXED_0_ADAPTIVEeither. I.e. perf _always_ enables ADAPTIVE counters, regardless of whatKVM requests.Bug #4 is that adaptive PEBS *might* effectively bypass event filters setby the host, as Updated Memory Access Info Group records informationthat might be disallowed by userspace via KVM_SET_PMU_EVENT_FILTER.Bug #5 is that KVM doesn t ensure LBR MSRs hold guest values (or at leastzeros) when entering a vCPU with adaptive PEBS, which allows the guestto read host LBRs, i.e. host RIPs/addresses, by enabling LBR Entries records.Disable adaptive PEBS support as an immediate fix due to the severity ofthe LBR leak in particular, and because fixing all of the bugs will benon-trivial, e.g. not suitable for backporting to stable kernels.Note! 
This will break live migration, but trying to make KVM play nicewith live migration would be quite complicated, wouldn t be guaranteed towork (i.e. KVM might still kill/confuse the guest), and it s not clearthat there are any publicly available VMMs that support adaptive PEBS,let alone live migrate VMs that support adaptive PEBS, e.g. QEMU doesn tsupport PEBS in any capacity.
In the Linux kernel, the following vulnerability has been resolved:KVM: x86/pmu: Disable support for adaptive PEBSDrop support for virtualizing adaptive PEBS, as KVM s implementation isarchitecturally broken without an obvious/easy path forward, and becauseexposing adaptive PEBS can leak host LBRs to the guest, i.e. can leakhost kernel addresses to the guest.Bug #1 is that KVM doesn t account for the upper 32 bits ofIA32_FIXED_CTR_CTRL when (re)programming fixed counters, e.gfixed_ctrl_field() drops the upper bits, reprogram_fixed_counters()stores local variables as u8s and truncates the upper bits too, etc.Bug #2 is that, because KVM _always_ sets precise_ip to a non-zero valuefor PEBS events, perf will _always_ generate an adaptive record, even ifthe guest requested a basic record. Note, KVM will also enable adaptivePEBS in individual *counter*, even if adaptive PEBS isn t exposed to theguest, but this is benign as MSR_PEBS_DATA_CFG is guaranteed to be zero,i.e. the guest will only ever see Basic records.Bug #3 is in perf. intel_pmu_disable_fixed() doesn t clear the upperbits either, i.e. leaves ICL_FIXED_0_ADAPTIVE set, andintel_pmu_enable_fixed() effectively doesn t clear ICL_FIXED_0_ADAPTIVEeither. I.e. perf _always_ enables ADAPTIVE counters, regardless of whatKVM requests.Bug #4 is that adaptive PEBS *might* effectively bypass event filters setby the host, as Updated Memory Access Info Group records informationthat might be disallowed by userspace via KVM_SET_PMU_EVENT_FILTER.Bug #5 is that KVM doesn t ensure LBR MSRs hold guest values (or at leastzeros) when entering a vCPU with adaptive PEBS, which allows the guestto read host LBRs, i.e. host RIPs/addresses, by enabling LBR Entries records.Disable adaptive PEBS support as an immediate fix due to the severity ofthe LBR leak in particular, and because fixing all of the bugs will benon-trivial, e.g. not suitable for backporting to stable kernels.Note! 
This will break live migration, but trying to make KVM play nicewith live migration would be quite complicated, wouldn t be guaranteed towork (i.e. KVM might still kill/confuse the guest), and it s not clearthat there are any publicly available VMMs that support adaptive PEBS,let alone live migrate VMs that support adaptive PEBS, e.g. QEMU doesn tsupport PEBS in any capacity.
In the Linux kernel, the following vulnerability has been resolved:KVM: x86/pmu: Disable support for adaptive PEBSDrop support for virtualizing adaptive PEBS, as KVM s implementation isarchitecturally broken without an obvious/easy path forward, and becauseexposing adaptive PEBS can leak host LBRs to the guest, i.e. can leakhost kernel addresses to the guest.Bug #1 is that KVM doesn t account for the upper 32 bits ofIA32_FIXED_CTR_CTRL when (re)programming fixed counters, e.gfixed_ctrl_field() drops the upper bits, reprogram_fixed_counters()stores local variables as u8s and truncates the upper bits too, etc.Bug #2 is that, because KVM _always_ sets precise_ip to a non-zero valuefor PEBS events, perf will _always_ generate an adaptive record, even ifthe guest requested a basic record. Note, KVM will also enable adaptivePEBS in individual *counter*, even if adaptive PEBS isn t exposed to theguest, but this is benign as MSR_PEBS_DATA_CFG is guaranteed to be zero,i.e. the guest will only ever see Basic records.Bug #3 is in perf. intel_pmu_disable_fixed() doesn t clear the upperbits either, i.e. leaves ICL_FIXED_0_ADAPTIVE set, andintel_pmu_enable_fixed() effectively doesn t clear ICL_FIXED_0_ADAPTIVEeither. I.e. perf _always_ enables ADAPTIVE counters, regardless of whatKVM requests.Bug #4 is that adaptive PEBS *might* effectively bypass event filters setby the host, as Updated Memory Access Info Group records informationthat might be disallowed by userspace via KVM_SET_PMU_EVENT_FILTER.Bug #5 is that KVM doesn t ensure LBR MSRs hold guest values (or at leastzeros) when entering a vCPU with adaptive PEBS, which allows the guestto read host LBRs, i.e. host RIPs/addresses, by enabling LBR Entries records.Disable adaptive PEBS support as an immediate fix due to the severity ofthe LBR leak in particular, and because fixing all of the bugs will benon-trivial, e.g. not suitable for backporting to stable kernels.Note! 
This will break live migration, but trying to make KVM play nicewith live migration would be quite complicated, wouldn t be guaranteed towork (i.e. KVM might still kill/confuse the guest), and it s not clearthat there are any publicly available VMMs that support adaptive PEBS,let alone live migrate VMs that support adaptive PEBS, e.g. QEMU doesn tsupport PEBS in any capacity.
In the Linux kernel, the following vulnerability has been resolved:KVM: x86/pmu: Disable support for adaptive PEBSDrop support for virtualizing adaptive PEBS, as KVM s implementation isarchitecturally broken without an obvious/easy path forward, and becauseexposing adaptive PEBS can leak host LBRs to the guest, i.e. can leakhost kernel addresses to the guest.Bug #1 is that KVM doesn t account for the upper 32 bits ofIA32_FIXED_CTR_CTRL when (re)programming fixed counters, e.gfixed_ctrl_field() drops the upper bits, reprogram_fixed_counters()stores local variables as u8s and truncates the upper bits too, etc.Bug #2 is that, because KVM _always_ sets precise_ip to a non-zero valuefor PEBS events, perf will _always_ generate an adaptive record, even ifthe guest requested a basic record. Note, KVM will also enable adaptivePEBS in individual *counter*, even if adaptive PEBS isn t exposed to theguest, but this is benign as MSR_PEBS_DATA_CFG is guaranteed to be zero,i.e. the guest will only ever see Basic records.Bug #3 is in perf. intel_pmu_disable_fixed() doesn t clear the upperbits either, i.e. leaves ICL_FIXED_0_ADAPTIVE set, andintel_pmu_enable_fixed() effectively doesn t clear ICL_FIXED_0_ADAPTIVEeither. I.e. perf _always_ enables ADAPTIVE counters, regardless of whatKVM requests.Bug #4 is that adaptive PEBS *might* effectively bypass event filters setby the host, as Updated Memory Access Info Group records informationthat might be disallowed by userspace via KVM_SET_PMU_EVENT_FILTER.Bug #5 is that KVM doesn t ensure LBR MSRs hold guest values (or at leastzeros) when entering a vCPU with adaptive PEBS, which allows the guestto read host LBRs, i.e. host RIPs/addresses, by enabling LBR Entries records.Disable adaptive PEBS support as an immediate fix due to the severity ofthe LBR leak in particular, and because fixing all of the bugs will benon-trivial, e.g. not suitable for backporting to stable kernels.Note! 
This will break live migration, but trying to make KVM play nicewith live migration would be quite complicated, wouldn t be guaranteed towork (i.e. KVM might still kill/confuse the guest), and it s not clearthat there are any publicly available VMMs that support adaptive PEBS,let alone live migrate VMs that support adaptive PEBS, e.g. QEMU doesn tsupport PEBS in any capacity.
In the Linux kernel, the following vulnerability has been resolved:KVM: x86/pmu: Disable support for adaptive PEBSDrop support for virtualizing adaptive PEBS, as KVM s implementation isarchitecturally broken without an obvious/easy path forward, and becauseexposing adaptive PEBS can leak host LBRs to the guest, i.e. can leakhost kernel addresses to the guest.Bug #1 is that KVM doesn t account for the upper 32 bits ofIA32_FIXED_CTR_CTRL when (re)programming fixed counters, e.gfixed_ctrl_field() drops the upper bits, reprogram_fixed_counters()stores local variables as u8s and truncates the upper bits too, etc.Bug #2 is that, because KVM _always_ sets precise_ip to a non-zero valuefor PEBS events, perf will _always_ generate an adaptive record, even ifthe guest requested a basic record. Note, KVM will also enable adaptivePEBS in individual *counter*, even if adaptive PEBS isn t exposed to theguest, but this is benign as MSR_PEBS_DATA_CFG is guaranteed to be zero,i.e. the guest will only ever see Basic records.Bug #3 is in perf. intel_pmu_disable_fixed() doesn t clear the upperbits either, i.e. leaves ICL_FIXED_0_ADAPTIVE set, andintel_pmu_enable_fixed() effectively doesn t clear ICL_FIXED_0_ADAPTIVEeither. I.e. perf _always_ enables ADAPTIVE counters, regardless of whatKVM requests.Bug #4 is that adaptive PEBS *might* effectively bypass event filters setby the host, as Updated Memory Access Info Group records informationthat might be disallowed by userspace via KVM_SET_PMU_EVENT_FILTER.Bug #5 is that KVM doesn t ensure LBR MSRs hold guest values (or at leastzeros) when entering a vCPU with adaptive PEBS, which allows the guestto read host LBRs, i.e. host RIPs/addresses, by enabling LBR Entries records.Disable adaptive PEBS support as an immediate fix due to the severity ofthe LBR leak in particular, and because fixing all of the bugs will benon-trivial, e.g. not suitable for backporting to stable kernels.Note! 
This will break live migration, but trying to make KVM play nicewith live migration would be quite complicated, wouldn t be guaranteed towork (i.e. KVM might still kill/confuse the guest), and it s not clearthat there are any publicly available VMMs that support adaptive PEBS,let alone live migrate VMs that support adaptive PEBS, e.g. QEMU doesn tsupport PEBS in any capacity.
In the Linux kernel, the following vulnerability has been resolved:KVM: x86/pmu: Disable support for adaptive PEBSDrop support for virtualizing adaptive PEBS, as KVM s implementation isarchitecturally broken without an obvious/easy path forward, and becauseexposing adaptive PEBS can leak host LBRs to the guest, i.e. can leakhost kernel addresses to the guest.Bug #1 is that KVM doesn t account for the upper 32 bits ofIA32_FIXED_CTR_CTRL when (re)programming fixed counters, e.gfixed_ctrl_field() drops the upper bits, reprogram_fixed_counters()stores local variables as u8s and truncates the upper bits too, etc.Bug #2 is that, because KVM _always_ sets precise_ip to a non-zero valuefor PEBS events, perf will _always_ generate an adaptive record, even ifthe guest requested a basic record. Note, KVM will also enable adaptivePEBS in individual *counter*, even if adaptive PEBS isn t exposed to theguest, but this is benign as MSR_PEBS_DATA_CFG is guaranteed to be zero,i.e. the guest will only ever see Basic records.Bug #3 is in perf. intel_pmu_disable_fixed() doesn t clear the upperbits either, i.e. leaves ICL_FIXED_0_ADAPTIVE set, andintel_pmu_enable_fixed() effectively doesn t clear ICL_FIXED_0_ADAPTIVEeither. I.e. perf _always_ enables ADAPTIVE counters, regardless of whatKVM requests.Bug #4 is that adaptive PEBS *might* effectively bypass event filters setby the host, as Updated Memory Access Info Group records informationthat might be disallowed by userspace via KVM_SET_PMU_EVENT_FILTER.Bug #5 is that KVM doesn t ensure LBR MSRs hold guest values (or at leastzeros) when entering a vCPU with adaptive PEBS, which allows the guestto read host LBRs, i.e. host RIPs/addresses, by enabling LBR Entries records.Disable adaptive PEBS support as an immediate fix due to the severity ofthe LBR leak in particular, and because fixing all of the bugs will benon-trivial, e.g. not suitable for backporting to stable kernels.Note! 
This will break live migration, but trying to make KVM play nicewith live migration would be quite complicated, wouldn t be guaranteed towork (i.e. KVM might still kill/confuse the guest), and it s not clearthat there are any publicly available VMMs that support adaptive PEBS,let alone live migrate VMs that support adaptive PEBS, e.g. QEMU doesn tsupport PEBS in any capacity.
In the Linux kernel, the following vulnerability has been resolved:KVM: x86/pmu: Disable support for adaptive PEBSDrop support for virtualizing adaptive PEBS, as KVM s implementation isarchitecturally broken without an obvious/easy path forward, and becauseexposing adaptive PEBS can leak host LBRs to the guest, i.e. can leakhost kernel addresses to the guest.Bug #1 is that KVM doesn t account for the upper 32 bits ofIA32_FIXED_CTR_CTRL when (re)programming fixed counters, e.gfixed_ctrl_field() drops the upper bits, reprogram_fixed_counters()stores local variables as u8s and truncates the upper bits too, etc.Bug #2 is that, because KVM _always_ sets precise_ip to a non-zero valuefor PEBS events, perf will _always_ generate an adaptive record, even ifthe guest requested a basic record. Note, KVM will also enable adaptivePEBS in individual *counter*, even if adaptive PEBS isn t exposed to theguest, but this is benign as MSR_PEBS_DATA_CFG is guaranteed to be zero,i.e. the guest will only ever see Basic records.Bug #3 is in perf. intel_pmu_disable_fixed() doesn t clear the upperbits either, i.e. leaves ICL_FIXED_0_ADAPTIVE set, andintel_pmu_enable_fixed() effectively doesn t clear ICL_FIXED_0_ADAPTIVEeither. I.e. perf _always_ enables ADAPTIVE counters, regardless of whatKVM requests.Bug #4 is that adaptive PEBS *might* effectively bypass event filters setby the host, as Updated Memory Access Info Group records informationthat might be disallowed by userspace via KVM_SET_PMU_EVENT_FILTER.Bug #5 is that KVM doesn t ensure LBR MSRs hold guest values (or at leastzeros) when entering a vCPU with adaptive PEBS, which allows the guestto read host LBRs, i.e. host RIPs/addresses, by enabling LBR Entries records.Disable adaptive PEBS support as an immediate fix due to the severity ofthe LBR leak in particular, and because fixing all of the bugs will benon-trivial, e.g. not suitable for backporting to stable kernels.Note! 
This will break live migration, but trying to make KVM play nicewith live migration would be quite complicated, wouldn t be guaranteed towork (i.e. KVM might still kill/confuse the guest), and it s not clearthat there are any publicly available VMMs that support adaptive PEBS,let alone live migrate VMs that support adaptive PEBS, e.g. QEMU doesn tsupport PEBS in any capacity.
In the Linux kernel, the following vulnerability has been resolved:KVM: x86/pmu: Disable support for adaptive PEBSDrop support for virtualizing adaptive PEBS, as KVM s implementation isarchitecturally broken without an obvious/easy path forward, and becauseexposing adaptive PEBS can leak host LBRs to the guest, i.e. can leakhost kernel addresses to the guest.Bug #1 is that KVM doesn t account for the upper 32 bits ofIA32_FIXED_CTR_CTRL when (re)programming fixed counters, e.gfixed_ctrl_field() drops the upper bits, reprogram_fixed_counters()stores local variables as u8s and truncates the upper bits too, etc.Bug #2 is that, because KVM _always_ sets precise_ip to a non-zero valuefor PEBS events, perf will _always_ generate an adaptive record, even ifthe guest requested a basic record. Note, KVM will also enable adaptivePEBS in individual *counter*, even if adaptive PEBS isn t exposed to theguest, but this is benign as MSR_PEBS_DATA_CFG is guaranteed to be zero,i.e. the guest will only ever see Basic records.Bug #3 is in perf. intel_pmu_disable_fixed() doesn t clear the upperbits either, i.e. leaves ICL_FIXED_0_ADAPTIVE set, andintel_pmu_enable_fixed() effectively doesn t clear ICL_FIXED_0_ADAPTIVEeither. I.e. perf _always_ enables ADAPTIVE counters, regardless of whatKVM requests.Bug #4 is that adaptive PEBS *might* effectively bypass event filters setby the host, as Updated Memory Access Info Group records informationthat might be disallowed by userspace via KVM_SET_PMU_EVENT_FILTER.Bug #5 is that KVM doesn t ensure LBR MSRs hold guest values (or at leastzeros) when entering a vCPU with adaptive PEBS, which allows the guestto read host LBRs, i.e. host RIPs/addresses, by enabling LBR Entries records.Disable adaptive PEBS support as an immediate fix due to the severity ofthe LBR leak in particular, and because fixing all of the bugs will benon-trivial, e.g. not suitable for backporting to stable kernels.Note! 
This will break live migration, but trying to make KVM play nicewith live migration would be quite complicated, wouldn t be guaranteed towork (i.e. KVM might still kill/confuse the guest), and it s not clearthat there are any publicly available VMMs that support adaptive PEBS,let alone live migrate VMs that support adaptive PEBS, e.g. QEMU doesn tsupport PEBS in any capacity.
In the Linux kernel, the following vulnerability has been resolved:KVM: x86/pmu: Disable support for adaptive PEBSDrop support for virtualizing adaptive PEBS, as KVM s implementation isarchitecturally broken without an obvious/easy path forward, and becauseexposing adaptive PEBS can leak host LBRs to the guest, i.e. can leakhost kernel addresses to the guest.Bug #1 is that KVM doesn t account for the upper 32 bits ofIA32_FIXED_CTR_CTRL when (re)programming fixed counters, e.gfixed_ctrl_field() drops the upper bits, reprogram_fixed_counters()stores local variables as u8s and truncates the upper bits too, etc.Bug #2 is that, because KVM _always_ sets precise_ip to a non-zero valuefor PEBS events, perf will _always_ generate an adaptive record, even ifthe guest requested a basic record. Note, KVM will also enable adaptivePEBS in individual *counter*, even if adaptive PEBS isn t exposed to theguest, but this is benign as MSR_PEBS_DATA_CFG is guaranteed to be zero,i.e. the guest will only ever see Basic records.Bug #3 is in perf. intel_pmu_disable_fixed() doesn t clear the upperbits either, i.e. leaves ICL_FIXED_0_ADAPTIVE set, andintel_pmu_enable_fixed() effectively doesn t clear ICL_FIXED_0_ADAPTIVEeither. I.e. perf _always_ enables ADAPTIVE counters, regardless of whatKVM requests.Bug #4 is that adaptive PEBS *might* effectively bypass event filters setby the host, as Updated Memory Access Info Group records informationthat might be disallowed by userspace via KVM_SET_PMU_EVENT_FILTER.Bug #5 is that KVM doesn t ensure LBR MSRs hold guest values (or at leastzeros) when entering a vCPU with adaptive PEBS, which allows the guestto read host LBRs, i.e. host RIPs/addresses, by enabling LBR Entries records.Disable adaptive PEBS support as an immediate fix due to the severity ofthe LBR leak in particular, and because fixing all of the bugs will benon-trivial, e.g. not suitable for backporting to stable kernels.Note! 
This will break live migration, but trying to make KVM play nicewith live migration would be quite complicated, wouldn t be guaranteed towork (i.e. KVM might still kill/confuse the guest), and it s not clearthat there are any publicly available VMMs that support adaptive PEBS,let alone live migrate VMs that support adaptive PEBS, e.g. QEMU doesn tsupport PEBS in any capacity.
In the Linux kernel, the following vulnerability has been resolved:KVM: x86/pmu: Disable support for adaptive PEBSDrop support for virtualizing adaptive PEBS, as KVM s implementation isarchitecturally broken without an obvious/easy path forward, and becauseexposing adaptive PEBS can leak host LBRs to the guest, i.e. can leakhost kernel addresses to the guest.Bug #1 is that KVM doesn t account for the upper 32 bits ofIA32_FIXED_CTR_CTRL when (re)programming fixed counters, e.gfixed_ctrl_field() drops the upper bits, reprogram_fixed_counters()stores local variables as u8s and truncates the upper bits too, etc.Bug #2 is that, because KVM _always_ sets precise_ip to a non-zero valuefor PEBS events, perf will _always_ generate an adaptive record, even ifthe guest requested a basic record. Note, KVM will also enable adaptivePEBS in individual *counter*, even if adaptive PEBS isn t exposed to theguest, but this is benign as MSR_PEBS_DATA_CFG is guaranteed to be zero,i.e. the guest will only ever see Basic records.Bug #3 is in perf. intel_pmu_disable_fixed() doesn t clear the upperbits either, i.e. leaves ICL_FIXED_0_ADAPTIVE set, andintel_pmu_enable_fixed() effectively doesn t clear ICL_FIXED_0_ADAPTIVEeither. I.e. perf _always_ enables ADAPTIVE counters, regardless of whatKVM requests.Bug #4 is that adaptive PEBS *might* effectively bypass event filters setby the host, as Updated Memory Access Info Group records informationthat might be disallowed by userspace via KVM_SET_PMU_EVENT_FILTER.Bug #5 is that KVM doesn t ensure LBR MSRs hold guest values (or at leastzeros) when entering a vCPU with adaptive PEBS, which allows the guestto read host LBRs, i.e. host RIPs/addresses, by enabling LBR Entries records.Disable adaptive PEBS support as an immediate fix due to the severity ofthe LBR leak in particular, and because fixing all of the bugs will benon-trivial, e.g. not suitable for backporting to stable kernels.Note! 
This will break live migration, but trying to make KVM play nicewith live migration would be quite complicated, wouldn t be guaranteed towork (i.e. KVM might still kill/confuse the guest), and it s not clearthat there are any publicly available VMMs that support adaptive PEBS,let alone live migrate VMs that support adaptive PEBS, e.g. QEMU doesn tsupport PEBS in any capacity.
In the Linux kernel, the following vulnerability has been resolved:KVM: x86/pmu: Disable support for adaptive PEBSDrop support for virtualizing adaptive PEBS, as KVM s implementation isarchitecturally broken without an obvious/easy path forward, and becauseexposing adaptive PEBS can leak host LBRs to the guest, i.e. can leakhost kernel addresses to the guest.Bug #1 is that KVM doesn t account for the upper 32 bits ofIA32_FIXED_CTR_CTRL when (re)programming fixed counters, e.gfixed_ctrl_field() drops the upper bits, reprogram_fixed_counters()stores local variables as u8s and truncates the upper bits too, etc.Bug #2 is that, because KVM _always_ sets precise_ip to a non-zero valuefor PEBS events, perf will _always_ generate an adaptive record, even ifthe guest requested a basic record. Note, KVM will also enable adaptivePEBS in individual *counter*, even if adaptive PEBS isn t exposed to theguest, but this is benign as MSR_PEBS_DATA_CFG is guaranteed to be zero,i.e. the guest will only ever see Basic records.Bug #3 is in perf. intel_pmu_disable_fixed() doesn t clear the upperbits either, i.e. leaves ICL_FIXED_0_ADAPTIVE set, andintel_pmu_enable_fixed() effectively doesn t clear ICL_FIXED_0_ADAPTIVEeither. I.e. perf _always_ enables ADAPTIVE counters, regardless of whatKVM requests.Bug #4 is that adaptive PEBS *might* effectively bypass event filters setby the host, as Updated Memory Access Info Group records informationthat might be disallowed by userspace via KVM_SET_PMU_EVENT_FILTER.Bug #5 is that KVM doesn t ensure LBR MSRs hold guest values (or at leastzeros) when entering a vCPU with adaptive PEBS, which allows the guestto read host LBRs, i.e. host RIPs/addresses, by enabling LBR Entries records.Disable adaptive PEBS support as an immediate fix due to the severity ofthe LBR leak in particular, and because fixing all of the bugs will benon-trivial, e.g. not suitable for backporting to stable kernels.Note! 
This will break live migration, but trying to make KVM play nicewith live migration would be quite complicated, wouldn t be guaranteed towork (i.e. KVM might still kill/confuse the guest), and it s not clearthat there are any publicly available VMMs that support adaptive PEBS,let alone live migrate VMs that support adaptive PEBS, e.g. QEMU doesn tsupport PEBS in any capacity.
In the Linux kernel, the following vulnerability has been resolved:KVM: x86/pmu: Disable support for adaptive PEBSDrop support for virtualizing adaptive PEBS, as KVM s implementation isarchitecturally broken without an obvious/easy path forward, and becauseexposing adaptive PEBS can leak host LBRs to the guest, i.e. can leakhost kernel addresses to the guest.Bug #1 is that KVM doesn t account for the upper 32 bits ofIA32_FIXED_CTR_CTRL when (re)programming fixed counters, e.gfixed_ctrl_field() drops the upper bits, reprogram_fixed_counters()stores local variables as u8s and truncates the upper bits too, etc.Bug #2 is that, because KVM _always_ sets precise_ip to a non-zero valuefor PEBS events, perf will _always_ generate an adaptive record, even ifthe guest requested a basic record. Note, KVM will also enable adaptivePEBS in individual *counter*, even if adaptive PEBS isn t exposed to theguest, but this is benign as MSR_PEBS_DATA_CFG is guaranteed to be zero,i.e. the guest will only ever see Basic records.Bug #3 is in perf. intel_pmu_disable_fixed() doesn t clear the upperbits either, i.e. leaves ICL_FIXED_0_ADAPTIVE set, andintel_pmu_enable_fixed() effectively doesn t clear ICL_FIXED_0_ADAPTIVEeither. I.e. perf _always_ enables ADAPTIVE counters, regardless of whatKVM requests.Bug #4 is that adaptive PEBS *might* effectively bypass event filters setby the host, as Updated Memory Access Info Group records informationthat might be disallowed by userspace via KVM_SET_PMU_EVENT_FILTER.Bug #5 is that KVM doesn t ensure LBR MSRs hold guest values (or at leastzeros) when entering a vCPU with adaptive PEBS, which allows the guestto read host LBRs, i.e. host RIPs/addresses, by enabling LBR Entries records.Disable adaptive PEBS support as an immediate fix due to the severity ofthe LBR leak in particular, and because fixing all of the bugs will benon-trivial, e.g. not suitable for backporting to stable kernels.Note! 
This will break live migration, but trying to make KVM play nicewith live migration would be quite complicated, wouldn t be guaranteed towork (i.e. KVM might still kill/confuse the guest), and it s not clearthat there are any publicly available VMMs that support adaptive PEBS,let alone live migrate VMs that support adaptive PEBS, e.g. QEMU doesn tsupport PEBS in any capacity.
In the Linux kernel, the following vulnerability has been resolved:KVM: x86/pmu: Disable support for adaptive PEBSDrop support for virtualizing adaptive PEBS, as KVM s implementation isarchitecturally broken without an obvious/easy path forward, and becauseexposing adaptive PEBS can leak host LBRs to the guest, i.e. can leakhost kernel addresses to the guest.Bug #1 is that KVM doesn t account for the upper 32 bits ofIA32_FIXED_CTR_CTRL when (re)programming fixed counters, e.gfixed_ctrl_field() drops the upper bits, reprogram_fixed_counters()stores local variables as u8s and truncates the upper bits too, etc.Bug #2 is that, because KVM _always_ sets precise_ip to a non-zero valuefor PEBS events, perf will _always_ generate an adaptive record, even ifthe guest requested a basic record. Note, KVM will also enable adaptivePEBS in individual *counter*, even if adaptive PEBS isn t exposed to theguest, but this is benign as MSR_PEBS_DATA_CFG is guaranteed to be zero,i.e. the guest will only ever see Basic records.Bug #3 is in perf. intel_pmu_disable_fixed() doesn t clear the upperbits either, i.e. leaves ICL_FIXED_0_ADAPTIVE set, andintel_pmu_enable_fixed() effectively doesn t clear ICL_FIXED_0_ADAPTIVEeither. I.e. perf _always_ enables ADAPTIVE counters, regardless of whatKVM requests.Bug #4 is that adaptive PEBS *might* effectively bypass event filters setby the host, as Updated Memory Access Info Group records informationthat might be disallowed by userspace via KVM_SET_PMU_EVENT_FILTER.Bug #5 is that KVM doesn t ensure LBR MSRs hold guest values (or at leastzeros) when entering a vCPU with adaptive PEBS, which allows the guestto read host LBRs, i.e. host RIPs/addresses, by enabling LBR Entries records.Disable adaptive PEBS support as an immediate fix due to the severity ofthe LBR leak in particular, and because fixing all of the bugs will benon-trivial, e.g. not suitable for backporting to stable kernels.Note! 
This will break live migration, but trying to make KVM play nicewith live migration would be quite complicated, wouldn t be guaranteed towork (i.e. KVM might still kill/confuse the guest), and it s not clearthat there are any publicly available VMMs that support adaptive PEBS,let alone live migrate VMs that support adaptive PEBS, e.g. QEMU doesn tsupport PEBS in any capacity.
In the Linux kernel, the following vulnerability has been resolved:KVM: x86/pmu: Disable support for adaptive PEBSDrop support for virtualizing adaptive PEBS, as KVM s implementation isarchitecturally broken without an obvious/easy path forward, and becauseexposing adaptive PEBS can leak host LBRs to the guest, i.e. can leakhost kernel addresses to the guest.Bug #1 is that KVM doesn t account for the upper 32 bits ofIA32_FIXED_CTR_CTRL when (re)programming fixed counters, e.gfixed_ctrl_field() drops the upper bits, reprogram_fixed_counters()stores local variables as u8s and truncates the upper bits too, etc.Bug #2 is that, because KVM _always_ sets precise_ip to a non-zero valuefor PEBS events, perf will _always_ generate an adaptive record, even ifthe guest requested a basic record. Note, KVM will also enable adaptivePEBS in individual *counter*, even if adaptive PEBS isn t exposed to theguest, but this is benign as MSR_PEBS_DATA_CFG is guaranteed to be zero,i.e. the guest will only ever see Basic records.Bug #3 is in perf. intel_pmu_disable_fixed() doesn t clear the upperbits either, i.e. leaves ICL_FIXED_0_ADAPTIVE set, andintel_pmu_enable_fixed() effectively doesn t clear ICL_FIXED_0_ADAPTIVEeither. I.e. perf _always_ enables ADAPTIVE counters, regardless of whatKVM requests.Bug #4 is that adaptive PEBS *might* effectively bypass event filters setby the host, as Updated Memory Access Info Group records informationthat might be disallowed by userspace via KVM_SET_PMU_EVENT_FILTER.Bug #5 is that KVM doesn t ensure LBR MSRs hold guest values (or at leastzeros) when entering a vCPU with adaptive PEBS, which allows the guestto read host LBRs, i.e. host RIPs/addresses, by enabling LBR Entries records.Disable adaptive PEBS support as an immediate fix due to the severity ofthe LBR leak in particular, and because fixing all of the bugs will benon-trivial, e.g. not suitable for backporting to stable kernels.Note! 
This will break live migration, but trying to make KVM play nicewith live migration would be quite complicated, wouldn t be guaranteed towork (i.e. KVM might still kill/confuse the guest), and it s not clearthat there are any publicly available VMMs that support adaptive PEBS,let alone live migrate VMs that support adaptive PEBS, e.g. QEMU doesn tsupport PEBS in any capacity.
In the Linux kernel, the following vulnerability has been resolved:KVM: x86/pmu: Disable support for adaptive PEBSDrop support for virtualizing adaptive PEBS, as KVM s implementation isarchitecturally broken without an obvious/easy path forward, and becauseexposing adaptive PEBS can leak host LBRs to the guest, i.e. can leakhost kernel addresses to the guest.Bug #1 is that KVM doesn t account for the upper 32 bits ofIA32_FIXED_CTR_CTRL when (re)programming fixed counters, e.gfixed_ctrl_field() drops the upper bits, reprogram_fixed_counters()stores local variables as u8s and truncates the upper bits too, etc.Bug #2 is that, because KVM _always_ sets precise_ip to a non-zero valuefor PEBS events, perf will _always_ generate an adaptive record, even ifthe guest requested a basic record. Note, KVM will also enable adaptivePEBS in individual *counter*, even if adaptive PEBS isn t exposed to theguest, but this is benign as MSR_PEBS_DATA_CFG is guaranteed to be zero,i.e. the guest will only ever see Basic records.Bug #3 is in perf. intel_pmu_disable_fixed() doesn t clear the upperbits either, i.e. leaves ICL_FIXED_0_ADAPTIVE set, andintel_pmu_enable_fixed() effectively doesn t clear ICL_FIXED_0_ADAPTIVEeither. I.e. perf _always_ enables ADAPTIVE counters, regardless of whatKVM requests.Bug #4 is that adaptive PEBS *might* effectively bypass event filters setby the host, as Updated Memory Access Info Group records informationthat might be disallowed by userspace via KVM_SET_PMU_EVENT_FILTER.Bug #5 is that KVM doesn t ensure LBR MSRs hold guest values (or at leastzeros) when entering a vCPU with adaptive PEBS, which allows the guestto read host LBRs, i.e. host RIPs/addresses, by enabling LBR Entries records.Disable adaptive PEBS support as an immediate fix due to the severity ofthe LBR leak in particular, and because fixing all of the bugs will benon-trivial, e.g. not suitable for backporting to stable kernels.Note! 
This will break live migration, but trying to make KVM play nicewith live migration would be quite complicated, wouldn t be guaranteed towork (i.e. KVM might still kill/confuse the guest), and it s not clearthat there are any publicly available VMMs that support adaptive PEBS,let alone live migrate VMs that support adaptive PEBS, e.g. QEMU doesn tsupport PEBS in any capacity.
In the Linux kernel, the following vulnerability has been resolved:KVM: x86/pmu: Disable support for adaptive PEBSDrop support for virtualizing adaptive PEBS, as KVM s implementation isarchitecturally broken without an obvious/easy path forward, and becauseexposing adaptive PEBS can leak host LBRs to the guest, i.e. can leakhost kernel addresses to the guest.Bug #1 is that KVM doesn t account for the upper 32 bits ofIA32_FIXED_CTR_CTRL when (re)programming fixed counters, e.gfixed_ctrl_field() drops the upper bits, reprogram_fixed_counters()stores local variables as u8s and truncates the upper bits too, etc.Bug #2 is that, because KVM _always_ sets precise_ip to a non-zero valuefor PEBS events, perf will _always_ generate an adaptive record, even ifthe guest requested a basic record. Note, KVM will also enable adaptivePEBS in individual *counter*, even if adaptive PEBS isn t exposed to theguest, but this is benign as MSR_PEBS_DATA_CFG is guaranteed to be zero,i.e. the guest will only ever see Basic records.Bug #3 is in perf. intel_pmu_disable_fixed() doesn t clear the upperbits either, i.e. leaves ICL_FIXED_0_ADAPTIVE set, andintel_pmu_enable_fixed() effectively doesn t clear ICL_FIXED_0_ADAPTIVEeither. I.e. perf _always_ enables ADAPTIVE counters, regardless of whatKVM requests.Bug #4 is that adaptive PEBS *might* effectively bypass event filters setby the host, as Updated Memory Access Info Group records informationthat might be disallowed by userspace via KVM_SET_PMU_EVENT_FILTER.Bug #5 is that KVM doesn t ensure LBR MSRs hold guest values (or at leastzeros) when entering a vCPU with adaptive PEBS, which allows the guestto read host LBRs, i.e. host RIPs/addresses, by enabling LBR Entries records.Disable adaptive PEBS support as an immediate fix due to the severity ofthe LBR leak in particular, and because fixing all of the bugs will benon-trivial, e.g. not suitable for backporting to stable kernels.Note! 
This will break live migration, but trying to make KVM play nicewith live migration would be quite complicated, wouldn t be guaranteed towork (i.e. KVM might still kill/confuse the guest), and it s not clearthat there are any publicly available VMMs that support adaptive PEBS,let alone live migrate VMs that support adaptive PEBS, e.g. QEMU doesn tsupport PEBS in any capacity.
In the Linux kernel, the following vulnerability has been resolved:KVM: x86/pmu: Disable support for adaptive PEBSDrop support for virtualizing adaptive PEBS, as KVM s implementation isarchitecturally broken without an obvious/easy path forward, and becauseexposing adaptive PEBS can leak host LBRs to the guest, i.e. can leakhost kernel addresses to the guest.Bug #1 is that KVM doesn t account for the upper 32 bits ofIA32_FIXED_CTR_CTRL when (re)programming fixed counters, e.gfixed_ctrl_field() drops the upper bits, reprogram_fixed_counters()stores local variables as u8s and truncates the upper bits too, etc.Bug #2 is that, because KVM _always_ sets precise_ip to a non-zero valuefor PEBS events, perf will _always_ generate an adaptive record, even ifthe guest requested a basic record. Note, KVM will also enable adaptivePEBS in individual *counter*, even if adaptive PEBS isn t exposed to theguest, but this is benign as MSR_PEBS_DATA_CFG is guaranteed to be zero,i.e. the guest will only ever see Basic records.Bug #3 is in perf. intel_pmu_disable_fixed() doesn t clear the upperbits either, i.e. leaves ICL_FIXED_0_ADAPTIVE set, andintel_pmu_enable_fixed() effectively doesn t clear ICL_FIXED_0_ADAPTIVEeither. I.e. perf _always_ enables ADAPTIVE counters, regardless of whatKVM requests.Bug #4 is that adaptive PEBS *might* effectively bypass event filters setby the host, as Updated Memory Access Info Group records informationthat might be disallowed by userspace via KVM_SET_PMU_EVENT_FILTER.Bug #5 is that KVM doesn t ensure LBR MSRs hold guest values (or at leastzeros) when entering a vCPU with adaptive PEBS, which allows the guestto read host LBRs, i.e. host RIPs/addresses, by enabling LBR Entries records.Disable adaptive PEBS support as an immediate fix due to the severity ofthe LBR leak in particular, and because fixing all of the bugs will benon-trivial, e.g. not suitable for backporting to stable kernels.Note! 
This will break live migration, but trying to make KVM play nicewith live migration would be quite complicated, wouldn t be guaranteed towork (i.e. KVM might still kill/confuse the guest), and it s not clearthat there are any publicly available VMMs that support adaptive PEBS,let alone live migrate VMs that support adaptive PEBS, e.g. QEMU doesn tsupport PEBS in any capacity.
In the Linux kernel, the following vulnerability has been resolved:KVM: x86/pmu: Disable support for adaptive PEBSDrop support for virtualizing adaptive PEBS, as KVM s implementation isarchitecturally broken without an obvious/easy path forward, and becauseexposing adaptive PEBS can leak host LBRs to the guest, i.e. can leakhost kernel addresses to the guest.Bug #1 is that KVM doesn t account for the upper 32 bits ofIA32_FIXED_CTR_CTRL when (re)programming fixed counters, e.gfixed_ctrl_field() drops the upper bits, reprogram_fixed_counters()stores local variables as u8s and truncates the upper bits too, etc.Bug #2 is that, because KVM _always_ sets precise_ip to a non-zero valuefor PEBS events, perf will _always_ generate an adaptive record, even ifthe guest requested a basic record. Note, KVM will also enable adaptivePEBS in individual *counter*, even if adaptive PEBS isn t exposed to theguest, but this is benign as MSR_PEBS_DATA_CFG is guaranteed to be zero,i.e. the guest will only ever see Basic records.Bug #3 is in perf. intel_pmu_disable_fixed() doesn t clear the upperbits either, i.e. leaves ICL_FIXED_0_ADAPTIVE set, andintel_pmu_enable_fixed() effectively doesn t clear ICL_FIXED_0_ADAPTIVEeither. I.e. perf _always_ enables ADAPTIVE counters, regardless of whatKVM requests.Bug #4 is that adaptive PEBS *might* effectively bypass event filters setby the host, as Updated Memory Access Info Group records informationthat might be disallowed by userspace via KVM_SET_PMU_EVENT_FILTER.Bug #5 is that KVM doesn t ensure LBR MSRs hold guest values (or at leastzeros) when entering a vCPU with adaptive PEBS, which allows the guestto read host LBRs, i.e. host RIPs/addresses, by enabling LBR Entries records.Disable adaptive PEBS support as an immediate fix due to the severity ofthe LBR leak in particular, and because fixing all of the bugs will benon-trivial, e.g. not suitable for backporting to stable kernels.Note! 
This will break live migration, but trying to make KVM play nicewith live migration would be quite complicated, wouldn t be guaranteed towork (i.e. KVM might still kill/confuse the guest), and it s not clearthat there are any publicly available VMMs that support adaptive PEBS,let alone live migrate VMs that support adaptive PEBS, e.g. QEMU doesn tsupport PEBS in any capacity.
In the Linux kernel, the following vulnerability has been resolved:KVM: x86/pmu: Disable support for adaptive PEBSDrop support for virtualizing adaptive PEBS, as KVM s implementation isarchitecturally broken without an obvious/easy path forward, and becauseexposing adaptive PEBS can leak host LBRs to the guest, i.e. can leakhost kernel addresses to the guest.Bug #1 is that KVM doesn t account for the upper 32 bits ofIA32_FIXED_CTR_CTRL when (re)programming fixed counters, e.gfixed_ctrl_field() drops the upper bits, reprogram_fixed_counters()stores local variables as u8s and truncates the upper bits too, etc.Bug #2 is that, because KVM _always_ sets precise_ip to a non-zero valuefor PEBS events, perf will _always_ generate an adaptive record, even ifthe guest requested a basic record. Note, KVM will also enable adaptivePEBS in individual *counter*, even if adaptive PEBS isn t exposed to theguest, but this is benign as MSR_PEBS_DATA_CFG is guaranteed to be zero,i.e. the guest will only ever see Basic records.Bug #3 is in perf. intel_pmu_disable_fixed() doesn t clear the upperbits either, i.e. leaves ICL_FIXED_0_ADAPTIVE set, andintel_pmu_enable_fixed() effectively doesn t clear ICL_FIXED_0_ADAPTIVEeither. I.e. perf _always_ enables ADAPTIVE counters, regardless of whatKVM requests.Bug #4 is that adaptive PEBS *might* effectively bypass event filters setby the host, as Updated Memory Access Info Group records informationthat might be disallowed by userspace via KVM_SET_PMU_EVENT_FILTER.Bug #5 is that KVM doesn t ensure LBR MSRs hold guest values (or at leastzeros) when entering a vCPU with adaptive PEBS, which allows the guestto read host LBRs, i.e. host RIPs/addresses, by enabling LBR Entries records.Disable adaptive PEBS support as an immediate fix due to the severity ofthe LBR leak in particular, and because fixing all of the bugs will benon-trivial, e.g. not suitable for backporting to stable kernels.Note! 
This will break live migration, but trying to make KVM play nicewith live migration would be quite complicated, wouldn t be guaranteed towork (i.e. KVM might still kill/confuse the guest), and it s not clearthat there are any publicly available VMMs that support adaptive PEBS,let alone live migrate VMs that support adaptive PEBS, e.g. QEMU doesn tsupport PEBS in any capacity.
In the Linux kernel, the following vulnerability has been resolved:KVM: x86/pmu: Disable support for adaptive PEBSDrop support for virtualizing adaptive PEBS, as KVM s implementation isarchitecturally broken without an obvious/easy path forward, and becauseexposing adaptive PEBS can leak host LBRs to the guest, i.e. can leakhost kernel addresses to the guest.Bug #1 is that KVM doesn t account for the upper 32 bits ofIA32_FIXED_CTR_CTRL when (re)programming fixed counters, e.gfixed_ctrl_field() drops the upper bits, reprogram_fixed_counters()stores local variables as u8s and truncates the upper bits too, etc.Bug #2 is that, because KVM _always_ sets precise_ip to a non-zero valuefor PEBS events, perf will _always_ generate an adaptive record, even ifthe guest requested a basic record. Note, KVM will also enable adaptivePEBS in individual *counter*, even if adaptive PEBS isn t exposed to theguest, but this is benign as MSR_PEBS_DATA_CFG is guaranteed to be zero,i.e. the guest will only ever see Basic records.Bug #3 is in perf. intel_pmu_disable_fixed() doesn t clear the upperbits either, i.e. leaves ICL_FIXED_0_ADAPTIVE set, andintel_pmu_enable_fixed() effectively doesn t clear ICL_FIXED_0_ADAPTIVEeither. I.e. perf _always_ enables ADAPTIVE counters, regardless of whatKVM requests.Bug #4 is that adaptive PEBS *might* effectively bypass event filters setby the host, as Updated Memory Access Info Group records informationthat might be disallowed by userspace via KVM_SET_PMU_EVENT_FILTER.Bug #5 is that KVM doesn t ensure LBR MSRs hold guest values (or at leastzeros) when entering a vCPU with adaptive PEBS, which allows the guestto read host LBRs, i.e. host RIPs/addresses, by enabling LBR Entries records.Disable adaptive PEBS support as an immediate fix due to the severity ofthe LBR leak in particular, and because fixing all of the bugs will benon-trivial, e.g. not suitable for backporting to stable kernels.Note! 
This will break live migration, but trying to make KVM play nicewith live migration would be quite complicated, wouldn t be guaranteed towork (i.e. KVM might still kill/confuse the guest), and it s not clearthat there are any publicly available VMMs that support adaptive PEBS,let alone live migrate VMs that support adaptive PEBS, e.g. QEMU doesn tsupport PEBS in any capacity.
In the Linux kernel, the following vulnerability has been resolved:KVM: x86/pmu: Disable support for adaptive PEBSDrop support for virtualizing adaptive PEBS, as KVM s implementation isarchitecturally broken without an obvious/easy path forward, and becauseexposing adaptive PEBS can leak host LBRs to the guest, i.e. can leakhost kernel addresses to the guest.Bug #1 is that KVM doesn t account for the upper 32 bits ofIA32_FIXED_CTR_CTRL when (re)programming fixed counters, e.gfixed_ctrl_field() drops the upper bits, reprogram_fixed_counters()stores local variables as u8s and truncates the upper bits too, etc.Bug #2 is that, because KVM _always_ sets precise_ip to a non-zero valuefor PEBS events, perf will _always_ generate an adaptive record, even ifthe guest requested a basic record. Note, KVM will also enable adaptivePEBS in individual *counter*, even if adaptive PEBS isn t exposed to theguest, but this is benign as MSR_PEBS_DATA_CFG is guaranteed to be zero,i.e. the guest will only ever see Basic records.Bug #3 is in perf. intel_pmu_disable_fixed() doesn t clear the upperbits either, i.e. leaves ICL_FIXED_0_ADAPTIVE set, andintel_pmu_enable_fixed() effectively doesn t clear ICL_FIXED_0_ADAPTIVEeither. I.e. perf _always_ enables ADAPTIVE counters, regardless of whatKVM requests.Bug #4 is that adaptive PEBS *might* effectively bypass event filters setby the host, as Updated Memory Access Info Group records informationthat might be disallowed by userspace via KVM_SET_PMU_EVENT_FILTER.Bug #5 is that KVM doesn t ensure LBR MSRs hold guest values (or at leastzeros) when entering a vCPU with adaptive PEBS, which allows the guestto read host LBRs, i.e. host RIPs/addresses, by enabling LBR Entries records.Disable adaptive PEBS support as an immediate fix due to the severity ofthe LBR leak in particular, and because fixing all of the bugs will benon-trivial, e.g. not suitable for backporting to stable kernels.Note! 
This will break live migration, but trying to make KVM play nicewith live migration would be quite complicated, wouldn t be guaranteed towork (i.e. KVM might still kill/confuse the guest), and it s not clearthat there are any publicly available VMMs that support adaptive PEBS,let alone live migrate VMs that support adaptive PEBS, e.g. QEMU doesn tsupport PEBS in any capacity.
In the Linux kernel, the following vulnerability has been resolved:KVM: x86/pmu: Disable support for adaptive PEBSDrop support for virtualizing adaptive PEBS, as KVM s implementation isarchitecturally broken without an obvious/easy path forward, and becauseexposing adaptive PEBS can leak host LBRs to the guest, i.e. can leakhost kernel addresses to the guest.Bug #1 is that KVM doesn t account for the upper 32 bits ofIA32_FIXED_CTR_CTRL when (re)programming fixed counters, e.gfixed_ctrl_field() drops the upper bits, reprogram_fixed_counters()stores local variables as u8s and truncates the upper bits too, etc.Bug #2 is that, because KVM _always_ sets precise_ip to a non-zero valuefor PEBS events, perf will _always_ generate an adaptive record, even ifthe guest requested a basic record. Note, KVM will also enable adaptivePEBS in individual *counter*, even if adaptive PEBS isn t exposed to theguest, but this is benign as MSR_PEBS_DATA_CFG is guaranteed to be zero,i.e. the guest will only ever see Basic records.Bug #3 is in perf. intel_pmu_disable_fixed() doesn t clear the upperbits either, i.e. leaves ICL_FIXED_0_ADAPTIVE set, andintel_pmu_enable_fixed() effectively doesn t clear ICL_FIXED_0_ADAPTIVEeither. I.e. perf _always_ enables ADAPTIVE counters, regardless of whatKVM requests.Bug #4 is that adaptive PEBS *might* effectively bypass event filters setby the host, as Updated Memory Access Info Group records informationthat might be disallowed by userspace via KVM_SET_PMU_EVENT_FILTER.Bug #5 is that KVM doesn t ensure LBR MSRs hold guest values (or at leastzeros) when entering a vCPU with adaptive PEBS, which allows the guestto read host LBRs, i.e. host RIPs/addresses, by enabling LBR Entries records.Disable adaptive PEBS support as an immediate fix due to the severity ofthe LBR leak in particular, and because fixing all of the bugs will benon-trivial, e.g. not suitable for backporting to stable kernels.Note! 
This will break live migration, but trying to make KVM play nicewith live migration would be quite complicated, wouldn t be guaranteed towork (i.e. KVM might still kill/confuse the guest), and it s not clearthat there are any publicly available VMMs that support adaptive PEBS,let alone live migrate VMs that support adaptive PEBS, e.g. QEMU doesn tsupport PEBS in any capacity.
In the Linux kernel, the following vulnerability has been resolved:KVM: x86/pmu: Disable support for adaptive PEBSDrop support for virtualizing adaptive PEBS, as KVM s implementation isarchitecturally broken without an obvious/easy path forward, and becauseexposing adaptive PEBS can leak host LBRs to the guest, i.e. can leakhost kernel addresses to the guest.Bug #1 is that KVM doesn t account for the upper 32 bits ofIA32_FIXED_CTR_CTRL when (re)programming fixed counters, e.gfixed_ctrl_field() drops the upper bits, reprogram_fixed_counters()stores local variables as u8s and truncates the upper bits too, etc.Bug #2 is that, because KVM _always_ sets precise_ip to a non-zero valuefor PEBS events, perf will _always_ generate an adaptive record, even ifthe guest requested a basic record. Note, KVM will also enable adaptivePEBS in individual *counter*, even if adaptive PEBS isn t exposed to theguest, but this is benign as MSR_PEBS_DATA_CFG is guaranteed to be zero,i.e. the guest will only ever see Basic records.Bug #3 is in perf. intel_pmu_disable_fixed() doesn t clear the upperbits either, i.e. leaves ICL_FIXED_0_ADAPTIVE set, andintel_pmu_enable_fixed() effectively doesn t clear ICL_FIXED_0_ADAPTIVEeither. I.e. perf _always_ enables ADAPTIVE counters, regardless of whatKVM requests.Bug #4 is that adaptive PEBS *might* effectively bypass event filters setby the host, as Updated Memory Access Info Group records informationthat might be disallowed by userspace via KVM_SET_PMU_EVENT_FILTER.Bug #5 is that KVM doesn t ensure LBR MSRs hold guest values (or at leastzeros) when entering a vCPU with adaptive PEBS, which allows the guestto read host LBRs, i.e. host RIPs/addresses, by enabling LBR Entries records.Disable adaptive PEBS support as an immediate fix due to the severity ofthe LBR leak in particular, and because fixing all of the bugs will benon-trivial, e.g. not suitable for backporting to stable kernels.Note! 
This will break live migration, but trying to make KVM play nicewith live migration would be quite complicated, wouldn t be guaranteed towork (i.e. KVM might still kill/confuse the guest), and it s not clearthat there are any publicly available VMMs that support adaptive PEBS,let alone live migrate VMs that support adaptive PEBS, e.g. QEMU doesn tsupport PEBS in any capacity.
In the Linux kernel, the following vulnerability has been resolved:KVM: x86/pmu: Disable support for adaptive PEBSDrop support for virtualizing adaptive PEBS, as KVM s implementation isarchitecturally broken without an obvious/easy path forward, and becauseexposing adaptive PEBS can leak host LBRs to the guest, i.e. can leakhost kernel addresses to the guest.Bug #1 is that KVM doesn t account for the upper 32 bits ofIA32_FIXED_CTR_CTRL when (re)programming fixed counters, e.gfixed_ctrl_field() drops the upper bits, reprogram_fixed_counters()stores local variables as u8s and truncates the upper bits too, etc.Bug #2 is that, because KVM _always_ sets precise_ip to a non-zero valuefor PEBS events, perf will _always_ generate an adaptive record, even ifthe guest requested a basic record. Note, KVM will also enable adaptivePEBS in individual *counter*, even if adaptive PEBS isn t exposed to theguest, but this is benign as MSR_PEBS_DATA_CFG is guaranteed to be zero,i.e. the guest will only ever see Basic records.Bug #3 is in perf. intel_pmu_disable_fixed() doesn t clear the upperbits either, i.e. leaves ICL_FIXED_0_ADAPTIVE set, andintel_pmu_enable_fixed() effectively doesn t clear ICL_FIXED_0_ADAPTIVEeither. I.e. perf _always_ enables ADAPTIVE counters, regardless of whatKVM requests.Bug #4 is that adaptive PEBS *might* effectively bypass event filters setby the host, as Updated Memory Access Info Group records informationthat might be disallowed by userspace via KVM_SET_PMU_EVENT_FILTER.Bug #5 is that KVM doesn t ensure LBR MSRs hold guest values (or at leastzeros) when entering a vCPU with adaptive PEBS, which allows the guestto read host LBRs, i.e. host RIPs/addresses, by enabling LBR Entries records.Disable adaptive PEBS support as an immediate fix due to the severity ofthe LBR leak in particular, and because fixing all of the bugs will benon-trivial, e.g. not suitable for backporting to stable kernels.Note! 
This will break live migration, but trying to make KVM play nicewith live migration would be quite complicated, wouldn t be guaranteed towork (i.e. KVM might still kill/confuse the guest), and it s not clearthat there are any publicly available VMMs that support adaptive PEBS,let alone live migrate VMs that support adaptive PEBS, e.g. QEMU doesn tsupport PEBS in any capacity.
In the Linux kernel, the following vulnerability has been resolved:KVM: x86/pmu: Disable support for adaptive PEBSDrop support for virtualizing adaptive PEBS, as KVM s implementation isarchitecturally broken without an obvious/easy path forward, and becauseexposing adaptive PEBS can leak host LBRs to the guest, i.e. can leakhost kernel addresses to the guest.Bug #1 is that KVM doesn t account for the upper 32 bits ofIA32_FIXED_CTR_CTRL when (re)programming fixed counters, e.gfixed_ctrl_field() drops the upper bits, reprogram_fixed_counters()stores local variables as u8s and truncates the upper bits too, etc.Bug #2 is that, because KVM _always_ sets precise_ip to a non-zero valuefor PEBS events, perf will _always_ generate an adaptive record, even ifthe guest requested a basic record. Note, KVM will also enable adaptivePEBS in individual *counter*, even if adaptive PEBS isn t exposed to theguest, but this is benign as MSR_PEBS_DATA_CFG is guaranteed to be zero,i.e. the guest will only ever see Basic records.Bug #3 is in perf. intel_pmu_disable_fixed() doesn t clear the upperbits either, i.e. leaves ICL_FIXED_0_ADAPTIVE set, andintel_pmu_enable_fixed() effectively doesn t clear ICL_FIXED_0_ADAPTIVEeither. I.e. perf _always_ enables ADAPTIVE counters, regardless of whatKVM requests.Bug #4 is that adaptive PEBS *might* effectively bypass event filters setby the host, as Updated Memory Access Info Group records informationthat might be disallowed by userspace via KVM_SET_PMU_EVENT_FILTER.Bug #5 is that KVM doesn t ensure LBR MSRs hold guest values (or at leastzeros) when entering a vCPU with adaptive PEBS, which allows the guestto read host LBRs, i.e. host RIPs/addresses, by enabling LBR Entries records.Disable adaptive PEBS support as an immediate fix due to the severity ofthe LBR leak in particular, and because fixing all of the bugs will benon-trivial, e.g. not suitable for backporting to stable kernels.Note! 
This will break live migration, but trying to make KVM play nicewith live migration would be quite complicated, wouldn t be guaranteed towork (i.e. KVM might still kill/confuse the guest), and it s not clearthat there are any publicly available VMMs that support adaptive PEBS,let alone live migrate VMs that support adaptive PEBS, e.g. QEMU doesn tsupport PEBS in any capacity.
In the Linux kernel, the following vulnerability has been resolved:KVM: x86/pmu: Disable support for adaptive PEBSDrop support for virtualizing adaptive PEBS, as KVM s implementation isarchitecturally broken without an obvious/easy path forward, and becauseexposing adaptive PEBS can leak host LBRs to the guest, i.e. can leakhost kernel addresses to the guest.Bug #1 is that KVM doesn t account for the upper 32 bits ofIA32_FIXED_CTR_CTRL when (re)programming fixed counters, e.gfixed_ctrl_field() drops the upper bits, reprogram_fixed_counters()stores local variables as u8s and truncates the upper bits too, etc.Bug #2 is that, because KVM _always_ sets precise_ip to a non-zero valuefor PEBS events, perf will _always_ generate an adaptive record, even ifthe guest requested a basic record. Note, KVM will also enable adaptivePEBS in individual *counter*, even if adaptive PEBS isn t exposed to theguest, but this is benign as MSR_PEBS_DATA_CFG is guaranteed to be zero,i.e. the guest will only ever see Basic records.Bug #3 is in perf. intel_pmu_disable_fixed() doesn t clear the upperbits either, i.e. leaves ICL_FIXED_0_ADAPTIVE set, andintel_pmu_enable_fixed() effectively doesn t clear ICL_FIXED_0_ADAPTIVEeither. I.e. perf _always_ enables ADAPTIVE counters, regardless of whatKVM requests.Bug #4 is that adaptive PEBS *might* effectively bypass event filters setby the host, as Updated Memory Access Info Group records informationthat might be disallowed by userspace via KVM_SET_PMU_EVENT_FILTER.Bug #5 is that KVM doesn t ensure LBR MSRs hold guest values (or at leastzeros) when entering a vCPU with adaptive PEBS, which allows the guestto read host LBRs, i.e. host RIPs/addresses, by enabling LBR Entries records.Disable adaptive PEBS support as an immediate fix due to the severity ofthe LBR leak in particular, and because fixing all of the bugs will benon-trivial, e.g. not suitable for backporting to stable kernels.Note! 
This will break live migration, but trying to make KVM play nicewith live migration would be quite complicated, wouldn t be guaranteed towork (i.e. KVM might still kill/confuse the guest), and it s not clearthat there are any publicly available VMMs that support adaptive PEBS,let alone live migrate VMs that support adaptive PEBS, e.g. QEMU doesn tsupport PEBS in any capacity.
In the Linux kernel, the following vulnerability has been resolved:KVM: x86/pmu: Disable support for adaptive PEBSDrop support for virtualizing adaptive PEBS, as KVM s implementation isarchitecturally broken without an obvious/easy path forward, and becauseexposing adaptive PEBS can leak host LBRs to the guest, i.e. can leakhost kernel addresses to the guest.Bug #1 is that KVM doesn t account for the upper 32 bits ofIA32_FIXED_CTR_CTRL when (re)programming fixed counters, e.gfixed_ctrl_field() drops the upper bits, reprogram_fixed_counters()stores local variables as u8s and truncates the upper bits too, etc.Bug #2 is that, because KVM _always_ sets precise_ip to a non-zero valuefor PEBS events, perf will _always_ generate an adaptive record, even ifthe guest requested a basic record. Note, KVM will also enable adaptivePEBS in individual *counter*, even if adaptive PEBS isn t exposed to theguest, but this is benign as MSR_PEBS_DATA_CFG is guaranteed to be zero,i.e. the guest will only ever see Basic records.Bug #3 is in perf. intel_pmu_disable_fixed() doesn t clear the upperbits either, i.e. leaves ICL_FIXED_0_ADAPTIVE set, andintel_pmu_enable_fixed() effectively doesn t clear ICL_FIXED_0_ADAPTIVEeither. I.e. perf _always_ enables ADAPTIVE counters, regardless of whatKVM requests.Bug #4 is that adaptive PEBS *might* effectively bypass event filters setby the host, as Updated Memory Access Info Group records informationthat might be disallowed by userspace via KVM_SET_PMU_EVENT_FILTER.Bug #5 is that KVM doesn t ensure LBR MSRs hold guest values (or at leastzeros) when entering a vCPU with adaptive PEBS, which allows the guestto read host LBRs, i.e. host RIPs/addresses, by enabling LBR Entries records.Disable adaptive PEBS support as an immediate fix due to the severity ofthe LBR leak in particular, and because fixing all of the bugs will benon-trivial, e.g. not suitable for backporting to stable kernels.Note! 
This will break live migration, but trying to make KVM play nicewith live migration would be quite complicated, wouldn t be guaranteed towork (i.e. KVM might still kill/confuse the guest), and it s not clearthat there are any publicly available VMMs that support adaptive PEBS,let alone live migrate VMs that support adaptive PEBS, e.g. QEMU doesn tsupport PEBS in any capacity.
In the Linux kernel, the following vulnerability has been resolved:KVM: x86/pmu: Disable support for adaptive PEBSDrop support for virtualizing adaptive PEBS, as KVM s implementation isarchitecturally broken without an obvious/easy path forward, and becauseexposing adaptive PEBS can leak host LBRs to the guest, i.e. can leakhost kernel addresses to the guest.Bug #1 is that KVM doesn t account for the upper 32 bits ofIA32_FIXED_CTR_CTRL when (re)programming fixed counters, e.gfixed_ctrl_field() drops the upper bits, reprogram_fixed_counters()stores local variables as u8s and truncates the upper bits too, etc.Bug #2 is that, because KVM _always_ sets precise_ip to a non-zero valuefor PEBS events, perf will _always_ generate an adaptive record, even ifthe guest requested a basic record. Note, KVM will also enable adaptivePEBS in individual *counter*, even if adaptive PEBS isn t exposed to theguest, but this is benign as MSR_PEBS_DATA_CFG is guaranteed to be zero,i.e. the guest will only ever see Basic records.Bug #3 is in perf. intel_pmu_disable_fixed() doesn t clear the upperbits either, i.e. leaves ICL_FIXED_0_ADAPTIVE set, andintel_pmu_enable_fixed() effectively doesn t clear ICL_FIXED_0_ADAPTIVEeither. I.e. perf _always_ enables ADAPTIVE counters, regardless of whatKVM requests.Bug #4 is that adaptive PEBS *might* effectively bypass event filters setby the host, as Updated Memory Access Info Group records informationthat might be disallowed by userspace via KVM_SET_PMU_EVENT_FILTER.Bug #5 is that KVM doesn t ensure LBR MSRs hold guest values (or at leastzeros) when entering a vCPU with adaptive PEBS, which allows the guestto read host LBRs, i.e. host RIPs/addresses, by enabling LBR Entries records.Disable adaptive PEBS support as an immediate fix due to the severity ofthe LBR leak in particular, and because fixing all of the bugs will benon-trivial, e.g. not suitable for backporting to stable kernels.Note! 
This will break live migration, but trying to make KVM play nicewith live migration would be quite complicated, wouldn t be guaranteed towork (i.e. KVM might still kill/confuse the guest), and it s not clearthat there are any publicly available VMMs that support adaptive PEBS,let alone live migrate VMs that support adaptive PEBS, e.g. QEMU doesn tsupport PEBS in any capacity.
In the Linux kernel, the following vulnerability has been resolved:KVM: x86/pmu: Disable support for adaptive PEBSDrop support for virtualizing adaptive PEBS, as KVM s implementation isarchitecturally broken without an obvious/easy path forward, and becauseexposing adaptive PEBS can leak host LBRs to the guest, i.e. can leakhost kernel addresses to the guest.Bug #1 is that KVM doesn t account for the upper 32 bits ofIA32_FIXED_CTR_CTRL when (re)programming fixed counters, e.gfixed_ctrl_field() drops the upper bits, reprogram_fixed_counters()stores local variables as u8s and truncates the upper bits too, etc.Bug #2 is that, because KVM _always_ sets precise_ip to a non-zero valuefor PEBS events, perf will _always_ generate an adaptive record, even ifthe guest requested a basic record. Note, KVM will also enable adaptivePEBS in individual *counter*, even if adaptive PEBS isn t exposed to theguest, but this is benign as MSR_PEBS_DATA_CFG is guaranteed to be zero,i.e. the guest will only ever see Basic records.Bug #3 is in perf. intel_pmu_disable_fixed() doesn t clear the upperbits either, i.e. leaves ICL_FIXED_0_ADAPTIVE set, andintel_pmu_enable_fixed() effectively doesn t clear ICL_FIXED_0_ADAPTIVEeither. I.e. perf _always_ enables ADAPTIVE counters, regardless of whatKVM requests.Bug #4 is that adaptive PEBS *might* effectively bypass event filters setby the host, as Updated Memory Access Info Group records informationthat might be disallowed by userspace via KVM_SET_PMU_EVENT_FILTER.Bug #5 is that KVM doesn t ensure LBR MSRs hold guest values (or at leastzeros) when entering a vCPU with adaptive PEBS, which allows the guestto read host LBRs, i.e. host RIPs/addresses, by enabling LBR Entries records.Disable adaptive PEBS support as an immediate fix due to the severity ofthe LBR leak in particular, and because fixing all of the bugs will benon-trivial, e.g. not suitable for backporting to stable kernels.Note! 
This will break live migration, but trying to make KVM play nicewith live migration would be quite complicated, wouldn t be guaranteed towork (i.e. KVM might still kill/confuse the guest), and it s not clearthat there are any publicly available VMMs that support adaptive PEBS,let alone live migrate VMs that support adaptive PEBS, e.g. QEMU doesn tsupport PEBS in any capacity.
In the Linux kernel, the following vulnerability has been resolved:KVM: x86/pmu: Disable support for adaptive PEBSDrop support for virtualizing adaptive PEBS, as KVM s implementation isarchitecturally broken without an obvious/easy path forward, and becauseexposing adaptive PEBS can leak host LBRs to the guest, i.e. can leakhost kernel addresses to the guest.Bug #1 is that KVM doesn t account for the upper 32 bits ofIA32_FIXED_CTR_CTRL when (re)programming fixed counters, e.gfixed_ctrl_field() drops the upper bits, reprogram_fixed_counters()stores local variables as u8s and truncates the upper bits too, etc.Bug #2 is that, because KVM _always_ sets precise_ip to a non-zero valuefor PEBS events, perf will _always_ generate an adaptive record, even ifthe guest requested a basic record. Note, KVM will also enable adaptivePEBS in individual *counter*, even if adaptive PEBS isn t exposed to theguest, but this is benign as MSR_PEBS_DATA_CFG is guaranteed to be zero,i.e. the guest will only ever see Basic records.Bug #3 is in perf. intel_pmu_disable_fixed() doesn t clear the upperbits either, i.e. leaves ICL_FIXED_0_ADAPTIVE set, andintel_pmu_enable_fixed() effectively doesn t clear ICL_FIXED_0_ADAPTIVEeither. I.e. perf _always_ enables ADAPTIVE counters, regardless of whatKVM requests.Bug #4 is that adaptive PEBS *might* effectively bypass event filters setby the host, as Updated Memory Access Info Group records informationthat might be disallowed by userspace via KVM_SET_PMU_EVENT_FILTER.Bug #5 is that KVM doesn t ensure LBR MSRs hold guest values (or at leastzeros) when entering a vCPU with adaptive PEBS, which allows the guestto read host LBRs, i.e. host RIPs/addresses, by enabling LBR Entries records.Disable adaptive PEBS support as an immediate fix due to the severity ofthe LBR leak in particular, and because fixing all of the bugs will benon-trivial, e.g. not suitable for backporting to stable kernels.Note! 
This will break live migration, but trying to make KVM play nicewith live migration would be quite complicated, wouldn t be guaranteed towork (i.e. KVM might still kill/confuse the guest), and it s not clearthat there are any publicly available VMMs that support adaptive PEBS,let alone live migrate VMs that support adaptive PEBS, e.g. QEMU doesn tsupport PEBS in any capacity.
In the Linux kernel, the following vulnerability has been resolved:KVM: x86/pmu: Disable support for adaptive PEBSDrop support for virtualizing adaptive PEBS, as KVM s implementation isarchitecturally broken without an obvious/easy path forward, and becauseexposing adaptive PEBS can leak host LBRs to the guest, i.e. can leakhost kernel addresses to the guest.Bug #1 is that KVM doesn t account for the upper 32 bits ofIA32_FIXED_CTR_CTRL when (re)programming fixed counters, e.gfixed_ctrl_field() drops the upper bits, reprogram_fixed_counters()stores local variables as u8s and truncates the upper bits too, etc.Bug #2 is that, because KVM _always_ sets precise_ip to a non-zero valuefor PEBS events, perf will _always_ generate an adaptive record, even ifthe guest requested a basic record. Note, KVM will also enable adaptivePEBS in individual *counter*, even if adaptive PEBS isn t exposed to theguest, but this is benign as MSR_PEBS_DATA_CFG is guaranteed to be zero,i.e. the guest will only ever see Basic records.Bug #3 is in perf. intel_pmu_disable_fixed() doesn t clear the upperbits either, i.e. leaves ICL_FIXED_0_ADAPTIVE set, andintel_pmu_enable_fixed() effectively doesn t clear ICL_FIXED_0_ADAPTIVEeither. I.e. perf _always_ enables ADAPTIVE counters, regardless of whatKVM requests.Bug #4 is that adaptive PEBS *might* effectively bypass event filters setby the host, as Updated Memory Access Info Group records informationthat might be disallowed by userspace via KVM_SET_PMU_EVENT_FILTER.Bug #5 is that KVM doesn t ensure LBR MSRs hold guest values (or at leastzeros) when entering a vCPU with adaptive PEBS, which allows the guestto read host LBRs, i.e. host RIPs/addresses, by enabling LBR Entries records.Disable adaptive PEBS support as an immediate fix due to the severity ofthe LBR leak in particular, and because fixing all of the bugs will benon-trivial, e.g. not suitable for backporting to stable kernels.Note! 
This will break live migration, but trying to make KVM play nicewith live migration would be quite complicated, wouldn t be guaranteed towork (i.e. KVM might still kill/confuse the guest), and it s not clearthat there are any publicly available VMMs that support adaptive PEBS,let alone live migrate VMs that support adaptive PEBS, e.g. QEMU doesn tsupport PEBS in any capacity.
In the Linux kernel, the following vulnerability has been resolved:KVM: x86/pmu: Disable support for adaptive PEBSDrop support for virtualizing adaptive PEBS, as KVM s implementation isarchitecturally broken without an obvious/easy path forward, and becauseexposing adaptive PEBS can leak host LBRs to the guest, i.e. can leakhost kernel addresses to the guest.Bug #1 is that KVM doesn t account for the upper 32 bits ofIA32_FIXED_CTR_CTRL when (re)programming fixed counters, e.gfixed_ctrl_field() drops the upper bits, reprogram_fixed_counters()stores local variables as u8s and truncates the upper bits too, etc.Bug #2 is that, because KVM _always_ sets precise_ip to a non-zero valuefor PEBS events, perf will _always_ generate an adaptive record, even ifthe guest requested a basic record. Note, KVM will also enable adaptivePEBS in individual *counter*, even if adaptive PEBS isn t exposed to theguest, but this is benign as MSR_PEBS_DATA_CFG is guaranteed to be zero,i.e. the guest will only ever see Basic records.Bug #3 is in perf. intel_pmu_disable_fixed() doesn t clear the upperbits either, i.e. leaves ICL_FIXED_0_ADAPTIVE set, andintel_pmu_enable_fixed() effectively doesn t clear ICL_FIXED_0_ADAPTIVEeither. I.e. perf _always_ enables ADAPTIVE counters, regardless of whatKVM requests.Bug #4 is that adaptive PEBS *might* effectively bypass event filters setby the host, as Updated Memory Access Info Group records informationthat might be disallowed by userspace via KVM_SET_PMU_EVENT_FILTER.Bug #5 is that KVM doesn t ensure LBR MSRs hold guest values (or at leastzeros) when entering a vCPU with adaptive PEBS, which allows the guestto read host LBRs, i.e. host RIPs/addresses, by enabling LBR Entries records.Disable adaptive PEBS support as an immediate fix due to the severity ofthe LBR leak in particular, and because fixing all of the bugs will benon-trivial, e.g. not suitable for backporting to stable kernels.Note! 
This will break live migration, but trying to make KVM play nicewith live migration would be quite complicated, wouldn t be guaranteed towork (i.e. KVM might still kill/confuse the guest), and it s not clearthat there are any publicly available VMMs that support adaptive PEBS,let alone live migrate VMs that support adaptive PEBS, e.g. QEMU doesn tsupport PEBS in any capacity.
In the Linux kernel, the following vulnerability has been resolved:KVM: x86/pmu: Disable support for adaptive PEBSDrop support for virtualizing adaptive PEBS, as KVM s implementation isarchitecturally broken without an obvious/easy path forward, and becauseexposing adaptive PEBS can leak host LBRs to the guest, i.e. can leakhost kernel addresses to the guest.Bug #1 is that KVM doesn t account for the upper 32 bits ofIA32_FIXED_CTR_CTRL when (re)programming fixed counters, e.gfixed_ctrl_field() drops the upper bits, reprogram_fixed_counters()stores local variables as u8s and truncates the upper bits too, etc.Bug #2 is that, because KVM _always_ sets precise_ip to a non-zero valuefor PEBS events, perf will _always_ generate an adaptive record, even ifthe guest requested a basic record. Note, KVM will also enable adaptivePEBS in individual *counter*, even if adaptive PEBS isn t exposed to theguest, but this is benign as MSR_PEBS_DATA_CFG is guaranteed to be zero,i.e. the guest will only ever see Basic records.Bug #3 is in perf. intel_pmu_disable_fixed() doesn t clear the upperbits either, i.e. leaves ICL_FIXED_0_ADAPTIVE set, andintel_pmu_enable_fixed() effectively doesn t clear ICL_FIXED_0_ADAPTIVEeither. I.e. perf _always_ enables ADAPTIVE counters, regardless of whatKVM requests.Bug #4 is that adaptive PEBS *might* effectively bypass event filters setby the host, as Updated Memory Access Info Group records informationthat might be disallowed by userspace via KVM_SET_PMU_EVENT_FILTER.Bug #5 is that KVM doesn t ensure LBR MSRs hold guest values (or at leastzeros) when entering a vCPU with adaptive PEBS, which allows the guestto read host LBRs, i.e. host RIPs/addresses, by enabling LBR Entries records.Disable adaptive PEBS support as an immediate fix due to the severity ofthe LBR leak in particular, and because fixing all of the bugs will benon-trivial, e.g. not suitable for backporting to stable kernels.Note! 
This will break live migration, but trying to make KVM play nicewith live migration would be quite complicated, wouldn t be guaranteed towork (i.e. KVM might still kill/confuse the guest), and it s not clearthat there are any publicly available VMMs that support adaptive PEBS,let alone live migrate VMs that support adaptive PEBS, e.g. QEMU doesn tsupport PEBS in any capacity.
In the Linux kernel, the following vulnerability has been resolved:KVM: x86/pmu: Disable support for adaptive PEBSDrop support for virtualizing adaptive PEBS, as KVM s implementation isarchitecturally broken without an obvious/easy path forward, and becauseexposing adaptive PEBS can leak host LBRs to the guest, i.e. can leakhost kernel addresses to the guest.Bug #1 is that KVM doesn t account for the upper 32 bits ofIA32_FIXED_CTR_CTRL when (re)programming fixed counters, e.gfixed_ctrl_field() drops the upper bits, reprogram_fixed_counters()stores local variables as u8s and truncates the upper bits too, etc.Bug #2 is that, because KVM _always_ sets precise_ip to a non-zero valuefor PEBS events, perf will _always_ generate an adaptive record, even ifthe guest requested a basic record. Note, KVM will also enable adaptivePEBS in individual *counter*, even if adaptive PEBS isn t exposed to theguest, but this is benign as MSR_PEBS_DATA_CFG is guaranteed to be zero,i.e. the guest will only ever see Basic records.Bug #3 is in perf. intel_pmu_disable_fixed() doesn t clear the upperbits either, i.e. leaves ICL_FIXED_0_ADAPTIVE set, andintel_pmu_enable_fixed() effectively doesn t clear ICL_FIXED_0_ADAPTIVEeither. I.e. perf _always_ enables ADAPTIVE counters, regardless of whatKVM requests.Bug #4 is that adaptive PEBS *might* effectively bypass event filters setby the host, as Updated Memory Access Info Group records informationthat might be disallowed by userspace via KVM_SET_PMU_EVENT_FILTER.Bug #5 is that KVM doesn t ensure LBR MSRs hold guest values (or at leastzeros) when entering a vCPU with adaptive PEBS, which allows the guestto read host LBRs, i.e. host RIPs/addresses, by enabling LBR Entries records.Disable adaptive PEBS support as an immediate fix due to the severity ofthe LBR leak in particular, and because fixing all of the bugs will benon-trivial, e.g. not suitable for backporting to stable kernels.Note! 
This will break live migration, but trying to make KVM play nicewith live migration would be quite complicated, wouldn t be guaranteed towork (i.e. KVM might still kill/confuse the guest), and it s not clearthat there are any publicly available VMMs that support adaptive PEBS,let alone live migrate VMs that support adaptive PEBS, e.g. QEMU doesn tsupport PEBS in any capacity.
In the Linux kernel, the following vulnerability has been resolved:KVM: x86/pmu: Disable support for adaptive PEBSDrop support for virtualizing adaptive PEBS, as KVM s implementation isarchitecturally broken without an obvious/easy path forward, and becauseexposing adaptive PEBS can leak host LBRs to the guest, i.e. can leakhost kernel addresses to the guest.Bug #1 is that KVM doesn t account for the upper 32 bits ofIA32_FIXED_CTR_CTRL when (re)programming fixed counters, e.gfixed_ctrl_field() drops the upper bits, reprogram_fixed_counters()stores local variables as u8s and truncates the upper bits too, etc.Bug #2 is that, because KVM _always_ sets precise_ip to a non-zero valuefor PEBS events, perf will _always_ generate an adaptive record, even ifthe guest requested a basic record. Note, KVM will also enable adaptivePEBS in individual *counter*, even if adaptive PEBS isn t exposed to theguest, but this is benign as MSR_PEBS_DATA_CFG is guaranteed to be zero,i.e. the guest will only ever see Basic records.Bug #3 is in perf. intel_pmu_disable_fixed() doesn t clear the upperbits either, i.e. leaves ICL_FIXED_0_ADAPTIVE set, andintel_pmu_enable_fixed() effectively doesn t clear ICL_FIXED_0_ADAPTIVEeither. I.e. perf _always_ enables ADAPTIVE counters, regardless of whatKVM requests.Bug #4 is that adaptive PEBS *might* effectively bypass event filters setby the host, as Updated Memory Access Info Group records informationthat might be disallowed by userspace via KVM_SET_PMU_EVENT_FILTER.Bug #5 is that KVM doesn t ensure LBR MSRs hold guest values (or at leastzeros) when entering a vCPU with adaptive PEBS, which allows the guestto read host LBRs, i.e. host RIPs/addresses, by enabling LBR Entries records.Disable adaptive PEBS support as an immediate fix due to the severity ofthe LBR leak in particular, and because fixing all of the bugs will benon-trivial, e.g. not suitable for backporting to stable kernels.Note! 
This will break live migration, but trying to make KVM play nicewith live migration would be quite complicated, wouldn t be guaranteed towork (i.e. KVM might still kill/confuse the guest), and it s not clearthat there are any publicly available VMMs that support adaptive PEBS,let alone live migrate VMs that support adaptive PEBS, e.g. QEMU doesn tsupport PEBS in any capacity.