一、漏洞信息
漏洞编号：CVE-2024-26992
漏洞归属组件：kernel
漏洞归属的版本：4.19.140,4.19.194,4.19.90,5.10.0,6.1.0,6.1.14,6.1.19,6.1.5,6.1.6,6.1.8,6.4.0,6.6.0
CVSS V2.0分值：
BaseScore：0.0 Low
Vector：CVSS：2.0/
漏洞简述：
In the Linux kernel, the following vulnerability has been resolved:KVM: x86/pmu: Disable support for adaptive PEBSDrop support for virtualizing adaptive PEBS, as KVM s implementation isarchitecturally broken without an obvious/easy path forward, and becauseexposing adaptive PEBS can leak host LBRs to the guest, i.e. can leakhost kernel addresses to the guest.Bug #1 is that KVM doesn t account for the upper 32 bits ofIA32_FIXED_CTR_CTRL when (re)programming fixed counters, e.gfixed_ctrl_field() drops the upper bits, reprogram_fixed_counters()stores local variables as u8s and truncates the upper bits too, etc.Bug #2 is that, because KVM always sets precise_ip to a non-zero valuefor PEBS events, perf will always generate an adaptive record, even ifthe guest requested a basic record. Note, KVM will also enable adaptivePEBS in individual counter, even if adaptive PEBS isn t exposed to theguest, but this is benign as MSR_PEBS_DATA_CFG is guaranteed to be zero,i.e. the guest will only ever see Basic records.Bug #3 is in perf. intel_pmu_disable_fixed() doesn t clear the upperbits either, i.e. leaves ICL_FIXED_0_ADAPTIVE set, andintel_pmu_enable_fixed() effectively doesn t clear ICL_FIXED_0_ADAPTIVEeither. I.e. perf always enables ADAPTIVE counters, regardless of whatKVM requests.Bug #4 is that adaptive PEBS might effectively bypass event filters setby the host, as Updated Memory Access Info Group records informationthat might be disallowed by userspace via KVM_SET_PMU_EVENT_FILTER.Bug #5 is that KVM doesn t ensure LBR MSRs hold guest values (or at leastzeros) when entering a vCPU with adaptive PEBS, which allows the guestto read host LBRs, i.e. host RIPs/addresses, by enabling LBR Entries records.Disable adaptive PEBS support as an immediate fix due to the severity ofthe LBR leak in particular, and because fixing all of the bugs will benon-trivial, e.g. not suitable for backporting to stable kernels.Note! This will break live migration, but trying to make KVM play nicewith live migration would be quite complicated, wouldn t be guaranteed towork (i.e. KVM might still kill/confuse the guest), and it s not clearthat there are any publicly available VMMs that support adaptive PEBS,let alone live migrate VMs that support adaptive PEBS, e.g. QEMU doesn tsupport PEBS in any capacity.
漏洞公开时间：2024-05-01 14:15:16
漏洞创建时间：2024-05-01 15:09:51
漏洞详情参考链接：
https://nvd.nist.gov/vuln/detail/CVE-2024-26992

漏洞分析指导链接：
https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md
漏洞数据来源:
openBrain开源漏洞感知系统
漏洞补丁信息：

二、漏洞分析结构反馈
影响性分析说明：
Reserved.
openEuler评分：
4.0
Vector：CVSS：3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:N
受影响版本排查(受影响/不受影响)：
1.openEuler-20.03-LTS-SP1(4.19.90):不受影响
2.openEuler-20.03-LTS-SP4(4.19.90):不受影响
3.openEuler-22.03-LTS(5.10.0):不受影响
4.openEuler-22.03-LTS-SP1(5.10.0):不受影响
5.openEuler-22.03-LTS-SP2(5.10.0):不受影响
6.openEuler-22.03-LTS-SP3(5.10.0):不受影响
7.openEuler-22.03-LTS-SP4(5.10.0):不受影响
8.master(6.1.0):不受影响
9.openEuler-22.03-LTS-Next(5.10.0):不受影响
10.openEuler-24.03-LTS(6.6.0):不受影响
11.openEuler-24.03-LTS-Next(6.6.0):不受影响

修复是否涉及abi变化(是/否)：
1.openEuler-20.03-LTS-SP1(4.19.90):否
2.openEuler-20.03-LTS-SP4(4.19.90):否
3.openEuler-22.03-LTS(5.10.0):否
4.openEuler-22.03-LTS-SP1(5.10.0):否
5.openEuler-22.03-LTS-SP2(5.10.0):否
6.openEuler-22.03-LTS-SP3(5.10.0):否
7.master(6.1.0):否
8.openEuler-22.03-LTS-Next(5.10.0):否
9.openEuler-24.03-LTS(6.6.0):否
10.openEuler-24.03-LTS-Next(6.6.0):否
11.openEuler-22.03-LTS-SP4(5.10.0):否