Retbleed: a new attack on the speculative execution mechanism of Intel and AMD CPUs

A group of researchers from ETH Zurich has identified a new attack on the mechanism of speculative execution of indirect branches in the CPU, which makes it possible to extract data from kernel memory or to mount an attack on the host system from virtual machines. The vulnerabilities are codenamed Retbleed (CVE-2022-29900, CVE-2022-29901) and are similar in nature to the Spectre-v2 attacks. The difference is that arbitrary code is executed speculatively when the "ret" (return) instruction is processed, which takes the jump address from the stack, rather than an indirect jump via the "jmp" instruction, which loads the address from memory or from a CPU register.

An attacker can create conditions for an incorrect branch prediction and arrange a deliberate speculative transfer of control to a block of code that the program's execution logic never intended. Eventually the processor determines that the branch prediction was not justified and rolls the operation back to its original state, but the data processed during speculative execution remains in the cache and in microarchitectural buffers. If the mistakenly executed block accesses memory, its speculative execution leaves the data read from memory in the shared cache.

To determine which data remained in the cache after the speculative operations, the attacker can use side-channel techniques, such as analysing the change in access time for cached versus uncached data. To deliberately extract information from areas at another privilege level (for example, from kernel memory), "gadgets" are used: instruction sequences present in the kernel that are suitable for speculatively reading data from memory depending on external conditions that the attacker can influence.

To protect against classic Spectre-class attacks that use conditional and indirect jump instructions, most operating systems use the "retpoline" technique, which replaces indirect jump operations with the "ret" instruction, for which processors use a separate stack-state prediction unit that does not involve the branch prediction block. When retpoline was introduced in 2018, Spectre-like address manipulation was believed to be impractical for speculative branching via the "ret" instruction.

The researchers who developed the Retbleed attack method demonstrated that it is possible to create microarchitectural conditions for initiating a speculative transfer of control via the "ret" instruction, and published ready-made tooling for finding instruction sequences (gadgets) in the Linux kernel that are suitable for exploiting the vulnerability, i.e. places in which such conditions manifest themselves.

During the research, a working exploit was prepared which, on systems with Intel CPUs, allows arbitrary data to be extracted from kernel memory by an unprivileged user-space process at a rate of 219 bytes per second with 98% accuracy. On AMD processors the exploit is more efficient: the leak rate is 3.9 KB per second. As a practical example, the researchers show how the proposed exploit can be used to determine the contents of the /etc/shadow file. On a system with an Intel CPU, the attack recovered the root password hash in 28 minutes; on a system with an AMD CPU, in 6 minutes.

The attack was confirmed for generations 6-8 of Intel processors released before Q3 2019 (including Skylake), and for AMD processors based on the Zen 1, Zen 1+ and Zen 2 microarchitectures released before Q2 2021. In newer models such as AMD Zen 3 and Intel Alder Lake, as well as in ARM processors, the problem is blocked by existing protection mechanisms. For example, use of IBRS (Indirect Branch Restricted Speculation) instructions helps protect against the attack.

A set of changes has been prepared for the Linux kernel and the Xen hypervisor that blocks the problem in software on older CPUs. The proposed Linux kernel patch changes 68 files, adds 1783 lines and removes 387 lines. Unfortunately, the protection incurs significant overhead: in tests run on AMD and Intel processors, the performance drop was estimated at 14% to 39%. It is preferable to use the IBRS-based protection, which is available in newer generations of Intel CPUs and is supported starting with Linux kernel 4.19.
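Since the article points administrators at the kernel mitigation and at IBRS-capable hardware, the natural defender's question is "what does my kernel say it is doing about Retbleed?". The following POSIX shell script is an added example, not code from the article or from the ETH Zurich researchers. It reads the per-vulnerability status files that recent Linux kernels expose under /sys/devices/system/cpu/vulnerabilities (the retbleed entry appears in kernels that carry the mitigation patches), classifies the reported line, and cross-checks the CPU flag line from /proc/cpuinfo for the enhanced-IBRS feature. The flag names `ibrs_enhanced` and `spec_ctrl` and the sample status strings are assumptions constructed for the example; verify them against your own kernel.

```shell
#!/bin/sh
# Added example (not from the article): audit the kernel's reported Retbleed
# mitigation state on a Linux host. Each file under VULN_DIR holds one line
# that begins with "Not affected", "Vulnerable" or "Mitigation: ...".
# The SAMPLE_* values below are constructed to resemble that output; they are
# not captured from a real machine.

VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# Map one retbleed sysfs line to a short verdict.
classify_retbleed_status() {
    case "$1" in
        "Not affected"*) echo unaffected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# Return "yes" if a whole-word flag is present in a /proc/cpuinfo "flags" line
# (surrounding spaces prevent "ibrs" from matching "ibrs_enhanced").
has_cpu_flag() {
    case " $1 " in
        *" $2 "*) echo yes ;;
        *)        echo no ;;
    esac
}

# Combine both signals into a one-line assessment. "ibrs_enhanced" is assumed
# to be the cpuinfo flag name for enhanced IBRS on Intel; the article recommends
# IBRS-based protection where the hardware and kernel (>= 4.19) support it.
assess() {
    status=$(classify_retbleed_status "$1")
    eibrs=$(has_cpu_flag "$2" ibrs_enhanced)
    case "$status:$eibrs" in
        unaffected:*)   echo "not affected" ;;
        mitigated:*)    echo "mitigated by kernel" ;;
        vulnerable:yes) echo "vulnerable (eIBRS flag present on CPU)" ;;
        vulnerable:no)  echo "vulnerable (no eIBRS flag; expect 14-39% overhead from the software mitigation)" ;;
        *)              echo "unknown status, inspect $VULN_DIR manually" ;;
    esac
}

# Live report over every entry in the sysfs directory (only on a real host).
report_live() {
    for f in "$VULN_DIR"/*; do
        printf '%-24s %s\n' "$(basename "$f")" "$(cat "$f")"
    done
    assess "$(cat "$VULN_DIR/retbleed")" "$(grep -m1 '^flags' /proc/cpuinfo)"
}

# Constructed samples (not real captures).
SAMPLE_STATUS='Mitigation: untrained return thunk; SMT enabled with STIBP protection'
SAMPLE_FLAGS='flags : fpu vme de pse tsc msr pae mce cx8 spec_ctrl ibrs_enhanced ssbd'

assess "$SAMPLE_STATUS" "$SAMPLE_FLAGS"
[ -r "$VULN_DIR/retbleed" ] && report_live
```

Run it as an unprivileged user; the sysfs and /proc files it reads are world-readable. On a host that predates the mitigation patches the retbleed file is simply absent, which the script treats as "nothing to report" rather than as "not affected".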

On Intel processors, address substitution for speculative indirect jumps is possible thanks to a behaviour that manifests when the Return Stack Buffer underflows. When such conditions occur, the "ret" instruction starts using an address selection logic similar to the one used for ordinary indirect jumps. More than a thousand places were found in the Linux kernel that create the conditions for triggering such a fallback and are reachable through system calls.

On AMD processors, speculative execution of the "ret" instruction is performed without reference to the stack-specific buffer (Return Address Stack), and the branch prediction unit treats the "ret" instruction not as a return of control but as an indirect branch, and accordingly uses the data it holds for predicting indirect transitions. Under these conditions, practically any "ret" operation reachable through a system call can be exploited.

In addition, another issue was identified in AMD CPUs (CVE-2022-23825, Branch Type Confusion) related to the handling of phantom branches: conditions for branch prediction can arise even without the required branch instruction, which makes it possible to influence the branch prediction buffer without any "ret" instruction. This behaviour considerably complicates implementing the protection and requires more aggressive flushing of the branch prediction buffer. Adding full protection to the kernel is expected to increase the overhead by up to 209%.

source: budenet.ru
