Vulnerability in the speculative instruction execution mechanism of AMD processors

The grsecurity project has published details and a demonstration of an attack method for a new vulnerability (CVE-2021-26341) in AMD processors, related to speculative execution of instructions after unconditional forward branches. If the attack succeeds, the vulnerability makes it possible to determine the contents of arbitrary memory regions. As an example, the researchers prepared an exploit that let them determine the address layout and bypass the KASLR (kernel address space randomization) protection by running unprivileged code in the kernel's eBPF subsystem. Other attack scenarios that could lead to leakage of kernel memory contents cannot be ruled out.

The vulnerability allows creating conditions under which the processor, during speculative execution, executes the instruction that immediately follows a branch instruction in memory (SLS, Straight Line Speculation). Moreover, such speculation happens not only for conditional branches, but also for instructions that imply a direct unconditional transfer of control, such as JMP, RET and CALL. After an unconditional branch instruction, arbitrary data that was never intended to be executed may be placed. Once the processor determines that the branch does not lead to execution of the next instruction, it simply rolls back the state and discards the speculative execution, but the trace left by the transiently executed instructions remains in the shared cache and can be recovered using side-channel analysis techniques.

As with exploitation of the Spectre-v1 vulnerability, the attack requires the presence of certain instruction sequences (gadgets) in the kernel that trigger speculative execution. Blocking the vulnerability in this case comes down to finding such gadgets in the code and adding instructions to them that stop speculative execution. The conditions for speculative execution can also be created by unprivileged programs running in the eBPF virtual machine. To block the ability to build gadgets with eBPF, it is recommended to disable unprivileged access to eBPF on the system ("sysctl -w kernel.unprivileged_bpf_disabled=1"). Note that the value 1 is sticky: once set it cannot be cleared on the running kernel, whereas the value 2 also disables unprivileged bpf() calls but can still be changed back by an administrator.

The vulnerability affects processors based on the Zen1 and Zen2 microarchitectures, including the first and second generations of AMD EPYC and AMD Ryzen Threadripper processors, as well as AMD Ryzen 2000/3000/4000/5000, AMD Athlon, AMD Athlon X, AMD Ryzen Threadripper PRO and A-series APU processors. To block speculative execution of the instructions that follow a branch, it is recommended to insert an INT3 or LFENCE instruction after branch operations (RET, JMP, CALL).
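The following C program is an added illustration; it is neither grsecurity's proof of concept nor code from the original article. It shows, at machine-code level, what an SLS window after a RET looks like, the INT3 stopper that the advisory recommends (the same thing GCC's `-mharden-sls=all` emits and the Linux `CONFIG_SLS` option relies on), and a byte-level heuristic for spotting RETs that lack an INT3 or LFENCE behind them. The function names `sls_unhardened`, `sls_hardened`, the gadget body and the sample byte strings are all constructed for this example; the hand-written assembly is only assembled on x86-64 ELF targets, the scanner and the portable wrapper build everywhere.

```c
/*
 * Added example, not the grsecurity PoC and not kernel code: an SLS window
 * after RET, the INT3 stopper recommended for CVE-2021-26341, and a scanner
 * for RETs that lack a stopper. Names, gadget and byte strings are constructed.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__) && defined(__ELF__)
/*
 * sls_unhardened(a, b) returns a + b. Architecturally RET ends it, but an
 * affected Zen1/Zen2 core may keep fetching and transiently executing the
 * bytes after the RET. Here those bytes form a Spectre-style gadget: a load
 * through the caller-controlled pointer in %rdi and a dependent load, so the
 * cache state left behind after roll-back depends on the loaded value.
 *
 * sls_hardened is the same function with an INT3 directly after the RET, as
 * GCC -mharden-sls=all (Linux CONFIG_SLS) emits: speculation running past
 * the RET hits the trap instead of a gadget.
 */
__asm__(
    ".text\n"
    ".globl sls_unhardened\n"
    ".type sls_unhardened, @function\n"
    "sls_unhardened:\n"
    "    leaq (%rdi,%rsi), %rax\n"
    "    ret\n"
    "sls_gadget:\n"                /* never reached architecturally */
    "    movq (%rdi), %rax\n"      /* transient load via caller-chosen pointer */
    "    movq (%rax), %rax\n"      /* dependent load: value selects a cache line */
    "    ret\n"
    ".globl sls_unhardened_end\n"
    "sls_unhardened_end:\n"
    ".size sls_unhardened, .-sls_unhardened\n"
    ".globl sls_hardened\n"
    ".type sls_hardened, @function\n"
    "sls_hardened:\n"
    "    leaq (%rdi,%rsi), %rax\n"
    "    ret\n"
    "    int3\n"                   /* SLS stopper on the straight-line path */
    ".globl sls_hardened_end\n"
    "sls_hardened_end:\n"
    ".size sls_hardened, .-sls_hardened\n"
);
extern uint64_t sls_unhardened(uint64_t a, uint64_t b);
extern uint64_t sls_hardened(uint64_t a, uint64_t b);
extern const uint8_t sls_unhardened_end[], sls_hardened_end[];
#endif

/* Portable entry point so the demo also builds on other ISAs (plain a + b there). */
uint64_t add_via_hardened(uint64_t a, uint64_t b)
{
#if defined(__x86_64__) && defined(__ELF__)
    return sls_hardened(a, b);
#else
    return a + b;
#endif
}

/* Constructed machine code for the two functions above (the bytes GAS produces). */
static const uint8_t SAMPLE_UNHARDENED[] = {
    0x48, 0x8d, 0x04, 0x37,        /* leaq (%rdi,%rsi),%rax */
    0xc3,                          /* ret  <- SLS window opens here */
    0x48, 0x8b, 0x07,              /* movq (%rdi),%rax   (gadget) */
    0x48, 0x8b, 0x00,              /* movq (%rax),%rax   (gadget) */
    0xc3,                          /* ret */
};
static const uint8_t SAMPLE_HARDENED[] = {
    0x48, 0x8d, 0x04, 0x37,        /* leaq (%rdi,%rsi),%rax */
    0xc3,                          /* ret */
    0xcc,                          /* int3 <- stopper */
};

/*
 * Count RET opcodes (0xC3) in a code byte string and return how many are NOT
 * immediately followed by an SLS stopper (INT3 = CC, or LFENCE = 0F AE E8).
 * total_rets (if non-NULL) receives the number of RETs seen. This is only a
 * heuristic: 0xC3 can also occur inside immediates or displacements, so a real
 * audit should walk a disassembly (objdump -d) rather than raw bytes.
 */
size_t sls_unprotected_rets(const uint8_t *code, size_t len, size_t *total_rets)
{
    size_t rets = 0, unprotected = 0;
    for (size_t i = 0; i < len; i++) {
        if (code[i] != 0xC3)
            continue;
        rets++;
        int stopped = (i + 1 < len && code[i + 1] == 0xCC) ||              /* int3 */
                      (i + 3 < len && code[i + 1] == 0x0F &&
                       code[i + 2] == 0xAE && code[i + 3] == 0xE8);         /* lfence */
        if (!stopped)
            unprotected++;
    }
    if (total_rets)
        *total_rets = rets;
    return unprotected;
}

int main(void)
{
    size_t total, bad;
    bad = sls_unprotected_rets(SAMPLE_UNHARDENED, sizeof SAMPLE_UNHARDENED, &total);
    printf("sample unhardened: %zu of %zu RETs lack INT3/LFENCE\n", bad, total);
    bad = sls_unprotected_rets(SAMPLE_HARDENED, sizeof SAMPLE_HARDENED, &total);
    printf("sample hardened:   %zu of %zu RETs lack INT3/LFENCE\n", bad, total);
#if defined(__x86_64__) && defined(__ELF__)
    /* Same scan over the live .text of the assembled functions. */
    const uint8_t *p = (const uint8_t *)sls_unhardened;
    bad = sls_unprotected_rets(p, (size_t)(sls_unhardened_end - p), &total);
    printf("live sls_unhardened: %zu of %zu unprotected, 2+3=%llu\n",
           bad, total, (unsigned long long)sls_unhardened(2, 3));
    p = (const uint8_t *)sls_hardened;
    bad = sls_unprotected_rets(p, (size_t)(sls_hardened_end - p), &total);
    printf("live sls_hardened:   %zu of %zu unprotected, 2+3=%llu\n",
           bad, total, (unsigned long long)sls_hardened(2, 3));
#endif
    return 0;
}
```

Both assembled functions behave identically from the program's point of view, which is the whole point: the INT3 is dead code architecturally and costs one byte, while closing the straight-line path that a Zen1/Zen2 core would otherwise fetch into. To check a real kernel or binary, disassemble it (`objdump -d`) and look for `ret`/`jmp` instructions that are not followed by `int3` or `lfence`, rather than relying on the raw-byte heuristic above.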

source: budenet.ru
