Vulnerabilities in eBPF that allow bypassing Spectre 4 mitigations

Two vulnerabilities have been identified in the Linux kernel that allow the eBPF subsystem to bypass the mitigations for the Spectre v4 attack (SSB, Speculative Store Bypass). Using an unprivileged BPF program, an attacker can create conditions for speculative execution of certain operations and determine the contents of arbitrary kernel memory. The maintainers of the kernel's eBPF subsystem were given a prototype exploit demonstrating that the attacks are feasible in practice. The problems have been fixed by patches (1, 2) that will become part of the next Linux kernel update. The distributions have not yet been updated (Debian, RHEL, SUSE, Arch, Fedora, Ubuntu).

The Spectre 4 attack method relies on recovering data that remains in the processor cache after the result of speculatively executed operations is discarded, when interleaved write and read operations that use indirect addressing are processed. When a read operation follows a write operation (for example, mov [rbx + rcx], 0x0; mov rax, [rdx + rsi]), the offset of the read address may already be known because of similar operations being performed (reads are performed far more often and can be served from the cache), and the processor may speculatively perform the read before the write, without waiting for the write's indirect offset to be computed.

If, after the offset is computed, the memory regions of the write and the read turn out to overlap, the processor simply discards the read result it has already obtained and repeats the operation. This behaviour lets the read instruction observe the old value at an address while the store to that address has not yet completed. After the unsuccessful speculative operation is discarded, traces of its execution remain in the cache, after which one of the methods for determining cache contents based on analysis of changes in cache access time for cached versus uncached data can be used to recover the data.

The first vulnerability (CVE-2021-35477) is caused by a flaw in the BPF program verifier. To protect against Spectre 4, the verifier inserts an additional instruction after potentially problematic stores to memory, which writes a zero value in order to displace the traces of the previous operation. The zero-write was expected to be very fast and to block speculative execution, since it depends only on the pointer to the BPF stack frame. In practice, however, it turned out to be possible to create conditions under which the instruction that triggers speculative execution has time to execute before that store. The fix replaces the zero-store sanitization with a dedicated BPF_NOSPEC speculation-barrier instruction (an lfence on x86) emitted before such stores.

The second vulnerability (CVE-2021-34556) is related to the fact that when the BPF verifier identifies potentially dangerous stores to memory, it does not take uninitialized regions of the BPF stack into account, so the first write to such a region is not protected. This makes it possible to perform a speculative read that depends on the uninitialized memory region before the store instruction executes. New memory for the BPF stack is allocated without checking the contents already present in the allocated memory, and there is a way to control the contents of the memory region that will later be allocated for the BPF stack before the BPF program starts.
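Because the attack vector is an unprivileged BPF program, the two things an administrator can check on a Linux host are whether unprivileged BPF is reachable at all (the kernel.unprivileged_bpf_disabled sysctl) and what the kernel reports about Speculative Store Bypass (the sysfs vulnerabilities file and the per-task prctl speculation control). The following C program is an added example, not code from the article or from the kernel patches. The file paths, sysfs status strings and prctl constants are the kernel's real interfaces; the input strings used in the self-check are constructed, and the prctl fallback definitions are only used when the system headers are too old to provide them.

```c
/* Added example: check a Linux host's exposure to the unprivileged-BPF
 * Spectre v4 (SSB) issues described above. It reads the kernel's own
 * status files and queries the per-task speculation control via prctl. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif

/* Speculation-control constants from linux/prctl.h; the fallback values are
 * only used if the system headers predate them (assumption: same ABI values). */
#ifndef PR_GET_SPECULATION_CTRL
#define PR_GET_SPECULATION_CTRL 52
#endif
#ifndef PR_SPEC_STORE_BYPASS
#define PR_SPEC_STORE_BYPASS 0
#define PR_SPEC_PRCTL (1UL << 0)
#define PR_SPEC_ENABLE (1UL << 1)
#define PR_SPEC_DISABLE (1UL << 2)
#define PR_SPEC_FORCE_DISABLE (1UL << 3)
#endif

enum ssb_state { SSB_UNKNOWN, SSB_NOT_AFFECTED, SSB_VULNERABLE, SSB_MITIGATED };

/* Classify one line of /sys/devices/system/cpu/vulnerabilities/spec_store_bypass.
 * The kernel prints "Not affected", "Vulnerable" or "Mitigation: ...". */
enum ssb_state classify_ssb_sysfs(const char *line)
{
    if (strncmp(line, "Not affected", 12) == 0) return SSB_NOT_AFFECTED;
    if (strncmp(line, "Mitigation:", 11) == 0)  return SSB_MITIGATED;
    if (strncmp(line, "Vulnerable", 10) == 0)   return SSB_VULNERABLE;
    return SSB_UNKNOWN;
}

/* Interpret the return value of prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS).
 * Returns 1 when SSB cannot be exploited against the calling task (CPU not
 * affected, or store bypass disabled), 0 when speculation is enabled or the
 * call failed (unsupported kernel: treat as unknown, i.e. not protected). */
int ssb_task_protected(long prctl_ret)
{
    if (prctl_ret < 0)  return 0;   /* prctl failed or not supported */
    if (prctl_ret == 0) return 1;   /* PR_SPEC_NOT_AFFECTED */
    return (prctl_ret & (PR_SPEC_DISABLE | PR_SPEC_FORCE_DISABLE)) != 0;
}

/* kernel.unprivileged_bpf_disabled: 0 means unprivileged users can load BPF
 * programs (the attack surface above); 1 or 2 means it is disabled.
 * Returns 1 when unprivileged BPF is allowed. */
int unprivileged_bpf_allowed(const char *sysctl_value)
{
    return strtol(sysctl_value, NULL, 10) == 0;
}

static int read_first_line(const char *path, char *buf, size_t len)
{
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    if (!fgets(buf, (int)len, f)) { fclose(f); return -1; }
    fclose(f);
    buf[strcspn(buf, "\n")] = '\0';
    return 0;
}

int main(void)
{
    char buf[256];
    if (read_first_line("/sys/devices/system/cpu/vulnerabilities/spec_store_bypass",
                        buf, sizeof buf) == 0)
        printf("spec_store_bypass: %s (state %d)\n", buf, classify_ssb_sysfs(buf));
    if (read_first_line("/proc/sys/kernel/unprivileged_bpf_disabled", buf, sizeof buf) == 0)
        printf("unprivileged BPF: %s\n",
               unprivileged_bpf_allowed(buf) ? "ALLOWED (attack surface)" : "disabled");
#ifdef __linux__
    long r = prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, 0, 0, 0);
    printf("SSB protected for this task: %s\n", ssb_task_protected(r) ? "yes" : "no");
#endif
    return 0;
}
```

Note that the sysfs line reflects the kernel's CPU-level mitigation status, not whether the BPF verifier patches above are present; a kernel can report "Mitigation: Speculative Store Bypass disabled via prctl" and still be affected by the verifier flaws for tasks that have not opted into SSB disable. Setting kernel.unprivileged_bpf_disabled to 1 or 2 removes the unprivileged attack vector regardless of the verifier's state.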

source: budenet.ru
