Retbleed: a new attack on the speculative execution mechanism of Intel and AMD CPUs

A group of researchers from ETH Zurich has identified a new attack on the mechanism for speculative execution of indirect branches in CPUs, which makes it possible to extract information from kernel memory or to attack the host system from within a virtual machine. The vulnerability is codenamed Retbleed (CVE-2022-29900, CVE-2022-29901) and is close in nature to the Spectre-v2 attacks. The difference comes down to achieving speculative execution of arbitrary code when the "ret" (return) instruction is processed, which fetches the jump address from the stack, rather than an indirect jump via a "jmp" instruction, which loads the address from memory or a CPU register.

An attacker can create the conditions for a branch misprediction and steer the targeted, speculatively executed branch into a code block that the program logic never intended. Eventually the processor determines that the branch prediction was wrong and rolls the operation back to its original state, but the data processed during speculative execution ends up in the cache and in microarchitectural buffers. If the erroneously executed block accesses memory, its speculative execution causes the data read from memory to be placed into the shared cache.

To determine what data remains in the cache after the speculative operations, the attacker can use side-channel methods, such as analysing changes in access times for cached and uncached data. To purposefully extract information from areas at another privilege level (for example, from kernel memory), "gadgets" are used: sequences of instructions present in the kernel that are suitable for speculatively reading data from memory depending on external conditions the attacker can influence.

To protect against classic Spectre-class attacks that use conditional and indirect jump instructions, most operating systems use the "retpoline" technique, which is based on replacing indirect jump operations with the "ret" instruction, for which processors use a separate stack-state prediction unit that does not involve the branch prediction block. When retpoline was introduced in 2018, it was believed that Spectre-style address manipulation was impractical for speculative branching through the "ret" instruction.

The researchers who developed the Retbleed attack method demonstrated that it is possible to create microarchitectural conditions for initiating a speculative branch via the "ret" instruction, and published a ready-made toolkit for identifying instruction sequences (gadgets) in the Linux kernel that are suitable for exploiting the vulnerability, where such conditions arise.

During the research, a working exploit was prepared that allows, on systems with Intel CPUs, arbitrary data to be extracted from kernel memory by an unprivileged user-space process at a rate of 219 bytes per second with 98% accuracy. On AMD processors the exploit's efficiency is much higher: the leak rate is 3.9 KB per second. As a practical example, we show how to use the proposed exploit to determine the contents of the /etc/shadow file. On systems with Intel CPUs, the attack to obtain the user's password hash took 28 minutes, and on systems with AMD CPUs, 6 minutes.

The attack has been confirmed on 6th to 8th generation Intel processors released before Q3 2019 (including Skylake), and on AMD processors based on the Zen 1, Zen 1+ and Zen 2 microarchitectures released before Q2 2021. On newer processor models such as AMD Zen 3 and Intel Alder Lake, as well as on ARM processors, the problem is blocked by existing protection mechanisms. For example, using the IBRS (Indirect Branch Restricted Speculation) instructions helps protect against the attack.

A set of changes has been prepared for the Linux kernel and the Xen hypervisor that blocks the problem in software on older CPUs. The proposed Linux kernel patch changes 68 files, adds 1783 lines and removes 387 lines. Unfortunately, the protection comes at a fairly high cost: in tests run on AMD and Intel processors, the performance drop is estimated at 14% to 39%. It is preferable to use the protection based on the IBRS instructions, which is available in newer generations of Intel CPUs and supported starting with Linux kernel 4.19.
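A defender-side check for the mitigation status that the kernel patches above expose, added here as an example and not taken from the article or from the kernel's own tooling. It assumes a Linux host whose kernel provides the sysfs vulnerabilities directory, and uses the 4.19 kernel threshold the article gives for IBRS-based protection.

```shell
#!/bin/sh
# Added example, not from the article: read what the running Linux kernel
# reports for Retbleed (and the related Spectre-v2 entry) and check whether
# the kernel is at least 4.19, which the article gives as the first release
# with IBRS-based protection. Each file under the sysfs directory below holds
# "Not affected", "Vulnerable", "Vulnerable: <why>", "Mitigation: <name>"
# or "Unknown: <why>".

SYSFS_VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# Map one sysfs status string to a one-word verdict on stdout.
classify_vuln_status() {
    case "$1" in
        "Not affected")  echo not-affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;   # "Unknown: ..." or unexpected text
    esac
}

# Exit 0 when a release string in uname -r format ("5.15.0-76-generic") is at
# least the given major and minor version; the "-suffix" is ignored.
kernel_at_least() {
    v=${1%%-*}; maj=${v%%.*}; rest=${v#*.}; min=${rest%%.*}
    [ "$maj" -gt "$2" ] || { [ "$maj" -eq "$2" ] && [ "$min" -ge "$3" ]; }
}

# Verdict for one live sysfs entry (argument: file name such as retbleed);
# prints "missing" on kernels that predate the entry.
live_vuln_verdict() {
    f="$SYSFS_VULN_DIR/$1"
    if [ -r "$f" ]; then
        classify_vuln_status "$(cat "$f")"
    else
        echo missing
    fi
}

# Print a short report covering the entries relevant to this article.
report_retbleed() {
    for issue in retbleed spectre_v2; do
        printf '%-10s %s\n' "$issue" "$(live_vuln_verdict "$issue")"
    done
    if kernel_at_least "$(uname -r)" 4 19; then
        echo "kernel $(uname -r) is new enough for IBRS-based protection"
    else
        echo "kernel $(uname -r) predates 4.19, no IBRS-based protection"
    fi
}
```

Call `report_retbleed` from the shell to run the live check; a "missing" verdict for retbleed means the kernel predates the Retbleed patch set and cannot report on it at all.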

On Intel processors, the substitution of the address for a speculative indirect jump is achieved thanks to a feature that appears when the Return Stack Buffer underflows. When such conditions occur, the "ret" instruction begins to use address-selection logic similar to that used for ordinary indirect jumps. More than a thousand places have been found in the Linux kernel that create the conditions for triggering such an underflow and are reachable through system calls.

On AMD processors, speculative execution of the "ret" instruction is performed without reference to a dedicated stack (the Return Address Stack), and the branch prediction unit treats the "ret" instruction not as a return of control but as an indirect branch, and accordingly uses the data for predicting indirect branches. Under these conditions, practically any "ret" operation reachable through a system call can be exploited.

In addition, another issue has been identified on AMD CPUs (CVE-2022-23825, Branch Type Confusion) related to the execution of fictitious branches: the conditions for a branch prediction can arise even without the corresponding branch instructions, which allows the branch prediction buffer to be influenced without a "ret" instruction. This feature greatly complicates the implementation of protection and requires more aggressive cleaning of the branch prediction buffer. Adding full protection to the kernel is expected to increase overhead by 209%.

Source: opennet.ru
