Retbleed is a new attack on the speculative execution mechanism of Intel and AMD CPUs

A group of researchers from ETH Zurich has identified a new attack on the speculative execution mechanism for indirect branches in the CPU, which makes it possible to extract information from kernel memory or to mount an attack on the host system from virtual machines. The vulnerability is codenamed Retbleed (CVE-2022-29900, CVE-2022-29901) and is close in nature to Spectre-v2 attacks. The difference comes down to arranging speculative execution of arbitrary code while processing the "ret" (return) instruction, which fetches the jump address from the stack, instead of an indirect jump using the "jmp" instruction, which loads the address from memory or a CPU register.

An attacker can create the conditions for a branch misprediction and arrange a targeted, speculative jump to a code block that the program's logic never intended. Eventually the processor determines that the branch prediction was not justified and rolls back the operations to the original state, but the data processed during speculative execution remains in the cache and in microarchitectural buffers. If the erroneously executed block accesses memory, its speculative execution causes the data read from memory to be placed in the shared cache.

To recover the data left in the cache after the speculative operations, an attacker can use side-channel techniques to determine the residual data, such as analysing the difference in access times for cached and uncached data. To deliberately extract information from areas at another privilege level (for example, from kernel memory), "gadgets" are used: sequences of instructions present in the kernel that are suitable for speculatively reading data from memory depending on external conditions that the attacker can influence.

To protect against classic Spectre-class attacks that use conditional and indirect jump instructions, most operating systems use the "retpoline" technique, which is based on replacing indirect jump operations with the "ret" instruction, for which processors use a separate stack-state prediction unit that does not use the branch prediction block. When retpoline was introduced in 2018, it was believed that Spectre-like address manipulation was impractical for speculative branching using the "ret" instruction.

The researchers who developed the Retbleed attack method demonstrated the possibility of creating microarchitectural conditions for initiating a speculative transition using "ret" instructions, and published ready-made tooling for identifying instruction sequences (gadgets) in the Linux kernel that are suitable for exploiting the vulnerability, where such conditions manifest themselves.

During the research, a working exploit was prepared that allows, on systems with Intel CPUs, extracting arbitrary data from kernel memory from an unprivileged user-space process at a rate of 219 bytes per second with 98% accuracy. On AMD processors the exploit's efficiency is much higher: the leak rate is 3.9 KB per second. As a practical example, they demonstrate how the proposed exploit can be used to determine the contents of the /etc/shadow file. On systems with Intel CPUs, the attack to obtain the root user's password hash took 28 minutes, and on systems with AMD CPUs, 6 minutes.

The attack has been confirmed on 6th to 8th generation Intel processors released before Q3 2019 (including Skylake), and on AMD processors based on the Zen 1, Zen 1+ and Zen 2 microarchitectures released before Q2 2021. On newer processor models such as AMD Zen 3 and Intel Alder Lake, as well as on ARM processors, the problem is blocked by existing protection mechanisms. For example, using IBRS (Indirect Branch Restricted Speculation) instructions helps protect against the attack.

A set of patches has been prepared for the Linux kernel and the Xen hypervisor that blocks the problem in software on older CPUs. The proposed patch for the Linux kernel changes 68 files, adds 1783 lines and removes 387 lines. Unfortunately, the protection comes with significant overhead: in tests on AMD and Intel processors, the performance degradation is estimated at 14% to 39%. It is preferable to use the IBRS-based protection, which is available in newer generations of Intel CPUs and has been supported since Linux kernel 4.19.

On Intel processors, the address substitution for the speculative indirect jump is achieved through a feature that manifests when an underflow occurs past the lower bound of the Return Stack Buffer. When such conditions arise, the "ret" instruction starts using an address selection logic similar to the one used for ordinary indirect jumps. More than a thousand locations have been found in the Linux kernel that create the conditions for initiating such a return and are reachable through system calls.

On AMD processors, speculative execution of the "ret" instruction is performed without reference to the stack-specific buffer (Return Address Stack), and the branch prediction unit treats the "ret" instruction not as a control-flow return but as an indirect branch, and accordingly uses the data for predicting indirect jumps. Under these conditions, practically any "ret" operation reachable through a system call can be exploited.

In addition, another issue has been identified in AMD CPUs (CVE-2022-23825, Branch Type Confusion) related to the execution of phantom branches: branch prediction conditions can arise even without the necessary branch instructions, which allows the branch prediction buffer to be influenced without a "ret" instruction. This feature greatly complicates the implementation of the protection and requires more active flushing of the branch prediction buffer. Adding full protection to the kernel is expected to raise the overhead by 209%.
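Once the patches described above are applied, the Linux kernel reports the Retbleed mitigation state (and, on AMD with the return-thunk or IBPB mitigation, whether SMT leaves the system still exposed) through sysfs. The following script is an added example for checking that state; it is not part of the article or the researchers' tooling. It relies on the kernel's own reporting conventions (the `/sys/devices/system/cpu/vulnerabilities/retbleed` file and the "Not affected" / "Mitigation: ..." / "Vulnerable..." prefixes, with an optional "; SMT ..." suffix); the status strings used in the demo calls are constructed samples.

```shell
#!/bin/sh
# Added example: classify the Retbleed status the Linux kernel exposes in sysfs.
# A kernel that predates the Retbleed patches has no such file at all, which
# the host check reports as "unknown" rather than as "not affected".
SYSFS_RETBLEED=/sys/devices/system/cpu/vulnerabilities/retbleed

# retbleed_class "STATUS LINE" -> not_affected | partial | mitigated | vulnerable | unknown
# "partial" covers the AMD case where the mitigation is active but the kernel
# still reports "SMT vulnerable" (sibling threads can train the predictor).
retbleed_class() {
  case "$1" in
    "Not affected"*)                      echo not_affected ;;
    "Mitigation: "*"SMT vulnerable"*)     echo partial ;;
    "Mitigation: "*)                      echo mitigated ;;
    "Vulnerable"*)                        echo vulnerable ;;
    *)                                    echo unknown ;;
  esac
}

# retbleed_mitigation "STATUS LINE" -> the mitigation name without the SMT
# suffix (e.g. "IBRS", "Enhanced IBRS", "untrained return thunk"), or empty.
retbleed_mitigation() {
  case "$1" in
    "Mitigation: "*) printf '%s\n' "${1#Mitigation: }" | cut -d';' -f1 ;;
    *)               printf '\n' ;;
  esac
}

# check_host: read the live sysfs entry if this kernel provides it.
check_host() {
  if [ -r "$SYSFS_RETBLEED" ]; then
    line=$(cat "$SYSFS_RETBLEED")
    printf 'retbleed: %s [%s] (%s)\n' \
      "$(retbleed_class "$line")" "$(retbleed_mitigation "$line")" "$line"
  else
    echo "retbleed: unknown ($SYSFS_RETBLEED missing; kernel predates the Retbleed patches)"
  fi
}

# Constructed sample lines, in the shapes the kernel emits, for a quick demo.
for sample in "Not affected" "Mitigation: Enhanced IBRS" \
              "Mitigation: untrained return thunk; SMT vulnerable" "Vulnerable"; do
  printf '%-52s -> %s\n' "$sample" "$(retbleed_class "$sample")"
done
check_host
```

Run it as root or any user (the sysfs file is world-readable); a "partial" or "vulnerable" result on an affected CPU generation is the signal to revisit the `retbleed=` boot option or SMT settings.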

Source: opennet.ru
