Vulnerabilities in eBPF that allow the Spectre v4 mitigation to be bypassed

Two vulnerabilities have been identified in the Linux kernel that allow the eBPF subsystem to be used to bypass the protection against Spectre v4 (SSB, Speculative Store Bypass) attacks. By loading an unprivileged BPF program, an attacker can create conditions for the speculative execution of certain operations and determine the contents of arbitrary regions of kernel memory. The maintainers of the kernel's eBPF subsystem have been given a prototype exploit demonstrating that the attack is feasible in practice. The issues have been fixed in the form of patches (1, 2), which will be included in the next Linux kernel update. Distribution package updates have not yet been released (Debian, RHEL, SUSE, Arch, Fedora, Ubuntu). Since both issues require loading a BPF program as an unprivileged user, systems that do not need unprivileged BPF can close the exposure until updated kernels ship by setting the sysctl kernel.unprivileged_bpf_disabled=1.

The Spectre v4 attack method relies on recovering data that remains in the processor cache after the result of speculatively executed operations has been discarded, when the processor handles interleaved store and load operations that use indirect addressing. When a load follows a store (for example, mov [rbx + rcx], 0x0; mov rax, [rdx + rsi]), the offset of the load address may already be known because of similar operations executed earlier (loads are performed frequently and can be served from cache), and the processor may then speculatively perform the load before the store, without waiting for the indirect offset of the store to be computed.

If, once the offset has been computed, the memory regions of the store and the load turn out to overlap, the processor simply discards the speculatively obtained load result and repeats the operation. This behaviour allows a load instruction to observe the stale value at an address while the store to that address has not yet completed. After the failed speculative operation is discarded, traces of its execution remain in the cache, and one of the usual cache-probing techniques can then recover them by measuring the difference in access time between cached and uncached data.

The first vulnerability (CVE-2021-35477) is caused by a flaw in the mechanism used to verify BPF programs. To protect against Spectre v4 attacks, the verifier inserts, immediately before a potentially problematic store to the BPF stack, an additional instruction that writes a zero value to the same slot in order to wipe out the traces of the previous operation. This zeroing store was expected to execute very quickly and to block speculative execution, because its address depends only on the pointer to the BPF stack frame. In practice, however, it turned out to be possible to create conditions in which the instruction that triggers the speculative execution manages to execute before the preempting zeroing store.

The second vulnerability (CVE-2021-34556) stems from the fact that, when the BPF verifier identifies potentially dangerous stores to memory, it does not take into account uninitialised regions of the BPF stack, so the first store to such a slot is left unprotected. This makes it possible to execute a speculative load that depends on the uninitialised memory region before the store instruction executes. Fresh memory for the BPF stack is allocated without checking or clearing the contents already present in it, and there is a way, before the BPF program starts, to manipulate the contents of the memory region that will subsequently be allocated for the BPF stack.
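The following C program is an added example, not kernel code, that models the verifier decision described in the two paragraphs above: whether a given store to the BPF stack gets a preempting sanitisation instruction in front of it. It assumes a simplified view of the verifier (one type per 8-byte slot, the three slot states STACK_INVALID, STACK_MISC and STACK_SPILL, and no constant-spill case) and models two policies: the pre-fix rule, which only sanitised a store when the slot already held a scalar, and the upstream fix, which emits a BPF_NOSPEC barrier before every stack store in unprivileged programs. The program, slot numbers and policy function names are constructed for illustration.

```c
/* Toy model of the BPF verifier's Spectre v4 stack-store sanitisation
 * decision. Added example, not kernel code: the real verifier tracks slot
 * types per byte and has more slot states; this model keeps one type per
 * 8-byte slot and omits the constant-spill case. */
#include <stdbool.h>
#include <stdio.h>

#define STACK_SLOTS 8          /* model stack: 8 slots of 8 bytes */

/* Slot types named after the verifier's own; STACK_INVALID is a slot the
 * program has never written, i.e. whatever the kernel stack held before. */
enum slot_type { STACK_INVALID = 0, STACK_MISC, STACK_SPILL };

/* What is being stored: a spilled pointer is what an attacker wants to
 * read back speculatively, a scalar is harmless on its own. */
enum val_type { VAL_SCALAR, VAL_PTR };

struct verifier_state {
    enum slot_type slot[STACK_SLOTS];
    bool allow_ptr_leaks;      /* true for privileged loaders (CAP_PERFMON / CAP_SYS_ADMIN) */
};

struct store {
    int slot;
    enum val_type val;
};

typedef bool (*sanitize_policy)(const struct verifier_state *, int);

/* Pre-fix rule (kernels up to 5.13.7): emit the zeroing preempting store
 * only when the slot already holds a scalar. An untouched STACK_INVALID
 * slot is not sanitised, which is the gap behind CVE-2021-34556. */
static bool old_policy_sanitize(const struct verifier_state *st, int slot)
{
    if (st->allow_ptr_leaks)
        return false;
    return st->slot[slot] == STACK_MISC;
}

/* Post-fix rule: every stack store in an unprivileged program gets a
 * BPF_NOSPEC barrier in front of it, regardless of what the slot held. */
static bool new_policy_sanitize(const struct verifier_state *st, int slot)
{
    (void)slot;
    return !st->allow_ptr_leaks;
}

/* Apply one store: report whether a barrier/preempting store was emitted
 * and update the slot type the way the verifier would. */
static bool check_stack_write(struct verifier_state *st, const struct store *s,
                              sanitize_policy policy)
{
    bool sanitized = policy(st, s->slot);
    st->slot[s->slot] = (s->val == VAL_PTR) ? STACK_SPILL : STACK_MISC;
    return sanitized;
}

/* Run a program (sequence of stores) and count the stores that were NOT
 * sanitised, i.e. the candidate Spectre v4 gadgets left in the program. */
static int unsanitized_stores(const struct store *prog, int n, bool privileged,
                              sanitize_policy policy)
{
    struct verifier_state st = { .allow_ptr_leaks = privileged }; /* slots start STACK_INVALID */
    int unsanitized = 0;
    for (int i = 0; i < n; i++)
        if (!check_stack_write(&st, &prog[i], policy))
            unsanitized++;
    return unsanitized;
}

/* Constructed sample program: a scalar store is the first write to slot 0
 * (the CVE-2021-34556 pattern: the slot still holds stale kernel-stack
 * data), then slot 0 is reused for a pointer spill, then slot 1 receives a
 * pointer spill as its very first write. */
static const struct store sample_prog[] = {
    { 0, VAL_SCALAR },
    { 0, VAL_PTR },
    { 1, VAL_PTR },
};
#define SAMPLE_LEN ((int)(sizeof sample_prog / sizeof sample_prog[0]))

int main(void)
{
    printf("old policy, unprivileged: %d unsanitized stores\n",
           unsanitized_stores(sample_prog, SAMPLE_LEN, false, old_policy_sanitize));
    printf("new policy, unprivileged: %d unsanitized stores\n",
           unsanitized_stores(sample_prog, SAMPLE_LEN, false, new_policy_sanitize));
    printf("new policy, privileged:   %d unsanitized stores\n",
           unsanitized_stores(sample_prog, SAMPLE_LEN, true, new_policy_sanitize));
    return 0;
}
```

Under the old rule the two first-writes to untouched slots (stores 1 and 3) pass without a preempting store while only the overwrite of a scalar slot (store 2) is sanitised; under the fixed rule every store in the unprivileged program is preceded by a barrier, and privileged programs, which may already read kernel pointers, are left unsanitised by both rules.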

Source: opennet.ru
