CVE-2024-26992
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-26992
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-26992.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2024-26992
- Downstream
- Related
- Published
- 2024-05-01T05:27:57Z
- Modified
- 2025-10-09T07:21:07.341100Z
- Summary
- KVM: x86/pmu: Disable support for adaptive PEBS
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
KVM: x86/pmu: Disable support for adaptive PEBS
Drop support for virtualizing adaptive PEBS, as KVM's implementation is architecturally broken without an obvious/easy path forward, and because exposing adaptive PEBS can leak host LBRs to the guest, i.e. can leak host kernel addresses to the guest.
Bug #1 is that KVM doesn't account for the upper 32 bits of IA32FIXEDCTRCTRL when (re)programming fixed counters, e.g fixedctrlfield() drops the upper bits, reprogramfixed_counters() stores local variables as u8s and truncates the upper bits too, etc.
Bug #2 is that, because KVM always sets preciseip to a non-zero value for PEBS events, perf will _always generate an adaptive record, even if the guest requested a basic record. Note, KVM will also enable adaptive PEBS in individual counter, even if adaptive PEBS isn't exposed to the guest, but this is benign as MSRPEBSDATA_CFG is guaranteed to be zero, i.e. the guest will only ever see Basic records.
Bug #3 is in perf. intelpmudisablefixed() doesn't clear the upper bits either, i.e. leaves ICLFIXED0ADAPTIVE set, and intelpmuenablefixed() effectively doesn't clear ICLFIXED0ADAPTIVE either. I.e. perf always enables ADAPTIVE counters, regardless of what KVM requests.
Bug #4 is that adaptive PEBS might effectively bypass event filters set by the host, as "Updated Memory Access Info Group" records information that might be disallowed by userspace via KVMSETPMUEVENTFILTER.
Bug #5 is that KVM doesn't ensure LBR MSRs hold guest values (or at least zeros) when entering a vCPU with adaptive PEBS, which allows the guest to read host LBRs, i.e. host RIPs/addresses, by enabling "LBR Entries" records.
Disable adaptive PEBS support as an immediate fix due to the severity of the LBR leak in particular, and because fixing all of the bugs will be non-trivial, e.g. not suitable for backporting to stable kernels.
Note! This will break live migration, but trying to make KVM play nice with live migration would be quite complicated, wouldn't be guaranteed to work (i.e. KVM might still kill/confuse the guest), and it's not clear that there are any publicly available VMMs that support adaptive PEBS, let alone live migrate VMs that support adaptive PEBS, e.g. QEMU doesn't support PEBS in any capacity.
- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/037e48ceccf163899374b601afb6ae8d0bf1d2ac
- https://git.kernel.org/stable/c/0fb74c00d140a66128afc0003785dcc57e69d312
- https://git.kernel.org/stable/c/7a7650b3ac23e5fc8c990f00e94f787dc84e3175
- https://git.kernel.org/stable/c/9e985cbf2942a1bb8fcef9adc2a17d90fd7ca8ee
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedc59a1f106f5cd4843c097069ff1bb2ad72103a67Fixed0fb74c00d140a66128afc0003785dcc57e69d312
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedc59a1f106f5cd4843c097069ff1bb2ad72103a67Fixed037e48ceccf163899374b601afb6ae8d0bf1d2ac
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedc59a1f106f5cd4843c097069ff1bb2ad72103a67Fixed7a7650b3ac23e5fc8c990f00e94f787dc84e3175
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedc59a1f106f5cd4843c097069ff1bb2ad72103a67Fixed9e985cbf2942a1bb8fcef9adc2a17d90fd7ca8ee