The Linux kernel is known for its robust virtualization capabilities, especially through KVM (Kernel-based Virtual Machine). However, in early 2024, a serious vulnerability—CVE-2024-26992—was uncovered and patched. This long-read breaks down what happened, why it’s important, how the kernel community responded, and what it means for sysadmins and developers running Linux VMs.

What Is Adaptive PEBS? (And Why Should I Care?)

PEBS stands for Precise Event-Based Sampling. It's a feature on Intel CPUs that makes performance monitoring much more accurate, especially when troubleshooting or profiling applications. Adaptive PEBS is an advanced version that provides even more detailed insights but requires careful control because it interacts deeply with how the hardware works.

KVM lets you virtualize performance monitoring units (PMUs) so that VMs (guests) can use PEBS too… But as we'll see, things got tricky.

High-level Summary

- Multiple bugs in KVM’s Adaptive PEBS virtualization allowed leaking sensitive host data—specifically, Last Branch Records (LBRs)—to guest VMs.
- LBRs track recent CPU instruction addresses ("branches"), and leaking these can give away kernel addresses—potentially undermining ASLR or even revealing vulnerabilities.

1. Mishandling of PMU Register Bits

KVM did not properly track the upper 32 bits of IA32_FIXED_CTR_CTRL (a control register). For example, helper functions like fixed_ctrl_field() and reprogram_fixed_counters() silently dropped those upper bits.

Example (Simplified)

// Incorrect: storing the 64-bit register in a u8 truncates it (should be u64)
u8 ctr_ctrl = vmcs_readl(VMX_FIXED_CTR_CTRL);
// Only the lower 8 bits survive; the upper 32 bits are silently dropped

Result: The guest could get or set bits it should never touch.

2. Always On: Adaptive Mode

KVM set the precise_ip attribute for all PEBS events—this forced Adaptive PEBS on, even when the guest asked for just basic records.

- This mismatch confused expectations and made VMs act as if more advanced features were available than advertised.

3. perf Subsystem Issues

The kernel's *perf* subsystem had its own bugs: functions like intel_pmu_disable_fixed() and intel_pmu_enable_fixed() didn’t clean up the upper control bits. This left adaptive settings enabled, no matter what KVM wanted.
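
The truncation from bug 1 and the incomplete cleanup from bug 3, modeled as an added example (not kernel code and not from the original patch). The helper names are hypothetical, and the bit layout (a 4-bit field per fixed counter at bit 4*idx, Adaptive_Record at bit 32 + 4*idx) is assumed from the Intel SDM.

```c
#include <stdint.h>
#include <stdio.h>

/* Layout assumed from the Intel SDM: counter idx owns a 4-bit field at
 * bits [4*idx+3 : 4*idx] and an Adaptive_Record bit at bit 32 + 4*idx. */
#define FIXED_FIELD_MASK   0xFULL
#define FIXED_ADAPTIVE_BIT (1ULL << 32)

/* Hypothetical model of the truncating helper: the u8 return type keeps
 * only the low 4-bit field, so the adaptive bit is invisible to callers. */
static uint8_t field_truncated(uint64_t ctrl, int idx)
{
    return (uint8_t)((ctrl >> (idx * 4)) & FIXED_FIELD_MASK);
}

/* 64-bit-aware form: returns the 4-bit field plus the adaptive bit. */
static uint64_t field_full(uint64_t ctrl, int idx)
{
    uint64_t mask = (FIXED_FIELD_MASK | FIXED_ADAPTIVE_BIT) << (idx * 4);
    return (ctrl & mask) >> (idx * 4);
}

/* Disable that clears only the low field: the adaptive bit stays set. */
static uint64_t disable_low_only(uint64_t ctrl, int idx)
{
    return ctrl & ~(FIXED_FIELD_MASK << (idx * 4));
}

/* Disable that clears the field and the adaptive bit together. */
static uint64_t disable_full(uint64_t ctrl, int idx)
{
    return ctrl & ~((FIXED_FIELD_MASK | FIXED_ADAPTIVE_BIT) << (idx * 4));
}

int main(void)
{
    /* Constructed values: counter 1 enabled for OS+USR (0x3), then the
     * same setting with Adaptive_Record requested for counter 1. */
    uint64_t old_ctrl = 0x3ULL << 4;
    uint64_t new_ctrl = old_ctrl | (FIXED_ADAPTIVE_BIT << 4);
    printf("change seen: truncated=%d full=%d\n",
           field_truncated(old_ctrl, 1) != field_truncated(new_ctrl, 1),
           field_full(old_ctrl, 1) != field_full(new_ctrl, 1));
    printf("after disable: low-only=%#llx full=%#llx\n",
           (unsigned long long)disable_low_only(new_ctrl, 1),
           (unsigned long long)disable_full(new_ctrl, 1));
    return 0;
}
```

A comparison done on the truncated field reports no change when only the adaptive bit differs, and a disable that masks only the low field leaves that bit set in the register.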

4. Host-Side Event Filter Bypass

There was a risk that Adaptive PEBS could bypass event filters, meaning the host’s admins couldn't reliably control which performance data guests could collect. Not good for security boundaries.

5. Leaked LBRs into the Guest

This was the worst: KVM didn’t clear LBR (Last Branch Record) MSRs (Model Specific Registers) when running a guest with Adaptive PEBS enabled. The guest could see the host’s recent instruction addresses—disclosing kernel code locations!

A guest could read LBR records like this (conceptually):

uint64_t lbr_value = rdmsr(MSR_LBR_); // This might hold host addresses!

Potential result: The guest could deduce where the host’s kernel code lives—a *big* security risk.

The Resolution: Cut Off Adaptive PEBS Virtualization

Because these problems were severe and the fixes were not trivial, the Linux kernel maintainers decided to simply disable Adaptive PEBS virtualization in KVM for now. This prevents all the data-leak issues at once.

Note: This breaks live VM migration between kernels with and without the Adaptive PEBS feature, but given that almost no public VMs or VMMs (like QEMU) supported it yet, this is seen as a safe tradeoff.

What Should You Do?

- If you run or manage Linux machines with virtualization and let guests use advanced performance features, update your kernel ASAP.

This applies when guests are allowed to use these PMU features (rare for typical cloud VMs, but possible).

- If you develop virtualization management stacks: Be aware that Adaptive PEBS virtualization is now gone, so don’t expect it to work, and plan your migration scenarios without it.

Final Words

CVE-2024-26992 is a classic example of how virtualization security requires laser-sharp attention to detail, especially around features that expose hardware data to virtual guests. Even subtle mistakes in handling CPU control bits can turn into serious information leaks.

The fix—disabling adaptive PEBS for now—might seem drastic, but it’s the quickest path to safety until a more robust implementation is ready. Always keep your systems updated and pay close attention to which performance features you expose to guests.

Stay safe, and keep an eye on future kernel release notes for further improvements.

Timeline

Published on: 05/01/2024 06:15:16 UTC
Last modified on: 05/04/2025 09:01:40 UTC