A kernel vulnerability allows privilege escalation through directory manipulation

Security researchers at Qualys (a cloud security, compliance and related services company) recently released details of a vulnerability they discovered that affects the Linux kernel.

CVE-2021-33909 affects the kernel and allows a local user to achieve code execution and escalate privileges by manipulating deeply nested directories.

The vulnerability is caused by the lack of validation of the result of converting size_t to the int type before operations are performed in the seq_file code, which creates files from a sequence of records. The missing validation can lead to a write outside the bounds of the buffer when creating, mounting and deleting a directory structure with a very high nesting level (a path size greater than 1 GB).

Any unprivileged user can gain root privileges on a vulnerable host by exploiting this vulnerability.

As a result, an attacker can get the 10-byte string "//deleted" written at an offset of "-2 GB - 10 bytes", which points to the area immediately before the allocated buffer.
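The arithmetic behind the "-2 GB - 10 bytes" offset, as an added user-space example (not kernel code and not part of the original article). The function names, the one-page starting size and the doubling growth are a simplified model assumed here, on a 64-bit Linux/GCC target where an out-of-range size_t to int conversion wraps; the code only computes offsets and never touches memory.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

_Static_assert(sizeof(size_t) == 8, "model assumes a 64-bit size_t");

/* The 10 bytes the article mentions: 9 characters plus the terminating NUL. */
static const char MARKER[] = "//deleted";

/* Assumed model: the record buffer starts at one page and doubles until the
 * record fits, so a path just over 1 GB ends up in a 2 GB buffer. */
static size_t grow_until_fits(size_t record_len)
{
    size_t size = 4096;
    while (size < record_len)
        size <<= 1;
    return size;
}

/* Flawed form: the size_t size is handed to code that works with int. */
static int narrow_unchecked(size_t size) { return (int)size; }

/* Hardened form (illustrative): refuse any size an int cannot represent. */
static int narrow_checked(size_t size, int *out)
{
    if (size > (size_t)INT_MAX)
        return -1;
    *out = (int)size;
    return 0;
}

/* Offset from the buffer start at which a marker placed "at the end" of a
 * buffer of length buflen would land. Pure arithmetic, no pointer involved. */
static int64_t marker_offset(int buflen)
{
    return (int64_t)buflen - (int64_t)sizeof(MARKER);
}

int main(void)
{
    size_t paths[] = { 200, 100000, ((size_t)1 << 30) + 1 }; /* constructed */
    for (size_t i = 0; i < sizeof(paths) / sizeof(paths[0]); i++) {
        size_t size = grow_until_fits(paths[i]);
        int len = narrow_unchecked(size), safe;
        printf("path=%zu buf=%zu int=%d offset=%lld checked=%s\n", paths[i],
               size, len, (long long)marker_offset(len),
               narrow_checked(size, &safe) == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```

For the last constructed path the buffer size is 2 GB, the int view of it is negative, and the marker offset lands before the buffer start, while the checked conversion rejects the size outright.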

The threat posed by the vulnerability is compounded by the fact that the researchers were able to prepare working exploits on Ubuntu 20.04, Debian 11 and Fedora 34 in their default configurations. It is noted that other distributions were not tested, but in theory they are also susceptible to the problem and can be attacked.

Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host. Qualys security researchers were able to independently verify the vulnerability, develop an exploit, and obtain full root privileges on default installations of Ubuntu 20.04, Ubuntu 20.10, Ubuntu 21.04, Debian 11 and Fedora 34 Workstation. Other Linux distributions are likely vulnerable and probably exploitable.

The exploit works by creating a hierarchy of about a million nested directories through mkdir() calls in order to reach a file path size greater than 1 GB.

This directory is bind-mounted in a separate user namespace, after which rmdir() is run to remove it. In parallel, a thread is created that loads a small eBPF program, which is held at the stage after the eBPF code has been verified but before its JIT compilation.

In the unprivileged user namespace, the file /proc/self/mountinfo is opened and the long path of the bind-mounted directory is read, which results in the string "//deleted" being written to the region before the start of the buffer. The position of the write is chosen so that it overwrites an instruction in the eBPF program that has already been verified but not yet compiled.

Furthermore, at the level of the eBPF program, the uncontrolled out-of-buffer write is turned into a controlled ability to read and write other kernel structures by manipulating the btf and map_push_elem structures.

The exploit then locates the modprobe_path[] buffer in kernel memory and overwrites the "/sbin/modprobe" path in it, which allows any executable file to be launched as root when a request_module() call is made, which happens, for example, when a netlink socket is created ...

The researchers provided several workarounds that are effective only against a specific exploit, but do not fix the problem itself.

It is therefore recommended to set the parameter "/proc/sys/kernel/unprivileged_userns_clone" to 0 to disable mounting directories in a separate user namespace, and "/proc/sys/kernel/unprivileged_bpf_disabled" to 1 to disable loading eBPF programs into the kernel.

In addition, all users of Linux distributions are advised to update their systems to obtain the corresponding patch. The problem has been present since July 2014 and affects kernel versions starting with 3.16. The patch for the vulnerability was coordinated with the community and accepted into the kernel on July 19.

Finally, if you are interested in knowing more about it, you can consult the details in the following link.

