A vulnerability in the kernel allows privilege escalation through directory manipulation

systemd vulnerability

Researchers at Qualys (a cloud security, compliance and related services company) recently published details of a vulnerability they identified that affects the Linux kernel.

CVE-2021-33909 affects the kernel and allows a local user to achieve code execution and escalate privileges by manipulating deeply nested directories.

The vulnerability is caused by a missing check on the result of converting a size_t to an int before operations are performed in the seq_file code, which generates files from a sequence of records. The missing check can lead to a write outside the bounds of the buffer when creating, mounting, and deleting a directory structure with a very high nesting level (a path size greater than 1 GB).

Any unprivileged user can obtain root privileges on a vulnerable host by exploiting this vulnerability in a default configuration.

As a result, an attacker can get the 10-byte string "//deleted" written at an offset of "-2 GB - 10 bytes", pointing to the area immediately before the allocated buffer.
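The size_t-to-int narrowing behind that offset can be modelled in user space. This is an added example, not code from the kernel or from Qualys: the function names are hypothetical, and the model only computes where the 10-byte tail would land, without performing any write.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

#define TAIL "//deleted"                       /* 9 characters + NUL = 10 bytes */
#define TAIL_LEN ((long long)sizeof(TAIL))

/* Hypothetical path helper: receives the buffer length as an int and
 * places the tail at the end of the buffer. Returns the byte offset,
 * relative to the start of the buffer, where the tail would begin. */
static long long tail_offset(int buflen)
{
    return (long long)buflen - TAIL_LEN;
}

/* Unchecked caller: the size_t is silently narrowed to int. The result
 * of an out-of-range conversion is implementation-defined; gcc and
 * clang wrap modulo 2^32, so 2 GB becomes INT_MIN. */
long long offset_unchecked(size_t bufsize)
{
    return tail_offset((int)bufsize);
}

/* Checked caller: reject sizes that cannot be represented as an int
 * (or cannot hold the tail at all). Returns 0 on success, -1 on reject. */
int offset_checked(size_t bufsize, long long *off)
{
    if (bufsize > (size_t)INT_MAX || bufsize < sizeof(TAIL))
        return -1;
    *off = tail_offset((int)bufsize);
    return 0;
}

int main(void)
{
    /* Constructed sample sizes: one page, 1 GB, 2 GB. */
    size_t sizes[] = { 4096, (size_t)1 << 30, (size_t)1 << 31 };
    for (size_t i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++) {
        long long off = 0;
        int rc = offset_checked(sizes[i], &off);
        printf("size=%zu unchecked=%lld checked=%s\n", sizes[i],
               offset_unchecked(sizes[i]), rc ? "rejected" : "accepted");
    }
    return 0;
}
```

With a 2 GB buffer size the unchecked path yields the "-2 GB - 10 bytes" offset the article mentions, while the checked path refuses the size before any pointer arithmetic happens.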

The threat posed by the vulnerability is heightened by the fact that the researchers were able to prepare working exploits on Ubuntu 20.04, Debian 11, and Fedora 34 in their default configurations. Other distributions have not been tested, but they are assumed to be affected by the problem as well and could be attacked.

Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host. Qualys security researchers were able to independently verify the vulnerability, develop an exploit, and obtain full root privileges on default installations of Ubuntu 20.04, Ubuntu 20.10, Ubuntu 21.04, Debian 11, and Fedora 34 Workstation. Other Linux distributions are likely vulnerable and probably exploitable.

The exploit's work comes down to creating a hierarchy of about a million nested directories through mkdir() calls in order to reach a path size greater than 1 GB.

This directory is bind-mounted in a separate user namespace, after which the rmdir() function is run to remove it. In parallel, a thread is created that loads a small eBPF program, which is held at the stage after the eBPF pseudocode has been verified but before its JIT compilation.

In the unprivileged user ID namespace, the /proc/self/mountinfo file is opened and the path of the bind-mounted directory is read, which causes the string "//deleted" to be written to the region before the start of the buffer. The position for writing the string is chosen so that it overwrites an instruction in the eBPF program that has already been verified but not yet compiled.

Next, at the level of the eBPF program, the uncontrolled out-of-buffer write is turned into a controlled ability to read and write other kernel structures by manipulating the btf and map_push_elem structures.

The exploit then locates the modprobe_path[] buffer in kernel memory and overwrites the "/sbin/modprobe" path in it, which allows any executable file to be launched as root when a request_module() call is made, for example when creating a netlink socket ...

The researchers provided several workarounds that are effective only against a specific exploit, but they do not fix the problem itself.

It is therefore recommended to set the parameter "/proc/sys/kernel/unprivileged_userns_clone" to 0 to disable mounting directories in a separate user ID namespace, and "/proc/sys/kernel/unprivileged_bpf_disabled" to 1 to disable loading eBPF programs into the kernel.

In addition, all users of Linux distributions are advised to update their systems to get the corresponding patch. The problem has been present since July 2014 and affects kernel versions since 3.16. The patch for the vulnerability was coordinated with the community and accepted into the kernel on July 19.

Finally, if you are interested in learning more about it, you can consult the details at the following link.

