Kukanganisa kwakawanda kwaonekwa muLinux Kernel

Munguva pfupi yapfuura, nhau dzakaburitswa kuti kusadzivirirwa kwakati wandei kwakaonekwa senjodzi kwakaonekwa mune linux kernel uye izvo zvinobvumira mushandisi wepanzvimbo kusimudza ropafadzo dzavo pane system.

Yekutanga yehurema ndeye CVE-2022-0995 uye ndizvo iripo muchiitiko chekutevera subsystem "watch_queue" uye izvi zvinoita kuti data inyorwe kunzvimbo yekernel memory kunze kweiyo buffer yakagoverwa. Kurwiswa kwacho kunogona kuitwa nechero mushandisi pasina ropafadzo uye kuita kuti kodhi yavo iitwe nerusambwa rwe kernel.

Kusagadzikana kuripo muwatch_queue_set_size () basa uye kunobatanidzwa nekuyedza kubvisa zvese zvinongedzo kubva pane rondedzero, kunyangwe zvisina kupihwa ndangariro. Dambudziko rinozviratidza pakuvaka kernel ne "CONFIG_WATCH_QUEUE=y" sarudzo, iyo inoshandiswa neakawanda Linux kugovera.

Izvo zvinotaurwa kuti kushomeka yakagadziriswa mune shanduko yakawedzerwa kune kernel musi waKurume 11.

Kusagadzikana kwechipiri kwakaburitswa ndiko CVE-2022-27666 chii iripo mu kernel modules esp4 uye esp6 iyo inoshandisa Encapsulating Security Payload (ESP) shanduko yeIPsec inoshandiswa kana uchishandisa ese IPv4 uye IPv6.

Kunetseka inobvumira mushandisi wepanzvimbo ane ropafadzo dzakajairika kunyora pamusoro zvinhu mukernel memory uye kukwidziridza maropafadzo avo. muhurongwa. Dambudziko riripo nekuda kwekukanganisika pakati pehukuru hwendangariro yakagoverwa uye data yakagamuchirwa, sezvo hukuru hwemeseji hunogona kudarika saizi yepamusoro yendangariro yakagoverwa ye skb_page_frag_refill chimiro.

Izvo zvinotaurwa kuti kusagadzikana kwakagadziriswa mukernel munaKurume 7 (yakagadziriswa mu5.17, 5.16.15, nezvimwewo), pamwe chete chirongwa chekushanda chakaburitswa kubva mukubiridzira kunobvumira mushandisi akajairwa kuwana midzi yekuwana paUbuntu Desktop 21.10 mune default marongero. paGitHub.

Izvo zvinotaurwa kuti nekuchinja kudiki, iko kushandiswa kuchashandawo paFedora neDebian. Zvinofanira kucherechedzwa kuti kubiridzira kwacho kwakambogadzirirwa makwikwi epwn2own 2022, asi iyo bug yakabatana yakaonekwa uye yakagadziriswa nevagadziri vekernel, saka zvakazosarudzwa kuburitsa pachena ruzivo rwekusagadzikana.

Mamwe mavulnerabilities akaburitswa ndeaya CVE-2022-1015 y CVE-2022-1016 mune netfilter subsystem mune nf_tables module iyo inodyisa nftables packet filter. Muongorori akaziva nyaya idzi akazivisa kugadzirira kwekushandisa zvibodzwa zvese zviri zviviri kusasimba, izvo zvakarongwa kuburitswa mazuva mashoma mushure mekugovera kuburitsa kernel package.

Dambudziko rekutanga inobvumira mushandisi wepanzvimbo asina rusaruro kuti awane kunze-kwe-maganho nyora kune stack. Kufashukira kunoitika mukugadziriswa kweakaumbwa zvakanaka nftables matauriro anogadziriswa panguva yekusimbisa chikamu che indexes inopihwa nemushandisi ane mukana kune iyo nftables mitemo.

Kukanganisa kuri kukonzerwa kune chokwadi chekuti vagadziri vaireva izvozvo kukosha kwe "enum nft_registers reg" imwe byte, nepo kana mamwe ma optimizations akagoneswa, iyo compiler, maererano nekutsanangurwa kweC89, unogona kushandisa 32 bit value nokuda kwayo. Nekuda kweiyi quirk, saizi inoshandiswa kutarisa uye kugovera ndangariro haienderane nehukuru chaihwo hweiyo data muchimiro, zvichitungamira mukuswededzwa kwechimiro pane stack anonongedzera.

Dambudziko rinogona kushandiswa kuita kodhi pane kernel level, asi kurwisa kwakabudirira kunoda kuwana nfttables.

Anogona kuwanikwa munzvimbo yakaparadzana yemazita etiweki (network namespaces) ine CLONE_NEWUSER kana CLONE_NEWNET kodzero (semuenzaniso, kana uchikwanisa kumhanyisa mudziyo uri wega). Kusadzikama kwacho kune hukama zvakanyanya neiyo optimizations inoshandiswa nemubatanidzwa, iyo, semuenzaniso, inogoneswa kana ichigadzira mu "CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE=y" modhi. Kushandiswa kwekusagadzikana kunogoneka seLinux kernel 5.12.

Kusagadzikana kwechipiri munetfilter kunoitika kana uchiwana nzvimbo yendangariro yakatosunungurwa (shandisa-mushure-yemahara) mune nft_do_chain mutyairi uye inogona kukonzera kudonha kweuninitialized kernel memory nzvimbo dzinogona kuverengerwa nekugadzirisa nenftables mataurirwo uye kushandiswa, semuenzaniso, kuona mapoinzi kero panguva yekusimudzira mashandisiro kune humwe hurema. Kushandiswa kwekusagadzikana kunogoneka seLinux kernel 5.13.

Kusagadzikana kwakagadziriswa mune ichangobva kuburitswa yekururamisa Kernel zvigadziriso.


Izvo zviri muchinyorwa zvinoomerera pamisimboti yedu ye tsika dzekunyora. Kuti utaure chikanganiso tinya pano.

Iva wekutanga kutaura

Siya yako yekutaura

Your kero e havazobvumirwi ichibudiswa.

*

*

  1. Inotarisira data: AB Internet Networks 2008 SL
  2. Chinangwa cheiyo data: Kudzora SPAM, manejimendi manejimendi.
  3. Legitimation: Kubvuma kwako
  4. Kutaurirana kwedata
  5. Dhata yekuchengetedza: Dhatabhesi inobatwa neOccentus Networks (EU)
  6. Kodzero: Panguva ipi neipi iwe unogona kudzora, kupora uye kudzima ruzivo rwako