Munguva pfupi yapfuura nhau dzakabvarura izvo njodzi yakaonekwa (CVE-2021-29154) mune eBPF subsystem, iyo pInobvumira kumhanya kwekutsvaga, kutsvagisa masystem, uye traffic controllers kumhanya mukati meLinux kernel mune yakakosha JIT chaiyo muchina uyo inobvumira mushandisi wemuno kumhanyisa kodhi yako padanho rekernel.
Sekureva kwevaongorori vakaona kusagadzikana, ivo vakakwanisa kugadzira prototype yekushandisa kwema86-bit uye 32-bit x64 masisitimu anogona kushandiswa nemushandisi asina rukudzo.
Panguva imwecheteyo, Red Hat inocherekedza kuti kuomarara kwedambudziko kunoenderana nekuwanikwa kweiyo eBPF system yekufona. yemushandisi. Semuenzaniso, paRHEL uye zvimwe zvakawanda zvekuparadzirwa kweLinux nekumisikidza, kusagadzikana kunogona kushandiswa kana BPF JIT yagoneswa uye mushandisi aine kodzero dzeCAP_SYS_ADMIN.
Dambudziko rakawanikwa muLinux kernel iyo yavanogona kushungurudza
vasina-ropafadzo vashandisi vemuno kuti vawedzere ropafadzo.Dambudziko nderekuti maunganidzwa eBPF JIT anoverengera sei mamwe maumbirwo
Bazi rinobvisa kana uchigadzira kodhi yemuchina. Izvi zvinogona kushungurudzwa
kugadzira anomalous makina kodhi uye unomhanya nayo mu kernel modhi,
iko kuyerera kwekutonga kwakabiwa kuita kodhi isina kuchengetedzeka.
Uye ndezvekuti ivo vanotsanangudza izvo dambudziko rinokonzerwa nekanganiso iyo inogadzirwa kana uchiverenga kukanganisa kwemirairo yebazi panguva yeJIT compiler inogadzira kodhi yemuchina.
Kunyanya, zvinotaurwa kuti kana uchigadzira iwo maratidziro ebazi, hazvina kutariswa kuti iko kusuduruka kunogona kuchinja mushure mekupfuura nhanho yekugadzirisa, iko kukundikana uku kunogona kushandiswa kugadzira kodhi yemuchina uye kuitisa padanho kernel .
Inofanira kuonekwa kuti Uku handiko chete kunetsekana muEBPF subsystem iyo yave kuzivikanwa mumakore achangopfuura, kubvira pakupera kwaKurume, kumwe kusasimba kwechipiri kwakaratidzwa mukernel (CVE-2020-27170, CVE-2020-27171), iyo inopa kugona kushandisa eBPF kuti ikwanise kupfuudza kudzivirirwa kubva kune Specter kirasi kushupika, iyo inobvumidza izvo zvemukati memusoro wekernel kutemerwa uye izvo zvinoguma mukugadzirwa kwemamiriro ekufungidzira kwekuitwa kweamwe mashandiro.
Iyo Specter kurwisa kunoda kuvepo kwechete kuteedzana kwemirairo mune yakaropafadzwa kodhi, zvichitungamira mukufungidzira kuitiswa kwemirairo. MuEBPF, nzira dzinoverengeka dzakawanikwa kugadzira rairo dzakadaro nenzira dzekunyengedza neBPF zvirongwa zvinotapuriranwa kuti zviitwe.
- Iyo CVE-2020-27170 kunetsekana kunokonzerwa nekunongedzera kwe pointer muBPF cheki, zvichikonzera mashandiro ekufungidzira kuwana nzvimbo iri kunze kweye buffer.
- Iyo CVE-2020-27171 kunetsekana kune chekuita neyakaverengeka mafashama ebuggi kana uchishanda nemanongedzera, zvichitungamira mukufungidzira kuwana kune yekunze-kwe-buffer dhata.
Idzi nyaya dzakatogadziriswa mune kernel vhezheni 5.11.8, 5.10.25, 5.4.107, 4.19.182, uye 4.14.227, uye zvakaverengerwa mukuvandudzwa kwekernel kune akawanda maLinux anoparadzirwa. Vatsvakurudzi vakagadzirira muenzaniso wekubvumira uyo unobvumidza mushandisi asina rombo kutora data kubva kune kernel memory.
Kana iri imwe yemhinduro izvo yakatsanangurwa mukati meRed Hat ndeye:
Mitigation:
Dambudziko iri haritadzise masisitimu mazhinji nekutadza. Mutungamiri aifanira kunge akaita kuti BPF JIT ikanganiswe.
Inogona kuremara nekukasira nemutemo:
# echo 0 > /proc/sys/net/core/bpf_jit_enableKana inogona kuremerwa kune ese anotevera system mabhutsu nekumisikidza kukosha mu /etc/sysctl.d/44-bpf -jit-Disable
## start file ## net.core.bpf_jit_enable=0</em> end file ##
Finalmente kana iwe uchifarira kuziva zvakawanda nezvazvo nezve izvi kunetseka, unogona kutarisa izvo mukati chinotevera chinongedzo.
Izvo zvakakodzera kuti utaure kuti dambudziko rinoramba riripo kusvika vhezheni 5.11.12 (inosanganisirwa) uye haisati yagadziriswa mukuparadzira kwakawanda, kunyangwe iko kururamisa kwatove munzvimbo. inowanikwa sechigamba.