Once again ... another vulnerability found in the eBPF subsystem

News recently broke that a new vulnerability (already catalogued as CVE-2021-4204) has been identified in the eBPF subsystem (for a change) ...

The eBPF subsystem has not stopped being a major security problem for the kernel: throughout 2021, easily two vulnerabilities were disclosed per month, and we have covered some of them here on the blog.

As for the details of the current problem, the vulnerability was found in the subsystem that lets handlers run inside the Linux kernel in a special JIT virtual machine, and it allows an unprivileged local user to escalate privileges and execute their code at the kernel level.

In the description of the problem, it is stated that the vulnerability is caused by incorrect checking of the eBPF programs submitted for execution: the eBPF subsystem provides helper functions, and their correct use is checked by a special verifier.

This vulnerability allows local attackers to escalate privileges on affected installations of the Linux kernel. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

The specific flaw exists in the handling of eBPF programs. The issue results from the lack of proper validation of user-supplied eBPF programs prior to executing them.

In addition, some of the helper functions require a PTR_TO_MEM value to be passed as an argument, and the verifier must know the size of the memory associated with that argument in order to prevent potential overflow problems.

For the functions bpf_ringbuf_submit and bpf_ringbuf_discard, the size of the memory being passed is not reported to the verifier (this is where the problem begins). An attacker can take advantage of this to overwrite memory areas beyond the buffer boundary when executing specially crafted eBPF code.

An attacker can leverage this vulnerability to escalate privileges and execute code in the context of the kernel. NOTE that unprivileged bpf is disabled by default on most distributions.

To carry out the attack, the user must be able to load their own BPF program, and many recent Linux distributions block this by default (in addition, unprivileged access to eBPF is now prohibited by default in the kernel itself, as of version 5.16).

For example, the vulnerability is said to be exploitable in the default configuration of a distribution that is still widely used and very popular, Ubuntu 20.04 LTS, whereas in environments such as Ubuntu 22.04-dev, Debian 11, openSUSE 15.3, RHEL 8.5, SUSE 15-SP4 and Fedora 33 it only manifests if the administrator has set the kernel.unprivileged_bpf_disabled parameter to 0.

For now, as a workaround to block the vulnerability, you can prevent unprivileged users from running BPF programs by running this command in a terminal:

sysctl -w kernel.unprivileged_bpf_disabled=1
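
To check whether a host meets the two preconditions the article names (kernel 5.8 or later, and unprivileged BPF enabled), here is an added example that is not from the original article or from the kernel project. The function name and verdict strings are hypothetical, the sample release strings in the comments are constructed, and the meaning of the sysctl values 1 and 2 comes from the kernel's sysctl documentation rather than from the article.

```shell
#!/bin/sh
# Added example: classify exposure to CVE-2021-4204 from the kernel release
# and the kernel.unprivileged_bpf_disabled value. Names are hypothetical.

# assess_bpf_exposure <kernel_release> <unprivileged_bpf_disabled value>
# Prints one of: not-affected, exposed-unless-patched, mitigated, unknown
assess_bpf_exposure() {
    release=$1
    sysctl_val=$2

    # Accept only "major.minor..." strings such as 5.13.0-27-generic.
    case "$release" in
        [0-9]*.[0-9]*) ;;
        *) echo "unknown"; return 0 ;;
    esac
    major=${release%%.*}
    rest=${release#*.}
    minor=${rest%%[!0-9]*}
    case "$major" in
        *[!0-9]*) echo "unknown"; return 0 ;;
    esac

    # The article dates the flaw to Linux 5.8; older kernels predate it.
    if [ "$major" -lt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -lt 8 ]; }; then
        echo "not-affected"
        return 0
    fi

    # 0 = unprivileged users may load BPF programs (attack precondition met)
    # 1 = disabled and locked until reboot
    # 2 = disabled, but an administrator may switch it back
    # The version alone cannot show a vendor backport, hence "unless-patched".
    case "$sysctl_val" in
        0)   echo "exposed-unless-patched" ;;
        1|2) echo "mitigated" ;;
        *)   echo "unknown" ;;
    esac
}

# Report on the local host; the sysctl file is absent on some systems.
sysctl_file=/proc/sys/kernel/unprivileged_bpf_disabled
if [ -r "$sysctl_file" ]; then
    current=$(cat "$sysctl_file")
else
    current=unavailable
fi
release_now=$(uname -r)
echo "kernel $release_now, unprivileged_bpf_disabled=$current:" \
     "$(assess_bpf_exposure "$release_now" "$current")"
```

Note that `sysctl -w` changes only the running kernel; to keep the setting across reboots, place `kernel.unprivileged_bpf_disabled=1` in a file under /etc/sysctl.d/.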

Finally, it should be mentioned that the problem has been present since Linux kernel 5.8 and remains unpatched (including in version 5.16), which is why the exploit code will be held back for 7 days and published at 12:00 UTC on January 18, 2022.

The delay is intended to give enough time for the corrective patches to reach users of the various Linux distributions through each one's official channels, so that both developers and users can fix the vulnerability.

Those who want to follow the status of the updates that fix the problem in some of the main distributions can track them on these pages: Debian, RHEL, SUSE, Fedora, Ubuntu, Arch.

If you are interested in learning more about it, you can consult the original statement at the following link.

