Mva nje ulwazi olubalulekileyo malunga ukuchongwa kwe ukuba sesichengeni (Uluhlu lweCVE-2021-27365) kwikhowudi yenkqubo esezantsi ye-iSCSI Linux kernel ukuba ivumela umsebenzisi wasekhaya ongenalungelo lokusebenzisa ikhowudi kwinqanaba le-kernel kunye nokufumana amalungelo kwiingcambu kwinkqubo.
Ingxaki ibangelwa yi-bug ekusebenzeni kwemodyuli ye-libiscsi iscsi_host_get_param (), eyaziswa ngo-2006 ngexesha lophuhliso lwenkqubo esezantsi ye-iSCSI. Ngenxa yokunqongophala kolawulo lobungakanani obufanelekileyo, ezinye zeempawu ze-iSCSI, ezinje ngegama lomamkeli okanye igama lomsebenzisi, zinokugqitha kwiPAGE_SIZE (4KB) ixabiso.
Umngcipheko unokuxhatshazwa ngokuthumela imiyalezo yeNetlink ngumsebenzisi ongenalungelo lokuseta iimpawu ze-iSCSI kumaxabiso amakhulu kunePAGE_SIZE. Xa ufunda idatha yedatha ngokusebenzisa ii-sysfs okanye i-seqfs, ikhowudi ibizwa ukuba kudluliswe iimpawu kwi-sprintf ukuze zikhutshelwe kwisilinganisi esiyi-PAGE_SIZE ngobukhulu.
Inkqubo esezantsi ekubhekiswa kuyo yi-SCSI (iNkqubo eNcinci yeKhompyuter yeComputer) yothutho lwedatha, esemgangathweni wokudlulisa idatha eyenziwe ukudibanisa iikhompyuter kwizixhobo zepheripherali, ekuqaleni ngentambo ebonakalayo, enje ngeedrive drive. I-SCSI ngumgangatho ohloniphekileyo owapapashwa okokuqala ngo-1986 kwaye wawungumgangatho wegolide kulungelelwaniso lweseva, kwaye iSCSI sisiseko seSCSI ngaphezulu kweTCP. I-SCSI isasetyenziswa nanamhlanje, ngakumbi kwiimeko ezithile zokugcina, kodwa kwenzeka njani ukuba oku kube yindawo yokuhlasela kwinkqubo engagqibekanga yeLinux?
Ukuxhaphaza ubungozi kulwabiwo kuxhomekeke kwinkxaso yemodyuli ye-kernel scsi_transport_iscsi xa uzama ukwenza isokethi ye-NETLINK_ISCSI.
Kusasazo apho le modyuli ilayisha ngokuzenzekelayo, uhlaselo lunokwenziwa ngaphandle kokusebenzisa ukusebenza kwe-iSCSI. Kwangelo xesha, ekusebenziseni ngempumelelo ukuxhaphaza, ukubhaliswa kwesithuthi esinye se-iSCSI kuyafuneka ukongeza. Ngokulandelayo, ukubhalisa isithuthi, ungasebenzisa imodyuli ye-ib_iser kernel, elayishwa ngokuzenzekelayo xa umsebenzisi ongenalungelo lokuzama ukwenza isiseko seNETLINK_RDMA.
Ukulayisha ngokuzenzekelayo iimodyuli ezifunekayo ukusebenzisa ukuxhaphaza ixhasa i-CentOS 8, RHEL 8, kunye neFedora ngokufaka i-rdma-core package kwinkqubo, Ukuxhomekeka kwezinye iipakeji ezithandwayo kwaye kufakelwe ngokungagqibekanga kulungelelwaniso lwendawo yokusebenza, iinkqubo zeseva nge-GUI kunye nokwenza ubume bendawo yokubamba.
Kwangelo xesha, i-rdma-core ayifakwanga xa usebenzisa iserver yokwakha esebenza kuphela kwimowudi yekhonsoli kwaye xa ufaka umfanekiso omncinci wokufakwa. Umzekelo, iphakheji ifakiwe kwisiseko sokuhanjiswa kweFedora 31, kodwa ayifakwanga kwiFedora 31 Server.
I-Debian kunye ne-Ubuntu azikho semngciphekweni wengxakinjengoko ipakethe ye-rdma-core ilayisha kuphela iimodyuli zekernel ezifunekayo kuhlaselo ukuba izixhobo ze-RDMA ziyafumaneka. Nangona kunjalo, iphakheji ye-Ubuntu esecaleni ibandakanya iphakheji evulekileyo-iscsi, ebandakanya ifayile ye /lib/modules-load.d/open-iscsi.conf yokuqinisekisa ukuba iimodyuli ze-iSCSI zilayishwa ngokuzenzekelayo kuzo zonke iziqalo.
Umzekelo osebenzayo wokuxhaphaza uyafumaneka zama ikhonkco elingezantsi.
Ukuba semngciphekweni kulungiswe kuhlaziyo lwe-Linux kernel 5.11.4, 5.10.21, 5.4.103, 4.19.179, 4.14.224, 4.9.260, kunye ne-4.4.260. Uhlaziyo lwephakheji yeKernel luyafumaneka kwiDebian (endala), Ubuntu, SUSE / openSUSE, Arch Linux, kunye nokusasazwa kweFedora, ngelixa kungekho zilungiso zikhutshiweyo zeRHEL okwangoku.
Kwakhona, kwinkqubo esezantsi yeSCSI Ubungozi obuncinci obuncinci bulungisiwe oko kunokukhokelela ekuvuzeni kwedatha ye-kernel: I-CVE-2021-27363 (ulwazi oluchaziweyo malunga nenkcazo yezothutho ye-iSCSI nge-sysfs) kunye ne-CVE-2021-27364 (kufundwa kummandla ongaphandle komda we-buffer).
Obu buthathaka bunokuxhatshazwa ukunxibelelana kwisokethi yekhonkco yenethiwekhi kunye nenkqubo esezantsi ye-iSCSI ngaphandle kwamalungelo ayimfuneko. Umzekelo, umsebenzisi ongenalungelo unokuqhagamshela kwi-iSCSI kwaye athumele umyalelo wokuphuma.
Umthombo: https://blog.grimm-co.com