A vulnerability was found in the Linux eBPF subsystem

News recently broke that a vulnerability (CVE-2021-29154) has been identified in the eBPF subsystem, which allows tracing, subsystem analysis and traffic-control handlers to run inside the Linux kernel in a special JIT virtual machine; it allows a local user to execute their own code at kernel level.

According to the researchers who identified the vulnerability, they were able to build a working exploit prototype for 32-bit and 64-bit x86 systems that can be used by an unprivileged user.

At the same time, Red Hat notes that the severity of the problem depends on whether the eBPF system call is available to the user. For example, on RHEL and other Linux distributions by default, the vulnerability can only be exploited if BPF JIT is enabled and the user has CAP_SYS_ADMIN privileges.

The problem was found in the Linux kernel and can be abused by unprivileged local users to escalate their privileges.

The problem lies in the way BPF JIT compilers compute branch offsets when generating machine code. This can be abused to craft anomalous machine code and run it in kernel mode, where the control flow is hijacked to execute unsafe code.

As for the details, the problem is caused by an error made when calculating the offsets of branch instructions while the JIT compiler is generating machine code.

In particular, it is mentioned that when branch instructions are generated, it is not taken into account that the offset may change after the optimization stage has run, so this flaw can be used to generate anomalous machine code and execute it at kernel level.

It should be noted that this is not the only vulnerability in the eBPF subsystem to become known in recent years: since the end of March, two other vulnerabilities have been identified in the kernel (CVE-2020-27170, CVE-2020-27171) which make it possible to use eBPF to bypass the protection against Spectre-class vulnerabilities, allowing the contents of kernel memory to be determined by creating the conditions for speculative execution of certain operations.

A Spectre attack requires a certain sequence of instructions to be present in privileged code that leads to speculative execution of instructions. In eBPF, several ways have been found to generate such instructions through manipulation of the BPF programs submitted for execution.

  • The CVE-2020-27170 vulnerability is caused by pointer manipulation in BPF, which leads to speculative operations accessing an area outside the buffer bounds.
  • The CVE-2020-27171 vulnerability is associated with an integer overflow bug when working with pointers, leading to speculative access to data outside the buffer.

These issues have already been fixed in kernel versions 5.11.8, 5.10.25, 5.4.107, 4.19.182 and 4.14.227, and are included in the kernel updates of most Linux distributions. The researchers have prepared a prototype exploit that allows an unprivileged user to extract data from kernel memory.

As for one of the solutions proposed by Red Hat, it is the following:

Mitigation:

This issue does not affect most systems by default. An administrator would have to enable BPF JIT for the system to be affected.

It can be disabled immediately with the command:

# echo 0 > /proc/sys/net/core/bpf_jit_enable

Or it can be disabled for all subsequent boots by setting the value in /etc/sysctl.d/44-bpf-jit-disable:

## start file ##
net.core.bpf_jit_enable=0
## end file ##
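Added example (not part of the original article or of Red Hat's advisory): a small POSIX shell script that reports the current bpf_jit_enable state and compares a kernel version against the stable releases listed above as fixed for CVE-2020-27170/27171. Only the sysctl path comes from the article; the helper names and the version-comparison logic are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original article or Red Hat's advisory. Reports the
# BPF JIT sysctl state (the mitigation above) and checks a kernel version against
# the stable releases listed as fixed for CVE-2020-27170/27171 (assumed helpers).

JIT_SYSCTL=/proc/sys/net/core/bpf_jit_enable

# jit_status VALUE: maps the sysctl value to a readable state
# (0 = JIT disabled, 1 = enabled, 2 = enabled with JIT image dumps to the log).
jit_status() {
  case "$1" in
    0) echo "disabled" ;;
    1) echo "enabled" ;;
    2) echo "enabled (debug)" ;;
    *) echo "unknown" ;;
  esac
}

# version_ge A B: succeeds when dotted version A is >= B, compared numerically
# component by component (missing components count as 0).
version_ge() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai=${a%%.*}; bi=${b%%.*}
    [ "$ai" = "$a" ] && a= || a=${a#*.}
    [ "$bi" = "$b" ] && b= || b=${b#*.}
    [ "${ai:-0}" -gt "${bi:-0}" ] && return 0
    [ "${ai:-0}" -lt "${bi:-0}" ] && return 1
  done
  return 0
}

# kernel_fixed VERSION: prints "fixed", "vulnerable" or "unknown-branch" for the
# Spectre-class eBPF fixes, matching VERSION to its stable branch (x.y) first.
kernel_fixed() {
  v=${1%%-*}                       # drop a distro suffix such as -generic
  for fixed in 5.11.8 5.10.25 5.4.107 4.19.182 4.14.227; do
    if [ "${v%.*}" = "${fixed%.*}" ]; then
      version_ge "$v" "$fixed" && echo "fixed" || echo "vulnerable"
      return 0
    fi
  done
  echo "unknown-branch"
}

# Stand-alone use: report the live values when running on a Linux host.
if [ -r "$JIT_SYSCTL" ]; then
  echo "bpf_jit_enable: $(jit_status "$(cat "$JIT_SYSCTL")")"
fi
echo "kernel $(uname -r 2>/dev/null): $(kernel_fixed "$(uname -r 2>/dev/null)")"
```

A result of "fixed" refers only to the two Spectre-class CVEs above; the article states that CVE-2021-29154 itself persists through 5.11.12, so the JIT state is the check that matters for it.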

Finally, if you are interested in learning more about the vulnerability, you can check the details at the following link.

It is worth mentioning that the problem persists up to version 5.11.12 (inclusive) and has not yet been fixed in most distributions, although the fix is already available as a patch.

