A vulnerability in eBPF allows bypassing protection against Spectre attacks

Yesterday we published news here on the blog about Aya, a library for creating eBPF handlers in Rust whose purpose is to make those handlers more secure, and about the Prossimo project to secure the memory of the Linux kernel with Rust (two big projects that will give us plenty to talk about in the coming months).

Within a short period of time, several vulnerabilities have been reported that take advantage of bugs in eBPF. It is an issue that kernel developers have not stopped working on, and perhaps Rust is the solution.

The reason for touching on this topic is that news was recently released that "another" vulnerability has been identified in the Linux kernel (CVE-2021-33624). It bypasses the protection against Spectre-class vulnerabilities, because it allows the eBPF subsystem to be used to determine the contents of memory by creating the conditions for speculative execution of certain operations.

The vulnerability is reported to be caused by a flaw in the verifier, which is used to detect errors and invalid activity in BPF programs. The verifier enumerates the possible code execution paths, but it ignores any branching options that are not valid from the point of view of the instruction set architecture semantics.

When a BPF program runs, branching options that the verifier did not take into account can be mispredicted by the processor and executed speculatively.

On affected systems, an unprivileged BPF program can exploit this vulnerability to leak the contents of kernel memory (and with it all physical memory) through a side channel.

For example, when analyzing a "load" operation, the verifier assumes that the instruction uses a register holding an address whose value is always within the specified bounds, but an attacker can create conditions under which the processor speculatively attempts the operation with an address that does not meet the verification conditions.

A Spectre attack requires the presence of a specific instruction sequence in privileged code that leads to speculative execution of instructions. By manipulating the BPF programs passed for execution, it is possible to generate such instructions in eBPF and leak the contents of kernel memory and arbitrary areas of physical memory through side channels.

In addition, it is worth noting an article about the performance impact of the mitigations that protect against the Spectre class of vulnerabilities.

This article summarizes the results of optimizing the rr (Record and Replay) debugger, once created by Mozilla to debug hard-to-reproduce bugs in Firefox. Caching the system calls used to check for the existence of directories reduced the "rr sources" operation for the test project from 3 minutes 19 seconds to 36 seconds.

The author of the work decided to check how much performance would change after disabling the Spectre protection. After booting the system with the "mitigations=off" parameter, the execution time of "rr sources" without the optimization was 2 minutes 5 seconds (1.6 times faster), and with the optimization 33 seconds (9% faster).

Interestingly, disabling the Spectre protection not only reduced the run time of kernel-level code by 1.4 times (from 2 min 9 s to 1 min 32 s), it also reduced the execution time in user space (from 1 min 9 s to 33 s), because of the reduced CPU cache efficiency and the TLB resets that occur when Spectre protection is enabled.

The problem has been present since the release of the 4.15 kernel and has been fixed in the form of patches. These have not yet reached all distributions, so users are advised to apply the relevant updates in the coming days as soon as they receive the notifications.
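
As an added example (not from the original article or the kernel project), the shell function below checks a host for the exposure conditions discussed above: whether unprivileged users may load BPF programs, whether the kernel was booted with "mitigations=off", and what the kernel reports in its `spectre_v1` status entry. The `kernel.unprivileged_bpf_disabled` sysctl and the sysfs `spectre_v1` file are standard Linux interfaces that the article does not name; the function name and the optional root-prefix argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: report host settings that widen exposure to BPF-based
# speculative side-channel leaks. The function name and the ROOT argument
# are assumptions of this example.
# Usage: audit_bpf_spectre [ROOT]   (ROOT is a prefix for a fixture tree)
# Prints one "FINDING ..." line per issue; returns 0 if none, 1 otherwise.
audit_bpf_spectre() {
    root="${1:-}"
    findings=0

    # 0 means any user may load BPF programs; 1 or 2 restricts loading
    # to privileged users.
    f="$root/proc/sys/kernel/unprivileged_bpf_disabled"
    if [ -r "$f" ] && [ "$(cat "$f")" = "0" ]; then
        echo "FINDING unprivileged BPF loading is enabled"
        findings=$((findings + 1))
    fi

    # mitigations=off on the kernel command line disables CPU mitigations.
    f="$root/proc/cmdline"
    if [ -r "$f" ]; then
        case " $(cat "$f") " in
            *" mitigations=off "*)
                echo "FINDING kernel booted with mitigations=off"
                findings=$((findings + 1)) ;;
        esac
    fi

    # The kernel's own status line starts with "Vulnerable" when no
    # Spectre v1 mitigation is active.
    f="$root/sys/devices/system/cpu/vulnerabilities/spectre_v1"
    if [ -r "$f" ]; then
        case "$(cat "$f")" in
            Vulnerable*)
                echo "FINDING spectre_v1 reported as: $(cat "$f")"
                findings=$((findings + 1)) ;;
        esac
    fi

    [ "$findings" -eq 0 ]
}
```

Call `audit_bpf_spectre` with no argument to check the live host. A clean result does not show that the verifier fix is installed; that depends on the distribution's kernel update.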

If you want to know more about it, you can check the details at the following link.

