Kutshanje iindaba zavakala ukuba ichonge ubuthathaka obutsha (sele ifakwe kwikhathalogu phantsi kwe-CVE-2021-4204) kwi-subsystem ye-eBPF (ukwenzela utshintsho) ...
Kwaye kukuba i-subsystem ye-eBPF ayiyekanga ukuba yingxaki enkulu yokhuseleko kwi-Kernel kuba ngokulula kuyo yonke i-2021 ubuthathaka obubini bubhengezwe ngenyanga kwaye sithetha ngezinye zazo apha kwibhlog.
Ngokumalunga neenkcukacha zengxaki yangoku, kukhankanyiwe ukuba Ubuthathaka obufunyenweyo buvumela umqhubi ukuba abaleke ngaphakathi kwe-Linux kernel kumatshini okhethekileyo we-JIT wenyani kwaye ovumela umsebenzisi wasekhaya ongenanto ukuba anyuse amalungelo kwaye enze ikhowudi yawo kwinqanaba le-kernel.
Kwinkcazo yengxaki, bayikhankanya loo nto ukuba sesichengeni kungenxa yokuskena okungafanelekanga kweenkqubo ze-eBPF ezigqithiselwe ukwenziwa, ekubeni i-subsystem ye-eBPF ibonelela ngemisebenzi yomncedisi, ukuchaneka kwayo kuhlolwe ngumqinisekisi okhethekileyo.
Obu buthathaka buvumela abahlaseli basekhaya ukuba banyuse amalungelo
Ufakelo lweLinux Kernel oluchaphazelekayo. Umhlaseli kufuneka aqale afumane i
ukukwazi ukuqhuba ikhowudi ngamalungelo aphantsi kwindlela ekujoliswe kuyo
sebenzisa obu buthathaka.Isiphene sikhona ekusingatheni iinkqubo ze-eBPF. Umbuzo iziphumo zokunqongophala kokuqinisekiswa ngokufanelekileyo kweenkqubo ze-eBPF ezibonelelwa ngabasebenzisi ngaphambi kokuba baqhube.
Ngaphandle koko, eminye imisebenzi ifuna ixabiso le PTR_TO_MEM ligqithiswe njengengxoxo kwaye umqinisekisi kufuneka awazi ubungakanani benkumbulo enxulunyaniswa nengxoxo ukunqanda iingxaki zokuphuphuma kwebuffer ezinokubakho.
Ngexesha lemisebenzi bpf_ringbuf_submit kwaye bpf_ringbuf_discard, idatha malunga nobungakanani bememori edlulisiweyo ayixelwa kumqinisekisi (apha kulapho ingxaki iqala khona), umhlaseli athatha ithuba lokusebenzisa ukubhala ngaphezulu iindawo zememori ngaphandle komda webuffer xa kusenziwa ikhowudi ye-eBPF eyenziwe ngokukodwa.
Umhlaseli angasebenzisa obu buthathaka Yandisa amalungelo kwaye wenze ikhowudi kumxholo wekernel. QAPHELA ukuba ibpf engenalungelo ivaliwe ngokungagqibekanga kunikezelo oluninzi.
Kukhankanyiwe ukuba ukuze umsebenzisi enze uhlaselo, umsebenzisi makakwazi ukulayisha inkqubo yakho ye-BPF kunye nonikezelo oluninzi lwamva nje lweLinux vimba oku ngokungagqibekanga (kuquka ukufikelela okungafanelekanga kwi-eBPF ngoku kuthintelwe ngokungagqibekanga kwikernel ngokwayo, ukususela kuguqulelo 5.16).
Umzekelo, kukhankanywa ukuba sesichengeni ingasetyenziswa kuqwalaselo olungagqibekanga kwi unikezelo olusasetyenziswa kwaye ngaphezulu kwako konke ludume kakhulu njengoko lunjalo Ubuntu 20.04 LTS, kodwa kwiimeko ezifana ne-Ubuntu 22.04-dev, i-Debian 11, i-openSUSE 15.3, i-RHEL 8.5, i-SUSE 15-SP4 kunye ne-Fedora 33, ibonisa kuphela ukuba umlawuli usete iparameter. kernel.unprivileged_bpf_disableed ukuya ku-0.
Okwangoku, njengendlela yokusebenza ukubhloka ukuba sesichengeni, kukhankanyiwe ukuba unokuthintela abasebenzisi abangenalungelo ukuba baqhube iinkqubo ze-BPF ngokuqhuba umyalelo kwi-terminal:
sysctl -w kernel.unprivileged_bpf_disabled=1
Okokugqibela, kufanelekile ukuba ikhankanywe ingxaki ivele ukusukela kwiLinux kernel 5.8 kwaye ihlala ingaloshwanga (kubandakanywa noguqulelo 5.16) kwaye yiyo loo nto ikhowudi yokuxhaphaza iya kulibaziseka iintsuku ezisi-7 kwaye iya kupapashwa ngo-12:00 e-UTC, oko kukuthi, nge-18 kaJanuwari 2022.
Ngaloo nto kujongwe ukunika ixesha elaneleyo lokulungisa amabala enziwe afumaneke yabasebenzisi bonikezelo lweLinux olwahlukeneyo ngaphakathi kwamajelo asemthethweni ngamnye kwezi kwaye bobabini abaphuhlisi kunye nabasebenzisi banokulungisa ubuthathaka obuxeliweyo.
Kwabo banomdla wokwazi malunga nobume bokwenziwa kohlaziyo ngokupheliswa kwengxaki kwezinye zezinto eziphambili zokusasazwa, kufuneka bazi ukuba banokulandelwa kula maphepha: Debian, RHEL, USUSE, Fedora, Ubuntu, IArch.
Ukuba ukhona unomdla wokwazi ngakumbi ngayo malunga nenqaku, ungajongana nengxelo yokuqala Kule khonkco ilandelayo.