Kutholwe ubungozi ku-Linux Kernel obusavumela abasebenzisi ukuthi baphakamise amalungelo abo 

Darkcrizt

Imizuzu ye-4

ubungozi

Uma exhashazwa, lawa maphutha angavumela abahlaseli ukuthi bathole ukufinyelela okungagunyaziwe kulwazi olubucayi noma ngokuvamile babangele izinkinga.

Ezinsukwini ezimbalwa ezedlule kwavela lokho Kutholwe ubungozi obubili ama-subsystems we i-linux kernel, I-Netfilter ne-io_uring, evumela umsebenzisi wendawo ukuthi aphakamise amalungelo akhe ohlelweni.

Esokuqala ukuba sengozini. (CVE-2023-32233) etholwe kusistimu engaphansi ye-Netfilter futhi kubangelwa ukufinyelela kwenkumbulo yokusetshenziswa ngemva kwamahhala kumojuli ye-nf_tables, eqinisekisa ukusebenza kwesihlungi sephakethe le-nfttables.

Lesi siphazamisi kungenxa yokuthi i-netfilter nf_tables ivumela ukubuyekeza ukucushwa kwayo ngezicelo zeqoqo lelo qembu ndawonye imisebenzi eminingi eyisisekelo ekuhwebeni kwe-athomu.

Inkinga ikhiqizwe kabusha kuzinguqulo ezihlukahlukene ze-Linux kernel, kuhlanganise ne-Linux 6.3.1 (ukuzinza kwamanje) kanye nokuba sengozini kungaxhashazwa ngokuthumela izicelo eziklanywe ngokukhethekile ukuze kubuyekezwe ukucushwa kwe-nftables. Kushiwo ukuthi ukuhlasela kudinga ukufinyelela kuma-nftables, angatholwa endaweni yamagama yenethiwekhi ehlukile uma unamalungelo okuthi CLONE_NEWUSER, CLONE_NEWNS, noma CLONE_NEWNET (isibonelo, uma ungasebenzisa isiqukathi esingasodwa).

Kulesi siphazamisi, umcwaningi ohlonze inkinga uthembise ukuhlehlisa isonto lonke ukushicilelwa kwemininingwane enemininingwane kanye nesibonelo sokusebenza okusebenzayo okunikeza igobolondo lempande.

Esimeni esithile, isicelo senqwaba esingavumelekile singaqukatha umsebenzi osusa ngokusobala isethi ekhona ye-nft engaziwa elandelwa omunye umsebenzi ozama ukwenza kusethi efanayo engaziwa ye-nft ngemva kokususwa. Kulesi simo esingenhla, isibonelo salokhu kusebenza okungenhla sisusa umthetho okhona we-nft osebenzisa isethi engaziwa ye-nft. Futhi isibonelo sokusebenza kwakamuva umzamo wokususa i-elementi kulelo lungu le-nft elingaziwa ngemva kokuthi amalungu afanayo esusiwe ngokushintshana, umsebenzi wakamuva ungase uzame ukususa ngokusobala lelo lungu le-nft elingaziwa futhi. 

Njengoba sekushiwo ekuqaleni, lokhu bekuyizinsuku ezimbalwa ezedlule futhi ukuxhashazwa nolwazi kwase kudaluliwe. Ukuxhaphaza kanye nemininingwane yakhona ingatholakala kusixhumanisi esilandelayo.

Kutholwe iphutha lesibili, kwaba sengozini (CVE-2023-2598) ku ukuqaliswa kwe-interface ye-asynchronous I/O io_ring kufakwe ku-Linux kernel kusukela kunguqulo 5.1.

Inkinga ibangelwa iphutha kumsebenzi we-io_sqe_buffer_register, ovumela ukufinyelela kumemori ebonakalayo ngaphandle kwemingcele yebhafa eyabiwe ngokwezibalo. Udaba luvela kuphela egatsheni le-6.3 futhi luzolungiswa ekubuyekezweni okulandelayo kwe-6.3.2.

Kushiwo ukuthi umqondo ongemuva kokuzibophezela kwasekuqaleni ukuthi esikhundleni sokuhlukanisa amakhasi amakhulu afakwe kubhafa kokufakiwe ngakunye kwe-bvec, ungaba nokufaka okukodwa kwe-bvec kuzo zonke izingxenye zekhasi ezigcinwe kusigcinasimende. Ngokucacile, uma wonke amakhasi kumephu ye-buffer esebenzisa ukwakheka kwekhasi lokuqala kanye nobude bebhafa ekufakweni okukodwa kwe-bvec esikhundleni sokumepha ikhasi ngalinye ngokwalo.

Ngakho-ke i-bvec izonweba ngale kwekhasi elilodwa elivunyelwe ukulithinta. Kamuva, i-IORING_OP_READ_FIXED kanye ne-IORING_OP_WRITE_FIXED zisivumela ukuthi sifunde futhi sibhale kubhafa (okungukuthi, inkumbulo ekhonjwe yi-bvec) ngokuthanda kwakho. Lokhu kuvumela ukufinyelela kokufunda/ukubhala kumemori ebonakalayo engemuva kwekhasi okuwukuphela kwalo esinalo ngempela.

Ukushicilelwa kobungozi kukhuluma ngezinyathelo zokukhiqiza iphutha:

1. Dala i-memfd
2. Iphutha ekhasini elilodwa kuleso sichazi sefayela
3. Sebenzisa i-MAP_FIXED ukwenza imephu yaleli khasi ngokuphindaphindiwe, ezindaweni ezilandelanayo
4. Bhalisa sonke isifunda osanda kusigcwalisa ngalelo khasi njenge
ibhafa elungisiwe ene-IORING_REGISTER_BUFFERS
5. Sebenzisa i-IORING_OP_WRITE_FIXED ukuze ubhale isigcinalwazi kwelinye ifayela
(OOB ifundiwe) noma i-IORING_OP_READ_FIXED ukuze ufunde idatha kubhafa (
OOB bhala).

Ekugcineni kufanelekile ukusho lokho isivele itholakale  uhlelo lokusebenza lwe-prototype (I-CVE-2023-2598) ukuhlola, okukuvumela ukuthi usebenzise ikhodi enamalungelo e-kernel.

Ukuba sengozini (I-CVE-2023-32233) yalungiswa ekubuyekezeni okungu-6.4-rc futhi ungalandela ukulungiswa kokuba sengozini ekusatshalalisweni emakhasini: DebianUbuntuI-GentooRHELFedoraSUSE/openSUSEArch.


Shiya umbono wakho

Ikheli lakho le ngeke ishicilelwe. Ezidingekayo ibhalwe nge *

*

*

  1. Unomthwalo wemfanelo ngedatha: AB Internet Networks 2008 SL
  2. Inhloso yedatha: Lawula Ugaxekile, ukuphathwa kwamazwana.
  3. Ukusemthethweni: Imvume yakho
  4. Ukuxhumana kwemininingwane: Imininingwane ngeke idluliselwe kubantu besithathu ngaphandle kwesibopho esisemthethweni.
  5. Isitoreji sedatha: Idatabase ebanjwe yi-Occentus Networks (EU)
  6. Amalungelo: Nganoma yisiphi isikhathi ungakhawulela, uthole futhi ususe imininingwane yakho.