Multiple vulnerabilities found in the Linux kernel

News was recently released that several vulnerabilities classified as dangerous have been found in the Linux kernel. They allow a local user to elevate their privileges on the system.

The first of the vulnerabilities is CVE-2022-0995. It is present in the "watch_queue" event tracking subsystem and causes data to be written to an area of kernel memory outside the allocated buffer. The attack can be carried out by any unprivileged user, and their code is executed with kernel privileges.

The vulnerability is in the watch_queue_set_size() function and is associated with an attempt to clear all pointers in a list, even if memory has not been allocated for them. The problem manifests itself when the kernel is built with the "CONFIG_WATCH_QUEUE=y" option, which is used by most Linux distributions.

The vulnerability was reportedly resolved in a change added to the kernel on March 11.

The second vulnerability disclosed is CVE-2022-27666, which is present in the esp4 and esp6 kernel modules. These modules implement the Encapsulating Security Payload (ESP) transformations for IPsec and are used with both IPv4 and IPv6.

The vulnerability allows a local user with normal privileges to overwrite objects in kernel memory and elevate their privileges on the system. The problem is caused by a mismatch between the size of the allocated memory and the data actually received, since the maximum message size could exceed the maximum size of the memory allocated for the skb_page_frag_refill structure.

The vulnerability was reportedly fixed in the kernel on March 7 (fixed in 5.17, 5.16.15, etc.), and a working prototype of an exploit has been published on GitHub that allows a normal user to gain root access on Ubuntu Desktop 21.10 in its default configuration.

It is mentioned that, with minor changes, the exploit will also work on Fedora and Debian. It should be noted that the exploit was originally prepared for the pwn2own 2022 competition, but the associated bug was identified and fixed by the kernel developers, so it was decided to disclose the details of the vulnerability.

The other vulnerabilities disclosed are CVE-2022-1015 and CVE-2022-1016, in the netfilter subsystem, in the nf_tables module that backs the nftables packet filter. The researcher who identified the issues announced that working exploits have been prepared for both vulnerabilities; they are planned to be released a few days after the kernel package updates are released.

The first issue allows an unprivileged local user to achieve an out-of-bounds write on the stack. The overflow occurs when processing carefully crafted nftables expressions, which are handled during the validation phase of indexes supplied by a user who has access to nftables rules.

The vulnerability is due to the fact that the developers assumed that the value "enum nft_registers reg" is one byte, whereas, when certain optimizations are enabled, the compiler may, according to the C89 specification, use a 32-bit value for it. Because of this quirk, the size used for checking and allocating memory does not match the actual size of the data in the structure, which causes the structure to overlap pointers on the stack.
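A simplified illustration of this class of width mismatch, added here as an example: a check made on a one-byte view of a value that is actually stored and used at 32 bits, next to a hardened check. This is not the kernel's nf_tables code; the names `reg_index`, `offset_weak` and `offset_strict` and the 16-slot layout are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical register file: 16 slots of 4 bytes, indexed by a
 * caller-supplied register number (constructed for this example). */
#define SLOT_SIZE  4u
#define SLOT_COUNT 16u
#define REGS_BYTES (SLOT_SIZE * SLOT_COUNT)

enum reg_index { REG_FIRST = 0, REG_LAST = SLOT_COUNT - 1 };

/* Storage the compiler really gives the enum (4 bytes on common ABIs). */
size_t enum_width(void) { return sizeof(enum reg_index); }

/* Weak: validates a one-byte view of reg, then uses the full-width value.
 * Returns the byte offset that would be accessed, or -1 if rejected. */
long offset_weak(enum reg_index reg, uint32_t len)
{
    uint8_t assumed = (uint8_t)reg;   /* "reg is one byte" assumption */
    if (assumed * SLOT_SIZE + len > REGS_BYTES)
        return -1;
    return (long)((uint32_t)reg * SLOT_SIZE);
}

/* Hardened: range-check the full-width value first, then check the length
 * against the space that is left, so no sum can wrap around. */
long offset_strict(uint32_t reg, uint32_t len)
{
    if (reg >= SLOT_COUNT)
        return -1;
    if (len == 0 || len > REGS_BYTES - reg * SLOT_SIZE)
        return -1;
    return (long)(reg * SLOT_SIZE);
}

int main(void)
{
    uint32_t reg = 0x100;             /* low byte is 0, full value is 256 */
    printf("sizeof(enum reg_index) = %zu\n", enum_width());
    printf("weak:   offset %ld of %u bytes\n",
           offset_weak((enum reg_index)reg, 4), REGS_BYTES);
    printf("strict: offset %ld\n", offset_strict(reg, 4));
    return 0;
}
```

The weak check accepts an index whose low byte is in range and returns an offset far past the 64-byte array; the hardened check rejects it because it validates the same width that is later used.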

The problem can be exploited to execute code at the kernel level, but a successful attack requires access to nftables.

That access can be obtained in a separate network namespace, given CLONE_NEWUSER or CLONE_NEWNET rights (for example, if you can run an isolated container). The vulnerability is also closely tied to the optimizations used by the compiler, which are enabled, for example, when building in "CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE=y" mode. Exploitation of the vulnerability is possible starting with Linux kernel 5.12.

The second netfilter vulnerability occurs when an already freed memory area is accessed (use-after-free) in the nft_do_chain handler. It can lead to a leak of kernel memory areas, which can be read by manipulating nftables expressions and used, for example, to determine pointer addresses while developing exploits for other vulnerabilities. Exploitation of the vulnerability is possible starting with Linux kernel 5.13.

The vulnerabilities have been fixed in the recently released corrective kernel updates.

