Muva nje izindaba zikuqedile lokho kwatholakala ukuthi kusengozini (CVE-2021-29154) ohlelweni olungaphansi lwe-eBPF, okuyi-pIvumela ukulandela umkhondo, ukuhlaziywa kwesistimu, nezilawuli zethrafikhi egijima ngaphakathi kwe-Linux kernel emshinini okhethekile we-JIT lokho ivumela umsebenzisi wasendaweni ukuthi asebenzise ikhodi yakho ezingeni le-kernel.
Ngokusho kwabaphenyi abakhombe ukuba sengozini, bakwazile ukwenza uhlobo olusebenzayo lokuxhashazwa kwezinhlelo ezingama-86-bit no-32-bit x64 ezingasetshenziswa ngumsebenzisi ongenalutho.
Ngesikhathi esifanayo, URed Hat uphawula ukuthi ubunzima benkinga buxhomeke ebukhoneni bocingo lohlelo lwe-eBPF. Okomsebenzisi. Isibonelo, ku-RHEL nakwezinye izimpahla eziningi ze-Linux ngokuzenzakalela, ukuba sengozini kungasetshenziswa lapho i-BPF JIT inikwe amandla futhi umsebenzisi enamalungelo we-CAP_SYS_ADMIN.
Kutholwe inkinga ku-Linux kernel abangayisebenzisa kabi
abasebenzisi bendawo abangenalo ilungelo lokukhulisa amalungelo.Inkinga ukuthi abahlanganisi beBPF JIT babala kanjani ezinye izakhiwo
Ukususwa kwegatsha lapho kukhiqizwa ikhodi yomshini. Lokhu kungahlukunyezwa
ukudala ikhodi yomshini engathandeki futhi uyiqhube ngemodi ye-kernel,
lapho ukugeleza kolawulo kudunwe khona ukwenza ikhodi engavikelekile.
Futhi kungenxa yokuthi bayakucacisa lokho inkinga idalwa yiphutha elenziwa lapho kubalwa isamba semiyalo yegatsha ngesikhathi se-JIT compiler ekhiqiza ikhodi yomshini.
Ikakhulukazi, kuyashiwo ukuthi lapho kwenziwa imiyalo yegatsha, akunakwa ukuthi ukufuduka kungashintsha ngemuva kokudlula esigabeni sokusebenzisa, lapho lokhu kwehluleka kungasetshenziswa ukukhiqiza ikhodi yomshini engathandeki futhi uyenze ezingeni le-kernel .
Kumele kuqashelwe ukuthi Lokhu akukhona kuphela ukuba sengozini ohlelweni olungaphansi lwe-eBPF olwaziwa eminyakeni yamuva, kusukela ekupheleni kukaMashi, kutholakala ezinye izingcuphe ezimbili ku-kernel (I-CVE-2020-27170, i-CVE-2020-27171), enikeza amandla okusebenzisa i-eBPF ukuze ikwazi ukweqa ukuvikelwa ebungozini besigaba seSpecter, esivumela okuqukethwe kwememori ye-kernel ukuthi kunqunywe futhi okuholela ekwakhiweni kwezimo zokwenza imisebenzi ethile yokuqagela.
Ukuhlaselwa kweSpecter kudinga ukuba khona kokulandelana okuthile kwemiyalo kukhodi enelungelo, okuholela ekusetshenzisweni kwemiyalo okucatshangwayo. Ku-eBPF, kutholakale izindlela eziningana ukukhiqiza imiyalo enjalo ngokusebenzisa izindlela zeBPF ezidluliselwe ukwenziwa kwazo.
- Ukuba sengozini kwe-CVE-2020-27170 kubangelwa ukukhohlisa kwesikhombi kusihloli se-BPF, okudala ukusebenza kokuqagela ukufinyelela indawo engaphandle kwe-buffer.
- Ukuba sengozini kwe-CVE-2020-27171 kuhlobene ne-bug ephelele yokugeleza lapho isebenza nezikhombi, okuholela ekufinyeleleni okucatshangelwayo kwedatha engaphandle kwe-buffer.
Lezi zinkinga sezivele zilungisiwe kuzinguqulo ze-kernel 5.11.8, 5.10.25, 5.4.107, 4.19.182, ne-4.14.227, futhi zifakiwe kuzibuyekezo ze-kernel zokusabalalisa okuningi kwe-Linux. Abaphenyi balungiselele uhlobo lokuxhaphaza oluvumela umsebenzisi ongenalutho ukuthola idatha kwimemori ye-kernel.
Ngokuqondene nesinye sezixazululo okuphakanyisiwe ngaphakathi kweRed Hat yile:
Ukunciphisa:
Le nkinga ayithinti amasistimu amaningi ngokuzenzakalela. Umlawuli bekufanele ngabe unike amandla i-BPF JIT ukuthi ithinteke.
Kungakhutshazwa ngokushesha ngomyalo:
# echo 0 > /proc/sys/net/core/bpf_jit_enableNoma ingakhutshazwa kuwo wonke amabhuzu wesistimu alandelayo ngokusetha inani ku /etc/sysctl.d/44-bpf -jit-disable
## start file ## net.core.bpf_jit_enable=0</em> end file ##
Okokugcina uma unesifiso sokwazi okwengeziwe ngakho mayelana nalokhu kuba sengozini, ungabheka imininingwane ku- isixhumanisi esilandelayo.
Kuyafaneleka ukusho ukuthi inkinga iqhubeka kuze kube yinguqulo 5.11.12 (ifakiwe) futhi ayikaxazululwa ekusatshalalisweni okuningi, noma ngabe ukulungiswa sekuvele kukhona. itholakala njengesiqeshana.