Important details have recently been released about a vulnerability (listed as CVE-2021-27365) in the iSCSI subsystem code of the Linux kernel that allows an unprivileged local user to execute code at kernel level and gain root privileges on the system.
The problem is caused by a bug in the iscsi_host_get_param() function of the libiscsi module, introduced back in 2006 during development of the iSCSI subsystem. Due to the lack of proper size checks, some iSCSI string attributes, such as the hostname or username, can exceed the PAGE_SIZE value (4KB).
The vulnerability can be exploited by an unprivileged user sending Netlink messages that set iSCSI attributes to values larger than PAGE_SIZE. When the attribute data is read through sysfs or seqfs, code is called that passes the attributes to sprintf to be copied into a buffer of PAGE_SIZE in size. Because sprintf does not bound its output, an oversized attribute is written past the end of that buffer.
The specific subsystem in question is the SCSI (Small Computer System Interface) data transport, a data-transfer standard designed to connect computers to peripheral devices, such as hard drives, originally over a physical cable. SCSI is a venerable standard originally published in 1986 and was the gold standard for server configurations, while iSCSI is basically SCSI over TCP. SCSI is still used today, especially in certain storage situations, but how does this become an attack surface on a default Linux system?
Exploiting the vulnerability on a given distribution depends on support for autoloading the scsi_transport_iscsi kernel module when an attempt is made to create a NETLINK_ISCSI socket.
On distributions where this module loads automatically, the attack can be carried out regardless of whether iSCSI functionality is in use. At the same time, for the exploit to succeed, registration of at least one iSCSI transport is additionally required. In turn, to register a transport, the ib_iser kernel module can be used, which is loaded automatically when an unprivileged user tries to create a NETLINK_RDMA socket.
Automatic loading of the modules needed for the exploit is supported on CentOS 8, RHEL 8, and Fedora when the rdma-core package is installed on the system. That package is a dependency of some popular packages and is installed by default in configurations for workstations, server systems with a GUI, and host environments for virtualization.
At the same time, rdma-core is not installed when using a server build that works only in console mode or when installing from a minimal installation image. For example, the package is included in the base Fedora 31 Workstation distribution, but not in Fedora 31 Server.
Debian and Ubuntu are less affected by the problem, since the rdma-core package only loads the kernel modules needed for the attack if RDMA hardware is present. However, the server-side Ubuntu package set includes the open-iscsi package, which ships the file /lib/modules-load.d/open-iscsi.conf to ensure that the iSCSI modules are loaded automatically on every boot.
A working prototype of the exploit is available at the link below.
The vulnerability was fixed in Linux kernel updates 5.11.4, 5.10.21, 5.4.103, 4.19.179, 4.14.224, 4.9.260, and 4.4.260. Kernel package updates are available for the Debian (oldstable), Ubuntu, SUSE/openSUSE, Arch Linux, and Fedora distributions, while no fixes have been released for RHEL yet.
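The module-autoloading conditions and the list of fixed releases above can be combined into a quick host triage check. This is an added example, not code from the article or from GRIMM; the function names, the `--host` switch and the sample module list are assumptions made for illustration, as is treating series newer than 5.11 as fixed.

```shell
#!/bin/sh
# Added example: exposure triage for CVE-2021-27365 (not from the article).
# First fixed upstream stable releases, exactly as listed in the article.
FIXED="5.11.4 5.10.21 5.4.103 4.19.179 4.14.224 4.9.260 4.4.260"

# upstream_fixed VERSION -> exit 0 if VERSION is at or past the fixed release
# of its stable series. Assumption: series newer than 5.11 shipped with the
# fix. Any other unlisted series (including distro backport kernels such as
# 4.18.0-*.el8) is reported as not confirmed and needs the vendor advisory.
upstream_fixed() {
    printf '%s\n' "$1" | awk -v fixed="$FIXED" '
        BEGIN { rc = 1 }
        {
            sub(/[^0-9.].*$/, "")          # strip "-generic", "-240.el8", ...
            split($0, v, "."); n = split(fixed, f, " ")
            rc = !(v[1]+0 > 5 || (v[1]+0 == 5 && v[2]+0 > 11))
            for (i = 1; i <= n; i++) {
                split(f[i], p, ".")
                if (v[1] == p[1] && v[2] == p[2]) rc = !(v[3]+0 >= p[3]+0)
            }
        }
        END { exit rc }'
}

# loaded_iscsi_modules FILE -> print the modules named in the article that are
# loaded. FILE is in /proc/modules format; "-" reads standard input.
loaded_iscsi_modules() {
    awk '$1 == "scsi_transport_iscsi" || $1 == "libiscsi" || $1 == "ib_iser" { print $1 }' "$1"
}

# report KERNEL_VERSION FILE -> one-line summary of both checks.
report() {
    if upstream_fixed "$1"; then state="fixed upstream"; else state="NOT confirmed fixed"; fi
    mods=$(loaded_iscsi_modules "$2" | tr '\n' ' ')
    printf 'kernel %s: %s; iSCSI modules loaded: %s\n' "$1" "$state" "${mods:-none}"
}

if [ "${1:-}" = "--host" ]; then
    report "$(uname -r)" /proc/modules
else
    # Constructed sample in /proc/modules format (not from a real host).
    report "5.10.20" - <<'EOF'
libiscsi 57344 1 ib_iser, Live 0x0000000000000000
scsi_transport_iscsi 110592 2 ib_iser,libiscsi, Live 0x0000000000000000
ext4 741376 1 - Live 0x0000000000000000
EOF
fi
```

Run with `--host` to check the running kernel. An empty module list only describes the current state, since the article notes the modules can be autoloaded on demand.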
Also, two less dangerous vulnerabilities that could lead to kernel data leaks have been fixed in the iSCSI subsystem: CVE-2021-27363 (leak of information about the iSCSI transport descriptor via sysfs) and CVE-2021-27364 (read from a region outside the buffer bounds).
These vulnerabilities can be used to communicate with the iSCSI subsystem over a netlink socket without the necessary privileges. For example, an unprivileged user can connect to iSCSI and send a logout command.
Source: https://blog.grimm-co.com