Root privilege escalation in the Linux kernel and denial of service in systemd

Security researchers at Qualys have disclosed details of two vulnerabilities affecting the Linux kernel and the systemd system manager. The kernel vulnerability (CVE-2021-33909) lets a local user achieve code execution with root privileges by manipulating very deeply nested directories.

The severity of the vulnerability is heightened by the fact that the researchers were able to prepare working exploits for Ubuntu 20.04/20.10/21.04, Debian 11 and Fedora 34 in their default configurations. Other distributions were not tested, but in theory they are also affected and could be attacked. Full exploit code is promised for publication once the problem has been fixed everywhere; for now only a limited prototype is available, which crashes the system. The problem has existed since July 2014 and affects kernel releases starting from 3.16. The fix was coordinated with the community and accepted into the kernel on July 19. The major distributions have already issued updates to their kernel packages (Debian, Ubuntu, Fedora, RHEL, SUSE, Arch).

The vulnerability is caused by a missing check on the result of a size_t to int conversion before operations are performed in the seq_file code, which builds files from a sequence of records. The absence of this check can lead to an out-of-bounds write to the buffer when creating, mounting and deleting a directory structure with a very high nesting level (a path size above 1 GB). As a result, an attacker can get the 10-byte string "//deleted" written at offset "-2 GB - 10 bytes", that is, into the region preceding the allocated buffer.
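To make the truncation concrete, the following added example (not kernel code, and not part of the original article) models how a path-prepending routine computes its destination from an int buffer length, and what a 2 GB buffer size does to that arithmetic; the checked variant shows the kind of guard the fix introduces. ONE_GB and DELETED_LEN are constructed constants for the illustration.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>

/* Added illustration, not kernel code: models the size_t -> int narrowing
 * on the seq_file -> d_path boundary described in the article. */

#define ONE_GB (1024UL * 1024UL * 1024UL)
#define DELETED_LEN 10   /* strlen("//deleted") plus the terminating NUL */

/* Vulnerable model: the size_t buffer size is silently narrowed to int.
 * Returns the byte offset, relative to the start of the buffer, at which
 * "//deleted" would be written. A negative value means "before the buffer". */
long long prepend_offset_unchecked(size_t bufsize)
{
    long long buflen = (int)bufsize;   /* 2 GB becomes INT_MIN on two's complement targets */
    buflen -= DELETED_LEN;             /* prepend moves the write cursor back by 10 bytes */
    return buflen;                     /* for 2 GB: -2 GB - 10 bytes, as in the advisory */
}

/* Hardened model: refuse any buffer size that does not fit a non-negative int
 * (the upstream fix caps seq_file buffer allocations well below that).
 * Returns false when the request is rejected, true with the offset otherwise. */
bool prepend_offset_checked(size_t bufsize, long long *offset)
{
    if (bufsize > (size_t)INT_MAX || bufsize < DELETED_LEN)
        return false;
    *offset = (long long)bufsize - DELETED_LEN;
    return true;
}
```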

The prepared exploit needs 5 GB of memory and 1 million free inodes to run. It works by calling mkdir() to create a hierarchy of roughly a million directories so that the file path exceeds 1 GB in length. This directory is bind-mounted inside a separate user namespace, after which rmdir() is called to remove it. In parallel, a thread is started that loads a small eBPF program, which is held at the stage after the eBPF pseudocode has been verified but before its JIT compilation.

In the unprivileged user namespace, the file /proc/self/mountinfo is opened and the long path name of the bind-mounted directory is read, which causes the string "//deleted" to be written into the region before the start of the buffer. The write position is chosen so that it overwrites an instruction in the eBPF program that has already been verified but not yet compiled.

Next, at the eBPF program level, the uncontrolled out-of-bounds write is turned into a controlled ability to read and write other kernel structures by manipulating the btf and map_push_elem structures. Using this, the exploit locates the modprobe_path[] buffer in kernel memory and overwrites the path "/sbin/modprobe" stored there, which allows any executable to be launched with root privileges on the next request_module() call, triggered, for example, when a netlink socket is created.

The researchers suggest several workarounds that are effective only against the specific exploit and do not eliminate the underlying problem. It is recommended to set "/proc/sys/kernel/unprivileged_userns_clone" to 0 to disable mounting directories in a separate user ID namespace, and "/proc/sys/kernel/unprivileged_bpf_disabled" to 1 to disable loading eBPF programs into the kernel.

Notably, while analysing an alternative attack that uses the FUSE mechanism instead of a bind mount to mount the large directory, the researchers came across another vulnerability (CVE-2021-33910), this one affecting the systemd system manager. It turned out that when an attempt is made to mount, via FUSE, a directory whose path exceeds 8 MB, the init process (PID 1) runs out of stack memory and crashes, leaving the system in a "panic" state.

The problem is that systemd monitors and parses the contents of /proc/self/mountinfo and processes each mount point in the unit_name_path_escape() function, which calls strdupa() and thus places the data on the stack instead of in dynamically allocated memory. Since the maximum stack size is limited by RLIMIT_STACK, processing an overly long mount point path causes the PID 1 process to crash and halts the system. The attack can use the simplest possible FUSE module combined with a heavily nested directory, whose path exceeds 8 MB, as the mount point.
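The following added example (not systemd's own code, and not part of the original article) shows the defensive shape of that routine: instead of copying an attacker-controlled mount point path onto the stack with strdupa(), it caps the length and works on the heap, so an oversized path is rejected rather than crashing the process. PATH_CAP and the escaping rule used here are simplifying assumptions, not systemd's exact limits or rules.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration, not systemd code. The vulnerable pattern was
 * `char *copy = strdupa(path);`, an alloca() onto a stack bounded by
 * RLIMIT_STACK (8 MB by default). This variant bounds the input and
 * allocates on the heap instead. */

#define PATH_CAP (1024 * 1024)   /* hypothetical limit, far below RLIMIT_STACK */

static int is_safe(unsigned char c)
{
    return (c >= '0' && c <= '9') || (c >= 'a' && c <= 'z') ||
           (c >= 'A' && c <= 'Z') || c == '_' || c == '.';
}

/* Escapes a mount point path into a unit-name-like string (simplified rule:
 * strip leading/trailing '/', map '/' to '-', hex-escape other unsafe bytes).
 * Returns a heap string the caller frees, or NULL if the path exceeds PATH_CAP. */
char *path_escape_safe(const char *path)
{
    size_t len = strnlen(path, PATH_CAP + 1);
    if (len > PATH_CAP)
        return NULL;                            /* reject instead of exhausting the stack */

    while (*path == '/') path++;                /* strip leading slashes */
    len = strlen(path);
    while (len && path[len - 1] == '/') len--;  /* strip trailing slashes */

    char *out = malloc(len * 4 + 1);            /* worst case: every byte becomes \xHH */
    if (!out) return NULL;
    char *o = out;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)path[i];
        if (c == '/')         *o++ = '-';
        else if (is_safe(c))  *o++ = (char)c;
        else                  o += sprintf(o, "\\x%02x", c);
    }
    *o = '\0';
    return out;
}

/* Constructs a path longer than PATH_CAP (standing in for a deeply nested
 * mount point) and returns 1 if path_escape_safe() refused it. */
int oversized_path_rejected(void)
{
    size_t n = PATH_CAP + 16;
    char *p = malloc(n + 1);
    if (!p) return 0;
    for (size_t i = 0; i < n; i++) p[i] = (i % 2) ? 'a' : '/';
    p[n] = '\0';
    char *r = path_escape_safe(p);
    int rejected = (r == NULL);
    free(r);
    free(p);
    return rejected;
}
```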

The problem has existed since systemd 220 (April 2015); it has already been fixed in the main systemd repository and in the distributions (Debian, Ubuntu, Fedora, RHEL, SUSE, Arch). Notably, on systemd release 248 the exploit does not work because of a bug in systemd code that causes the processing of /proc/self/mountinfo to fail. It is also interesting that a similar situation arose in 2018: while trying to write an exploit for the CVE-2018-14634 vulnerability in the Linux kernel, Qualys researchers ran into three critical vulnerabilities in systemd.

source: budenet.ru