Vulnerabilities in the eBPF subsystem allowing code execution at the Linux kernel level

Two new vulnerabilities have been identified in the eBPF subsystem, which allows handlers to be run inside the Linux kernel in a dedicated JIT-compiled virtual machine. Both vulnerabilities allow executing arbitrary code with kernel privileges, outside the isolated eBPF virtual machine. Details of the problems were published by the Zero Day Initiative team, which runs the Pwn2Own competition; at this year's contest three attacks on Ubuntu Linux were demonstrated that used previously unknown vulnerabilities (whether the eBPF vulnerabilities are related to those attacks has not been reported).

  • CVE-2021-3490 - The vulnerability is caused by a missing 32-bit bounds check when performing the bitwise AND, OR and XOR operations in eBPF ALU32. An attacker can use this error to read and write data outside the bounds of the allocated buffer. The problem with XOR operations has been present since kernel version 5.7-rc1, and with AND and OR since 5.10-rc1.
  • CVE-2021-3489 - The vulnerability is caused by an error in the ring buffer implementation: the bpf_ringbuf_reserve function did not check for the possibility that the size of the allocated memory region could be smaller than the actual size of the ringbuf. The problem has been present since release 5.8-rc1.

The status of fixes for the vulnerabilities in distributions can be tracked on these pages: Ubuntu, Debian, RHEL, Fedora, SUSE, Arch. Fixes are also available as patches (CVE-2021-3489, CVE-2021-3490). Whether the issue can be exploited depends on whether the eBPF system call is accessible to the user. For example, in the default configuration of RHEL, exploiting the vulnerability requires the user to have the CAP_SYS_ADMIN capability.

Separately, another vulnerability in the Linux kernel can be noted - CVE-2021-32606, which allows a local user to elevate their privileges to root. The problem has been present since Linux kernel 5.11 and is caused by a race condition in the implementation of the CAN ISOTP protocol, which makes it possible to change the socket binding parameters because the proper lock is not taken in the isotp_setsockopt() function when handling the CAN_ISOTP_SF_BROADCAST flag.

After the ISOTP socket is closed, the binding to the receiver socket remains active and can continue to use the structures associated with the socket after the memory belonging to them has been freed (a use-after-free, since the call to isotp_rcv() accesses an isotp_sock structure that has already been released). By manipulating the data, an attacker can overwrite the pointer to the sk_error_report() function and execute their own code at the kernel level.
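A small triage helper tying the "since which release" statements above and the CAP_SYS_ADMIN remark together; this is an added example, not code from the article or from the kernel project. It assumes the kernel.unprivileged_bpf_disabled sysctl (0 means bpf(2) is reachable without CAP_SYS_ADMIN) and the version thresholds quoted in the text; fixed versions are vendor-specific and are deliberately not encoded here.

```python
import re

# Kernel release in which the article says each problem first appeared.
INTRODUCED = {
    "CVE-2021-3490 (eBPF ALU32 XOR)": "5.7-rc1",
    "CVE-2021-3490 (eBPF ALU32 AND/OR)": "5.10-rc1",
    "CVE-2021-3489 (bpf_ringbuf_reserve)": "5.8-rc1",
    "CVE-2021-32606 (CAN ISOTP)": "5.11",
}
_VER_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?")
BPF_EXPOSURE = {None: "unknown (sysctl absent)", 0: "reachable without CAP_SYS_ADMIN"}

def parse_kernel_version(s):
    """Map '5.10-rc1', '5.11' or '5.8.0-63-generic' to a sortable tuple;
    an -rcN tag sorts before the final release of the same version."""
    m = _VER_RE.match(s)
    if not m:
        raise ValueError(f"unrecognised kernel version: {s!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch or 0),
            int(rc) if rc else float("inf"))  # final release > any -rc

def issues_present_since(running):
    """Issues whose introduction release is <= the running kernel."""
    cur = parse_kernel_version(running)
    return [n for n, v in INTRODUCED.items() if parse_kernel_version(v) <= cur]

def read_unprivileged_bpf_disabled(path="/proc/sys/kernel/unprivileged_bpf_disabled"):
    """Read the sysctl that gates bpf(2) for users without CAP_SYS_ADMIN:
    0 = reachable by unprivileged users, non-zero = CAP_SYS_ADMIN required,
    None = file absent (assumed: kernel built without the bpf syscall)."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except FileNotFoundError:
        return None

def triage(running, bpf_sysctl):
    """(issue, exposure) pairs. The two eBPF issues are only reachable without
    CAP_SYS_ADMIN when the sysctl is 0; the ISOTP race does not depend on it."""
    report = []
    for name in issues_present_since(running):
        if name.startswith("CVE-2021-34"):            # the two eBPF issues
            exposure = BPF_EXPOSURE.get(bpf_sysctl, "needs CAP_SYS_ADMIN")
        else:                                          # CAN ISOTP race
            exposure = "local user, if CAN ISOTP is available"
        report.append((name, exposure))
    return report
```

On a live host, call `triage(platform.release(), read_unprivileged_bpf_disabled())`; a hit only means the issue was introduced before that release, so confirm against the distribution pages whether the fix is already applied.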

source: budenet.ru
