Vulnerability in the eBPF subsystem of the Linux kernel

A vulnerability (CVE-2021-29154) has been identified in the eBPF subsystem, which lets handlers for tracing, analysing the operation of kernel subsystems and managing traffic run inside the Linux kernel in a special virtual machine with JIT compilation. The flaw allows a local user to execute their own code at kernel level. The problem affects releases up to and including 5.11.12 and has not yet been fixed in distributions (Debian, Ubuntu, RHEL, Fedora, SUSE, Arch). The fix is available as a patch.

According to the researchers who found the vulnerability, they were able to build a working exploit prototype for 32- and 64-bit x86 systems that can be used by an unprivileged user. Red Hat, however, notes that the severity of the problem depends on whether the eBPF system call is reachable by the user. For example, on RHEL and most other Linux distributions in their default configuration, the vulnerability can be exploited if BPF JIT is enabled and the user holds the CAP_SYS_ADMIN capability. As a workaround, it is recommended to disable BPF JIT with the command: echo 0 > /proc/sys/net/core/bpf_jit_enable
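The checks behind that Red Hat caveat, as an added example that is not part of the article and not Red Hat's or the kernel's own tooling: a small C program that reads the two sysctls involved plus the effective capability set from /proc/self/status and classifies the host. The bit positions of CAP_SYS_ADMIN (21) and CAP_BPF (39) are those of <linux/capability.h>; the classification codes and the sample status text used to exercise the parser are this example's own.

```c
/*
 * Added example, not from the article: assess a host's exposure to
 * CVE-2021-29154 using the three facts the Red Hat note turns on:
 * is the BPF JIT enabled, can unprivileged users reach bpf(2), and does
 * this process hold a capability that bypasses that restriction.
 * Pure functions do the parsing and classification so they can be run on
 * constructed input; main() applies them to the live /proc files.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CAP_SYS_ADMIN 21   /* bit positions as in <linux/capability.h> */
#define CAP_BPF       39   /* since 5.8 also passes the bpf(2) privilege check */

/* Parse the "CapEff:" line of /proc/<pid>/status text and test one capability bit.
 * Returns 1 if set, 0 if clear, -1 if the line is absent. */
int cap_effective_has(const char *status_text, int cap)
{
    const char *p = strstr(status_text, "CapEff:");
    if (!p)
        return -1;
    p += strlen("CapEff:");
    while (*p == ' ' || *p == '\t')
        p++;
    unsigned long long mask = strtoull(p, NULL, 16);
    return (int)((mask >> cap) & 1ULL);
}

/* Exposure classes (this example's own codes). */
enum { JIT_OFF = 0, EXPOSED_UNPRIV = 1, EXPOSED_VIA_CAP = 2, NEEDS_CAP = 3 };

int bpf_jit_exposure(int jit_enable, int unprivileged_bpf_disabled, int has_bpf_capability)
{
    if (jit_enable == 0)
        return JIT_OFF;            /* programs run in the interpreter; the JIT bug is unreachable */
    if (unprivileged_bpf_disabled == 0)
        return EXPOSED_UNPRIV;     /* any local user can load programs into the JIT */
    if (has_bpf_capability)
        return EXPOSED_VIA_CAP;    /* bpf(2) is restricted, but this process passes the check */
    return NEEDS_CAP;              /* only CAP_SYS_ADMIN/CAP_BPF holders can reach the JIT */
}

const char *exposure_text(int code)
{
    switch (code) {
    case JIT_OFF:         return "not exposed: BPF JIT disabled (bpf_jit_enable=0)";
    case EXPOSED_UNPRIV:  return "exposed to any local user: JIT on, unprivileged bpf() allowed";
    case EXPOSED_VIA_CAP: return "exposed to this process: JIT on, bpf() reachable via CAP_SYS_ADMIN/CAP_BPF";
    default:              return "reachable only with CAP_SYS_ADMIN/CAP_BPF: JIT on, unprivileged bpf() disabled";
    }
}

/* Read one integer from a sysctl file; -1 if it cannot be read (e.g. not Linux). */
static int read_int_file(const char *path)
{
    FILE *f = fopen(path, "r");
    int v = -1;
    if (!f)
        return -1;
    if (fscanf(f, "%d", &v) != 1)
        v = -1;
    fclose(f);
    return v;
}

int main(void)
{
    char status[4096] = {0};
    FILE *f = fopen("/proc/self/status", "r");
    if (f) {
        fread(status, 1, sizeof status - 1, f);
        fclose(f);
    }
    int jit = read_int_file("/proc/sys/net/core/bpf_jit_enable");
    int unpriv = read_int_file("/proc/sys/kernel/unprivileged_bpf_disabled");
    int cap = cap_effective_has(status, CAP_SYS_ADMIN) == 1 ||
              cap_effective_has(status, CAP_BPF) == 1;
    if (jit < 0 || unpriv < 0) {
        fprintf(stderr, "could not read the BPF sysctls; is this a Linux host?\n");
        return 1;
    }
    printf("bpf_jit_enable=%d unprivileged_bpf_disabled=%d cap=%d -> %s\n",
           jit, unpriv, cap, exposure_text(bpf_jit_exposure(jit, unpriv, cap)));
    return 0;
}
```

One limit of the article's workaround worth knowing before relying on it: on kernels built with CONFIG_BPF_JIT_ALWAYS_ON=y (common in distribution kernels), bpf_jit_enable accepts only the value 1 and the echo above fails, so on such systems the patch is the only remedy.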

The problem is caused by an error in the computation of branch displacements while the JIT compiler generates machine code. The JIT sizes every jump from the instruction addresses computed in the previous pass and assumes that a branch's distance can only shrink between optimization passes; in fact it can grow, so a displacement encoded in the final image may no longer match the layout of that image. This flaw can be used to produce malformed machine code and have it executed at kernel level.
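To make that mechanism concrete, here is an added example that is not kernel code and not the researchers' exploit: a toy model of the x86 BPF JIT's multi-pass branch sizing. The conventions it copies from arch/x86/net/bpf_jit_comp.c are that addrs[i] holds the end offset of instruction i, the first pass starts from a 64-byte-per-instruction estimate, a jump with displacement 0 is dropped, a jump is encoded as EB rel8 (2 bytes) when its displacement fits an imm8 and as E9 rel32 (5 bytes) otherwise, passes repeat until two consecutive passes have the same total length, and the fix adds an assertion in the final image pass that addrs[i] did not change from the prior pass. The five-instruction program and its filler sizes are constructed for this example; the real exploit needs a verifier-accepted program, which this toy (whose backward unconditional jump is an infinite loop) does not model.

```c
/*
 * Added example, not kernel code: a toy model of the x86 BPF JIT's branch
 * sizing across passes, sized to show the CVE-2021-29154 hazard. The program
 * below is constructed so that the forward jump at insn 1 and the backward jump
 * at insn 3 swap between the 2-byte and 5-byte encodings on every pass: the
 * total length is stable (256 bytes) while the layout is not, so the length
 * check passes and the image pass emits a stale displacement.
 */
#include <stdio.h>

enum { OP_FILL, OP_JA };            /* FILL: arg = fixed byte size; JA: arg = jump offset in insns */
struct insn { int op; int arg; };

#define MAX_INSNS   64
#define INSN_SAFETY 64              /* kernel's BPF_INSN_SAFETY initial per-insn estimate */
#define MAX_PASSES  20

struct layout { int size[MAX_INSNS]; int disp[MAX_INSNS]; int total; };

static int is_imm8(int d) { return d >= -128 && d <= 127; }

/* One pass over the program, like do_jit(). When the jump at i is sized, addrs[] below i
 * already holds this pass's values while addrs[i] and above still hold the previous pass. */
static int do_pass(const struct insn *prog, int n, int *addrs, int validate, struct layout *lay)
{
    int proglen = 0;
    for (int i = 0; i < n; i++) {
        int ilen, disp = 0;
        if (prog[i].op == OP_FILL) {
            ilen = prog[i].arg;
        } else {
            int t = i + prog[i].arg;
            if (t < 0 || t >= n)
                return -1;                       /* malformed program */
            disp = addrs[t] - addrs[i];          /* target end minus own end, mixed passes */
            ilen = disp == 0 ? 0 : is_imm8(disp) ? 2 : 5;
        }
        proglen += ilen;
        /* The CVE-2021-29154 fix: in the image pass, addrs[i] must not have moved since
         * the previous pass, otherwise the displacement just emitted is stale. */
        if (validate && proglen != addrs[i])
            return -1;
        addrs[i] = proglen;
        lay->size[i] = ilen;
        lay->disp[i] = disp;
    }
    lay->total = proglen;
    return proglen;
}

/* Iterate until the total length stops changing, then emit the "image" pass.
 * Returns the image length, -1 if validation refused it, -2 if it never converged. */
int jit_compile(const struct insn *prog, int n, int validate, struct layout *image)
{
    int addrs[MAX_INSNS];
    int oldproglen = 0, proglen, pass;
    for (int i = 0; i < n; i++)
        addrs[i] = (i + 1) * INSN_SAFETY;
    for (pass = 0; pass < MAX_PASSES; pass++) {
        proglen = do_pass(prog, n, addrs, 0, image);
        if (proglen < 0)
            return proglen;
        if (proglen == oldproglen)
            break;                               /* "converged" by total length only */
        oldproglen = proglen;
    }
    if (pass == MAX_PASSES)
        return -2;
    return do_pass(prog, n, addrs, validate, image);
}

/* End offset of instruction i in an emitted layout. */
static int end_of(const struct layout *lay, int i)
{
    int off = 0;
    for (int k = 0; k <= i; k++)
        off += lay->size[k];
    return off;
}
int jump_lands_at(const struct layout *lay, int i) { return end_of(lay, i) + lay->disp[i]; }
int jump_should_land_at(const struct layout *lay, const struct insn *prog, int i)
{
    return end_of(lay, i + prog[i].arg);
}

/* Constructed program (sizes chosen for this example). */
const struct insn demo_prog[] = {
    { OP_FILL, 123 },   /* 0 */
    { OP_JA,   2 },     /* 1: jump over the loop, to the end of insn 3 */
    { OP_FILL, 125 },   /* 2 */
    { OP_JA,  -2 },     /* 3: jump back to the end of insn 1 */
    { OP_FILL, 1 },     /* 4: e.g. ret */
};
const int demo_len = 5;

int main(void)
{
    struct layout img;
    int len = jit_compile(demo_prog, demo_len, 0, &img);
    printf("unfixed JIT: image %d bytes; jump@1 lands at %d, should land at %d\n",
           len, jump_lands_at(&img, 1), jump_should_land_at(&img, demo_prog, 1));
    printf("fixed JIT:   result %d (negative = refused)\n",
           jit_compile(demo_prog, demo_len, 1, &img));
    return 0;
}
```

Walking the passes by hand: pass 1 sizes the forward jump from the 64-byte estimates (distance 128, 5 bytes) and the backward jump from a mix of fresh and estimated addresses (distance -128, 2 bytes); pass 2 sees the opposite (127 and -130), so the two jumps trade encodings and the total stays at 256 bytes. The unfixed image pass then emits the forward jump with displacement 130 while its target is only 127 bytes away, landing 3 bytes past the end of the image; the fixed variant refuses at that instruction.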

Notably, this is not the only recent vulnerability in the eBPF subsystem. At the end of March, two more kernel vulnerabilities were identified (CVE-2020-27170, CVE-2020-27171) that allow eBPF to be used to bypass the protections against Spectre-class attacks, making it possible to determine the contents of kernel memory by creating the conditions for speculative execution of certain operations. A Spectre attack requires the presence of particular instruction sequences in privileged code that lead to speculative execution of instructions. In eBPF, several ways were found to generate such sequences by manipulating the BPF programs submitted for execution.

CVE-2020-27170 is caused by pointer manipulation in the BPF verifier that makes speculative operations access memory outside the bounds of a buffer. CVE-2020-27171 is due to an integer underflow when working with pointers, which likewise leads to speculative access to data outside the buffer. Both problems have already been fixed in kernel releases 5.11.8, 5.10.25, 5.4.107, 4.19.182 and 4.14.227, and the fixes are included in kernel updates for most Linux distributions. The researchers have prepared an exploit prototype that allows an unprivileged user to extract data from kernel memory.

source: budenet.ru
