Dirty Frag vulnerabilities modify the page cache to gain root access on any Linux distribution

Two vulnerabilities have been discovered in the Linux kernel. They are similar to the Copy Fail vulnerability disclosed a few days ago, but they affect other subsystems: xfrm-ESP and RxRPC. This class of vulnerabilities has been codenamed Dirty Frag (also called Copy Fail 2). The vulnerabilities allow an unprivileged user to gain root privileges by overwriting process data in the page cache. An exploit is available that works on all current Linux distributions. The vulnerability was disclosed before fixes were published, but a workaround exists.

Dirty Frag covers two distinct vulnerabilities: the first in the xfrm-ESP module, which is used to accelerate IPsec encryption with the ESP (Encapsulating Security Payload) protocol, and the second in the RxRPC driver, which implements the AF_RXRPC socket family and the RPC protocol of the same name, running over UDP. Each vulnerability, taken separately, allows root privileges to be obtained. The xfrm-ESP vulnerability has been present in the Linux kernel since January 2017, and the RxRPC vulnerability since June 2023. Both issues are caused by optimizations that allow writing directly to the page cache.

To exploit the xfrm-ESP vulnerability, the user must have permission to create namespaces, and to exploit the RxRPC vulnerability, the rxrpc.ko kernel module must be loaded. For example, on Ubuntu, AppArmor rules prevent unprivileged users from creating namespaces, but the rxrpc.ko module is loaded by default. Some distributions do not have the rxrpc.ko module but do not block namespace creation. The researcher who found the issue built a combined exploit that can attack a system through either vulnerability, which makes the issue exploitable on all major distributions. The exploit has been confirmed to work on Ubuntu 24.04.4 with kernel 6.17.0-23, RHEL 10.1 with kernel 6.12.0-124.49.1, openSUSE Tumbleweed with kernel 7.0.2-1, CentOS Stream 10 with kernel 6.12.0-224, AlmaLinux 10 with kernel 6.12.0-124.52.3, and Fedora 44 with kernel 6.19.14-300.

As with the Copy Fail vulnerability, the issues in xfrm-ESP and RxRPC are caused by performing data decryption with the splice() function, which moves data between file descriptors and pipes without copying, by passing references to elements in the page cache. The write offsets were calculated without proper checks that account for the use of direct references to page cache elements, allowing specially crafted requests to overwrite 4 bytes at an offset and modify the contents of a file in the page cache.

Every file read operation first retrieves content from the page cache. If data in the page cache has been modified, file reads return the modified data, not the actual data stored on disk. Exploiting the vulnerability comes down to modifying the page cache for an executable file with the suid root flag. For example, to gain root privileges, one can read the /usr/bin/su executable so that it is placed in the page cache, and then substitute one's own code into the contents of this file as loaded in the page cache. A subsequent run of the "su" utility causes the modified copy from the page cache to be loaded into memory, not the original executable from disk.

Disclosure of the vulnerability and a coordinated release of fixes were scheduled for May 12, but because of a leak, the vulnerability details had to be published before the fixes were released. At the end of April, patches for rxrpc, ipsec, and xfrm were posted to the public netdev mailing list without mentioning that they were related to a vulnerability. On May 5, the IPsec subsystem maintainer accepted a change into the netdev Git repository with the proposed fix in the xfrm-esp module. The description of the change was largely the same as the description of the issue that led to the Copy Fail vulnerability in the algif_aead module. A security researcher took an interest in this fix, managed to create an exploit, and published it, unaware that an embargo on publishing information about the issue was in place until May 12.

Updates with fixes for the Linux kernel and for kernel packages in distributions have not yet been published, but patches that address the issues are available: xfrm-esp and rxrpc. CVE identifiers have not been assigned, which makes it harder to track package updates in distributions. As a workaround, you can block loading of the esp4, esp6, and rxrpc kernel modules:

sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true"
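The following audit script is an added example, not part of the original article or of any kernel or distribution tooling. It checks whether esp4, esp6 and rxrpc are loaded or blocked by an `install ... /bin/false` rule, and whether unprivileged user namespaces appear permitted. The function names and the sysctl paths it reads are assumptions not taken from the article, and the path parameters exist so it can be run against constructed fixtures.

```sh
#!/bin/sh
# Added example: audit the Dirty Frag exposure conditions and the modprobe workaround.
# Function names and the sysctl paths are assumptions, not taken from the article.
MODS="esp4 esp6 rxrpc"

# module_loaded NAME [PROC_MODULES]: succeeds if NAME is currently loaded.
module_loaded() {
    grep -q "^$1 " "${2:-/proc/modules}" 2>/dev/null
}

# module_blocked NAME [MODPROBE_DIR]: succeeds if "install NAME /bin/false" is configured.
module_blocked() {
    cat "${2:-/etc/modprobe.d}"/*.conf 2>/dev/null |
        grep -Eq "^[[:space:]]*install[[:space:]]+$1[[:space:]]+/bin/false([[:space:]]|\$)"
}

# userns_allowed [SYSCTL_ROOT]: succeeds if no known sysctl restricts
# unprivileged user namespaces (heuristic; absent files count as unrestricted).
userns_allowed() {
    root="${1:-/proc/sys}"
    v=$(cat "$root/user/max_user_namespaces" 2>/dev/null) && [ "$v" = 0 ] && return 1
    v=$(cat "$root/kernel/unprivileged_userns_clone" 2>/dev/null) && [ "$v" = 0 ] && return 1
    v=$(cat "$root/kernel/apparmor_restrict_unprivileged_userns" 2>/dev/null) &&
        [ "$v" = 1 ] && return 1
    return 0
}

# audit [PROC_MODULES] [MODPROBE_DIR] [SYSCTL_ROOT]: prints findings and
# returns how many module findings there are (0 means the workaround is in place).
audit() {
    findings=0
    for m in $MODS; do
        if module_loaded "$m" "$1"; then
            echo "FINDING: $m is loaded"; findings=$((findings + 1))
        fi
        if ! module_blocked "$m" "$2"; then
            echo "FINDING: no 'install $m /bin/false' rule for $m"; findings=$((findings + 1))
        fi
    done
    if userns_allowed "$3"; then
        echo "NOTE: unprivileged user namespaces appear permitted (xfrm-ESP precondition)"
    fi
    return "$findings"
}

audit "$@" || echo "audit: $? module finding(s) need attention"
```

The workaround command discards rmmod errors, so a module that is in use stays loaded even after the rule file is written; the "is loaded" finding catches that case.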

Source: opennet.ru