ProHoster > ื‘ืœื•ื’ > ื—ื“ืฉื•ืช ื‘ืื™ื ื˜ืจื ื˜ > ืคื’ื™ืขื•ื™ื•ืช ื‘ืชืช-ืžืขืจื›ืช eBPF ืฉืœ ืœื™ื‘ืช ืœื™ื ื•ืงืก

ืคื’ื™ืขื•ื™ื•ืช ื‘ืชืช-ืžืขืจื›ืช eBPF ืฉืœ ืœื™ื‘ืช ืœื™ื ื•ืงืก

ื–ื•ื”ืชื” ืคื’ื™ืขื•ืช (CVE-2021-29154) ื‘ืชืช-ืžืขืจื›ืช eBPF, ื”ืžืืคืฉืจืช ืœื”ืคืขื™ืœ ืžื˜ืคืœื™ื ืœืžืขืงื‘, ื ื™ืชื•ื— ืคืขื•ืœืช ืชืช-ืžืขืจื›ื•ืช ื•ื ื™ื”ื•ืœ ืชืขื‘ื•ืจื”, ื”ืžื‘ื•ืฆืขืช ื‘ืชื•ืš ืœื™ื‘ืช ืœื™ื ื•ืงืก ื‘ืžื›ื•ื ื” ื•ื™ืจื˜ื•ืืœื™ืช ืžื™ื•ื—ื“ืช ืขื JIT, ื”ืžืืคืฉืจืช ืžืฉืชืžืฉ ืžืงื•ืžื™ ื›ื“ื™ ืœื”ืฉื™ื’ ื‘ื™ืฆื•ืข ืฉืœ ื”ืงื•ื“ ืฉืœื• ื‘ืจืžืช ื”ืงืจื ืœ. ื”ื‘ืขื™ื” ืžื•ืคื™ืขื” ืขื“ ืฉื—ืจื•ืจื• ืฉืœ 5.11.12 (ื›ื•ืœืœ) ื•ืขื“ื™ื™ืŸ ืœื ืชื•ืงื ื” ื‘ื”ืคืฆื•ืช (Debian, Ubuntu, RHEL, Fedora, SUSE, Arch). ื”ืชื™ืงื•ืŸ ื–ืžื™ืŸ ื›ืชื™ืงื•ืŸ.

ืขืœ ืคื™ ื”ื—ื•ืงืจื™ื ืฉื–ื™ื”ื• ืืช ื”ืคื’ื™ืขื•ืช, ื”ื ื”ืฆืœื™ื—ื• ืœืคืชื— ืื‘ ื˜ื™ืคื•ืก ืขื•ื‘ื“ ืฉืœ ื”ื ื™ืฆื•ืœ ืขื‘ื•ืจ ืžืขืจื›ื•ืช 32 ื•-64 ืกื™ื‘ื™ื•ืช x86, ืฉื™ื›ื•ืœ ืœืฉืžืฉ ืžืฉืชืžืฉ ื—ืกืจ ื”ืจืฉืื•ืช. ืขื ื–ืืช, Red Hat ืžืฆื™ื™ื ืช ื›ื™ ื—ื•ืžืจืช ื”ื‘ืขื™ื” ืชืœื•ื™ื” ื‘ืฉืืœื” ื”ืื ืฉื™ื—ืช ืžืขืจื›ืช eBPF ื ื’ื™ืฉื” ืœืžืฉืชืžืฉ. ืœื“ื•ื’ืžื”, ื‘-RHEL ื•ื‘ืจื•ื‘ ื”ืคืฆื•ืช ืœื™ื ื•ืงืก ืื—ืจื•ืช ื‘ืชืฆื•ืจืช ื‘ืจื™ืจืช ื”ืžื—ื“ืœ, ื ื™ืชืŸ ืœื ืฆืœ ืืช ื”ืคื’ื™ืขื•ืช ืื BPF JIT ืžื•ืคืขืœ ื•ืœืžืฉืชืžืฉ ื™ืฉ ื–ื›ื•ื™ื•ืช CAP_SYS_ADMIN. ื›ื“ืจืš ืœืขืงื™ืคืช ื”ื‘ืขื™ื”, ืžื•ืžืœืฅ ืœื”ืฉื‘ื™ืช ืืช BPF JIT ื‘ืืžืฆืขื•ืช ื”ืคืงื•ื“ื”: echo 0 > /proc/sys/net/core/bpf_jit_enable

ื”ื‘ืขื™ื” ื ื’ืจืžืช ืžืฉื’ื™ืื” ื‘ื—ื™ืฉื•ื‘ ื”ื”ื™ืกื˜ ืขื‘ื•ืจ ื”ื•ืจืื•ืช ืขื ืฃ ื‘ืžื”ืœืš ืชื”ืœื™ืš ื™ืฆื™ืจืช ืงื•ื“ ื”ืžื›ื•ื ื” ืฉืœ ืžื”ื“ืจ JIT. ื‘ืคืจื˜, ื‘ืขืช ื”ืคืงืช ื”ื•ืจืื•ืช ืกื ื™ืฃ, ื”ื•ื ืื™ื ื• ืœื•ืงื— ื‘ื—ืฉื‘ื•ืŸ ืฉื”ืงื™ื–ื•ื– ืขืฉื•ื™ ืœื”ืฉืชื ื•ืช ืœืื—ืจ ืžืขื‘ืจ ืฉืœื‘ ื”ืื•ืคื˜ื™ืžื™ื–ืฆื™ื”. ื ื™ืชืŸ ืœื”ืฉืชืžืฉ ื‘ืคื’ื ื–ื” ื›ื“ื™ ืœื™ืฆื•ืจ ืงื•ื“ ืžื›ื•ื ื” ื—ืจื™ื’ ื•ืœื”ืคืขื™ืœ ืื•ืชื• ื‘ืจืžืช ื”ืงืจื ืœ.

ืจืื•ื™ ืœืฆื™ื™ืŸ ืฉื–ื• ืœื ื”ืคื’ื™ืขื•ืช ื”ื™ื—ื™ื“ื” ื‘ืชืช-ื”ืžืขืจื›ืช eBPF ืœืื—ืจื•ื ื”. ื‘ืกื•ืฃ ืžืจืฅ ื–ื•ื”ื• ืฉืชื™ ืคืจืฆื•ืช ื ื•ืกืคื•ืช ื‘ืœื™ื‘ื” (CVE-2020-27170, CVE-2020-27171), ืžื” ืฉืžืืคืฉืจ ืœื”ืฉืชืžืฉ ื‘-eBPF ื›ื“ื™ ืœืขืงื•ืฃ ื”ื’ื ื” ืžืคื ื™ ืคืจืฆื•ืช ืžื—ืœืงื•ืช Spectre, ื”ืžืืคืฉืจื•ืช ืœืงื‘ื•ืข ืืช ืชื•ื›ืŸ ื–ื™ื›ืจื•ืŸ ื”ืงืจื ืœ. ื›ืชื•ืฆืื” ืžื™ืฆื™ืจืช ืชื ืื™ื ืœื‘ื™ืฆื•ืข ืกืคืงื•ืœื˜ื™ื‘ื™ ืฉืœ ืคืขื•ืœื•ืช ืžืกื•ื™ืžื•ืช. ืžืชืงืคืช ืกืคืงื˜ืจ ื“ื•ืจืฉืช ื ื•ื›ื—ื•ืช ืฉืœ ืจืฆืฃ ืžืกื•ื™ื ืฉืœ ืคืงื•ื“ื•ืช ื‘ืงื•ื“ ืžื™ื•ื—ืก ืฉืžื•ื‘ื™ืœ ืœื‘ื™ืฆื•ืข ืกืคืงื•ืœื˜ื™ื‘ื™ ืฉืœ ื”ื•ืจืื•ืช. ื‘-eBPF, ื ืžืฆืื• ืžืกืคืจ ื“ืจื›ื™ื ืœื™ืฆื•ืจ ื”ื•ืจืื•ืช ื›ืืœื” ื‘ืืžืฆืขื•ืช ืžื ื™ืคื•ืœืฆื™ื•ืช ืขื ืชื•ื›ื ื™ื•ืช BPF ื”ืžื•ืขื‘ืจื•ืช ืœื‘ื™ืฆื•ืข.

ื”ืคื’ื™ืขื•ืช ืฉืœ CVE-2020-27170 ื ื’ืจืžืช ืขืœ ื™ื“ื™ ืžื ื™ืคื•ืœืฆื™ื” ืฉืœ ืžืฆื‘ื™ืข ื‘ืžืืžืช ื”-BPF ืฉื’ื•ืจืžืช ืœืคืขื•ืœื•ืช ืกืคืงื•ืœื˜ื™ื‘ื™ื•ืช ืœื’ืฉืช ืœืื–ื•ืจ ืžื—ื•ืฅ ืœื’ื‘ื•ืœื•ืช ื”ื—ื™ืฅ. ื”ืคื’ื™ืขื•ืช CVE-2020-27171 ื ื•ื‘ืขืช ืžืฉื’ื™ืืช ื–ืจื™ืžื” ืฉืœ ืžืกืคืจ ืฉืœื ื‘ืขืช ืขื‘ื•ื“ื” ืขื ืžืฆื‘ื™ืขื™ื, ืžื” ืฉืžื•ื‘ื™ืœ ืœื’ื™ืฉื” ืกืคืงื•ืœื˜ื™ื‘ื™ืช ืœื ืชื•ื ื™ื ืžื—ื•ืฅ ืœืžืื’ืจ. ื‘ืขื™ื•ืช ืืœื• ื›ื‘ืจ ืชื•ืงื ื• ื‘ืžื”ื“ื•ืจื•ืช ืœื™ื‘ื” 5.11.8, 5.10.25, 5.4.107, 4.19.182 ื•-4.14.227, ื•ื›ืŸ ื ื›ืœืœื• ื‘ืขื“ื›ื•ื ื™ ืœื™ื‘ื” ืขื‘ื•ืจ ืจื•ื‘ ื”ื”ืคืฆื•ืช ืฉืœ ืœื™ื ื•ืงืก. ื—ื•ืงืจื™ื ื”ื›ื™ื ื• ื ื™ืฆื•ืœ ืื‘ ื˜ื™ืคื•ืก ื”ืžืืคืฉืจ ืœืžืฉืชืžืฉ ื—ืกืจ ื–ื›ื•ื™ื•ืช ืœื—ืœืฅ ื ืชื•ื ื™ื ืžื–ื™ื›ืจื•ืŸ ื”ืœื™ื‘ื”.

ืžืงื•ืจ: OpenNet.ru

ื”ื•ืกืคืช ืชื’ื•ื‘ื”