I roto i te pūnaha iti eBPF, e āhei ai koe ki te whakahaere i ngā kaiwhakahaere mō te whai, te tātari i te mahi a te pūnaha iti me te whakahaere waka, e whakahaerehia ana i roto i te kernel Linux I kitea tētahi ngoikoretanga (CVE-2021-29154) i roto i tētahi mīhini mariko motuhake me te JIT, e āhei ai tētahi kaiwhakamahi ā-rohe ki te whakahaere i tā rātou ake waehere i te taumata kernel. Kei te mau tonu te raruraru tae noa ki te tukunga 5.11.12, ā, kāore anō kia whakatikahia i roto i ngā tohatoha (Debian, Ubuntu, RHEL, Fedora, SUSE, Arch). Kei te wātea te whakatikatika hei papaki.
E ai ki ngā kairangahau i kitea te ngoikoretanga, kua whakawhanakehia e rātou he tauira whakamahi mahi mō ngā pūnaha x86 32- me te 64-bit ka taea te whakamahi e te kaiwhakamahi kāore i te whai mana. E kī ana a Red Hat ko te kaha o te raruraru e whakawhirinaki ana ki te kaiwhakamahi e uru atu ana ki te karanga pūnaha eBPF. Hei tauira, i roto i te RHEL me te nuinga o ngā tohatoha atu. Linux I te whirihoranga taunoa, ka taea te whakamahi i te ngoikoretanga mēnā ka whakahohea te BPF JIT, ā, kei te kaiwhakamahi ngā mana CAP_SYS_ADMIN. Hei huarahi whakaoti, me whakakore te BPF JIT mā te whakamahi i te whakahau: echo 0 > /proc/sys/net/core/bpf_jit_enable
Ko te raruraru i puta mai i te hapa i te tatau i te waahi mo nga tohutohu manga i te wa o te tukanga whakaputa waehere miihini o te JIT compiler. Ina koa, i te wa e whakaputa ana i nga tohutohu peka, karekau e whai whakaaro ka huri pea te wehenga i muri i te paahitanga o te wahanga arotautanga. Ka taea te whakamahi i tenei koha ki te whakaputa i te waehere miihini rerekee me te mahi i te taumata kernel.
Ko te mea nui ehara tenei anake i te whakaraeraetanga i roto i te punaha iti eBPF inaianei. I te mutunga o Poutu-te-rangi, e rua atu nga whakaraeraetanga i kitea i roto i te kakano (CVE-2020-27170, CVE-2020-27171), ka taea te whakamahi eBPF ki te karo i te whakamarumaru ki nga whakaraeraetanga o te karaehe Specter, e taea ai te whakatau i nga ihirangi o te mahara kernel. na te hanga tikanga mo te whakatinanatanga o etahi mahi. Ko te whakaekenga a Specter e hiahia ana kia tae mai tetahi raupapa o nga whakahau i roto i te waehere whaimana e arahi ana ki te whakatinanatanga o nga tohutohu. I roto i te eBPF, he maha nga huarahi kua kitea ki te whakaputa i nga tohutohu penei ma te raweke me nga kaupapa BPF i tukuna mo te mahi.
Ko te ngoikore o te CVE-2020-27170 i puta mai i ngā whakarerekētanga tohu i roto i te manatoko BPF, ka puta ai ngā urunga whakapae ki waho o ngā rohe. Ko te ngoikore o te CVE-2020-27171 e pā ana ki te hapa rerenga tauoti i te wā e whakahaere ana i ngā tohu, ka puta ai ngā urunga whakapae ki waho o ngā rohe. Kua whakatikahia ēnei take i roto i ngā putanga kernel 5.11.8, 5.10.25, 5.4.107, 4.19.182, me 4.14.227, ā, kei roto hoki i ngā whakahoutanga kernel mō te nuinga o ngā tohatoha. LinuxKua whakawhanakehia e ngā kairangahau tētahi tauira whakamahi e taea ai e tētahi kaiwhakamahi kāore i te whai mana te tango raraunga mai i te mahara kernel.
Source: opennet.ru
