Root vulnerability in the Linux kernel and denial of service in systemd

Security researchers from Qualys have disclosed details of two vulnerabilities affecting the Linux kernel and the systemd system manager. The kernel vulnerability (CVE-2021-33909) allows a local unprivileged user to achieve code execution with root privileges by manipulating deeply nested directories.

The severity of the vulnerability is heightened by the fact that the researchers were able to prepare working exploits for Ubuntu 20.04/20.10/21.04, Debian 11 and Fedora 34 in their default configuration. Other distributions have not been tested, but in theory they are affected by the problem as well and could be attacked. The full exploit code is promised for publication once the problem has been fixed everywhere; for now only a prototype with limited functionality is available, which causes the system to crash. The problem has existed since July 2014 and affects kernel releases starting with 3.16. The fix for the vulnerability was coordinated with the community and accepted into the kernel on July 19. Major distributions have already released updates to their kernel packages (Debian, Ubuntu, Fedora, RHEL, SUSE, Arch).

The vulnerability is caused by a missing check on the result of a size_t to int conversion before that value is used in the seq_file code, which builds files from a sequence of records. The missing check can lead to an out-of-bounds write to a buffer when creating, mounting and removing a directory structure with a very high nesting level (a path size exceeding 1 GB). As a result, an attacker can get the 10-byte string "//deleted" written at the offset "-2 GB - 10 bytes", pointing to an area immediately preceding the allocated buffer.
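As an added illustration (not kernel code and not the fix that was merged), the following user-space model shows the size_t-to-int narrowing class behind this bug: the defective shape beside a checked one. The buffer sizes and the DELETED_LEN tail are assumptions modelled on the description above.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DELETED_STR "//deleted"
#define DELETED_LEN 10   /* nine characters plus the terminating NUL (assumed tail) */

/* Defective shape: a size_t buffer size is narrowed to int at a call boundary.
 * For a 2 GiB buffer the int becomes INT_MIN, so the place where the 10-byte
 * tail is written lands 2 GiB + 10 bytes before the start of the buffer. */
static ptrdiff_t tail_offset_unchecked(size_t size)
{
    int buflen = (int)size;                 /* the narrowing the real bug never checked */
    return (ptrdiff_t)buflen - DELETED_LEN; /* offset of the tail relative to buf */
}

/* Hardened shape: refuse any size that does not fit in int (or cannot hold
 * the tail) before doing arithmetic with it. Returns 0 and sets *off, or -1. */
static int tail_offset_checked(size_t size, ptrdiff_t *off)
{
    if (size > (size_t)INT_MAX || size < DELETED_LEN)
        return -1;
    *off = (ptrdiff_t)size - DELETED_LEN;
    return 0;
}

/* Writes the tail only through the checked path, so it can never leave buf. */
static int write_deleted_tail(char *buf, size_t size)
{
    ptrdiff_t off;
    if (tail_offset_checked(size, &off) != 0)
        return -1;
    memcpy(buf + off, DELETED_STR, DELETED_LEN);
    return 0;
}

int main(void)
{
    char small[64];
    ptrdiff_t off;
    size_t huge = (size_t)1 << 31;          /* 2 GiB, the size reached by the deep path */
    printf("unchecked offsets: %td (64 B), %td (2 GiB)\n",
           tail_offset_unchecked(sizeof small), tail_offset_unchecked(huge));
    printf("checked 2 GiB: %s\n", tail_offset_checked(huge, &off) == 0 ? "accepted" : "rejected");
    write_deleted_tail(small, sizeof small);
    printf("tail in 64-byte buffer: %s\n", small + sizeof small - DELETED_LEN);
    return 0;
}
```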

The prepared exploit requires 5 GB of memory and 1 million free inodes to operate. It works by calling mkdir() to create roughly one million nested subdirectories so that the file path size exceeds 1 GB. This directory is then bind-mounted in a separate user namespace, after which rmdir() is called to remove it. In parallel, a thread is created that loads a small eBPF program, which is blocked at the stage after the eBPF pseudocode has been verified but before it is JIT-compiled.

In the unprivileged user namespace, the /proc/self/mountinfo file is opened and the long path name of the bind-mounted directory is read, which causes the string "//deleted" to be written to the area before the start of the buffer. The position of that write is chosen so that it overwrites an instruction in the eBPF program that has already been verified but not yet compiled.

Next, at the level of the eBPF program, the uncontrolled out-of-bounds write is turned into a controlled ability to read and write other kernel structures by manipulating the btf and map_push_elem structures. As a result, the exploit determines the location of the modprobe_path[] buffer in kernel memory and overwrites the "/sbin/modprobe" path stored there, which makes it possible to start any executable file with root privileges on a request_module() call, such as the one performed when a netlink socket is created.

The researchers have proposed several workarounds that are effective only against specific exploits and do not fix the problem itself. It is recommended to set "/proc/sys/kernel/unprivileged_userns_clone" to 0 to disable mounting directories in a separate user namespace, and "/proc/sys/kernel/unprivileged_bpf_disabled" to 1 to prohibit loading eBPF programs into the kernel.

Notably, while investigating an alternative attack vector that uses the FUSE mechanism instead of bind-mount to mount a large directory, the researchers encountered another vulnerability (CVE-2021-33910) affecting the systemd system manager. It turned out that when an attempt is made to mount a directory whose path size exceeds 8 MB via FUSE, the init process (PID1) runs out of stack memory and crashes, leaving the system in a "panic" state.

The problem is that systemd monitors and parses the contents of /proc/self/mountinfo and processes each mount point in the unit_name_path_escape() function, which calls strdupa() and thereby places the data on the stack rather than in dynamically allocated memory. Since the maximum stack size is limited via RLIMIT_STACK, processing an overly large mount-point path causes the PID1 process to crash and the system to halt. For an attack it is enough to use the simplest FUSE module together with a deeply nested directory as the mount point, with a path size exceeding 8 MB.
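An added example, not systemd's code and not its fix: a simplified model of the escaping step, with the hardened shape of bounding the path length up front and copying to the heap instead of using strdupa() on the stack. The MOUNT_PATH_MAX cap and the escaping rules are assumptions of this example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed bound for this example: far below the 8 MiB default stack limit
 * named in the article, yet larger than any mount path seen in practice. */
#define MOUNT_PATH_MAX (64 * 1024)

/* Simplified model of a mount-point-to-unit-name escaper (not systemd's own
 * function): leading/trailing slashes are dropped, '/' becomes '-', a literal
 * '-' becomes "\x2d". The copy is heap-allocated and the length is checked
 * first, so an attacker-sized path cannot exhaust PID1's stack. Returns 0, or -1 with errno set. */
static int escape_mount_path_bounded(const char *path, char **out)
{
    size_t n = 0;
    while (n <= MOUNT_PATH_MAX && path[n] != '\0')
        n++;
    if (n > MOUNT_PATH_MAX) { errno = ENAMETOOLONG; return -1; }

    while (n > 0 && path[0] == '/') { path++; n--; }   /* strip leading slashes */
    while (n > 0 && path[n - 1] == '/') n--;           /* strip trailing slashes */

    char *buf = malloc(4 * n + 2);   /* "\x2d" is the widest expansion; +2 for "-" and NUL */
    if (buf == NULL) return -1;
    size_t j = 0;
    for (size_t i = 0; i < n; i++) {
        if (path[i] == '/') buf[j++] = '-';
        else if (path[i] == '-') { memcpy(buf + j, "\\x2d", 4); j += 4; }
        else buf[j++] = path[i];
    }
    if (j == 0) buf[j++] = '-';      /* the root mount point escapes to "-" */
    buf[j] = '\0';
    *out = buf;
    return 0;
}

int main(void)
{
    char *esc = NULL;
    if (escape_mount_path_bounded("/mnt/data-disk/", &esc) == 0) { printf("%s\n", esc); free(esc); }
    /* Constructed input: a path just over 8 MiB, the size the article gives for the crash. */
    size_t len = (size_t)8 * 1024 * 1024 + 1;
    char *huge = malloc(len + 1); if (huge == NULL) return 1;
    memset(huge, 'a', len); huge[len] = '\0';
    if (escape_mount_path_bounded(huge, &esc) != 0) printf("rejected: %s\n", strerror(errno));
    free(huge);
    return 0;
}
```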

The problem has been present since systemd 220 (April 2015); it has already been fixed in the main systemd repository, and the patches are included in distributions (Debian, Ubuntu, Fedora, RHEL, SUSE, Arch). Notably, on systemd release 248 the exploit does not work because of a bug in the code that causes the processing of /proc/self/mountinfo to fail. It is also interesting that a similar situation arose in 2018: while trying to write an exploit for the CVE-2018-14634 vulnerability in the Linux kernel, the Qualys researchers encountered three vulnerabilities in systemd.

Source: opennet.ru
