Root vulnerability in the Linux kernel and denial of service in systemd

Security researchers from Qualys have disclosed details of two vulnerabilities affecting the Linux kernel and the systemd system manager. The kernel vulnerability (CVE-2021-33909) allows a local user to achieve code execution with root rights by manipulating deeply nested directories.

The danger of the vulnerability is aggravated by the fact that the researchers were able to prepare working exploits that function on Ubuntu 20.04/20.10/21.04, Debian 11 and Fedora 34 in the default configuration. It is noted that other distributions have not been tested, but are theoretically also affected by the problem and can be attacked. The full exploit code is promised to be published after the problem has been fixed everywhere; for now only a prototype with limited functionality is available, which causes the system to crash. The problem has been present since July 2014 and affects kernel releases starting from 3.16. The fix for the vulnerability was coordinated with the community and accepted into the kernel on July 19. The major distributions have already produced updates for their kernel packages (Debian, Ubuntu, Fedora, RHEL, SUSE, Arch).

The vulnerability is caused by a failure to check the result of a size_t to int conversion before performing operations in the seq_file code, which creates files from a sequence of records. The missing check can lead to an out-of-bounds write to the buffer when creating, mounting, and deleting a very deeply nested directory structure (path size greater than 1 GB). As a result, an attacker can get the 10-byte string "//deleted" written at an offset of "-2 GB - 10 bytes", pointing to the area immediately preceding the allocated buffer.
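The arithmetic behind that offset, next to the checked conversion that rejects the oversized value, as an added example that is not code from the kernel, from Qualys or from the original article. The function names, the 2 GiB buffer size and the model of a routine that places the string relative to the end of the buffer are assumptions made for illustration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MARKER_LEN 10   /* "//deleted" plus its terminating NUL */

/* Unchecked pattern: a size_t size is passed where an int is expected.
 * An out-of-range conversion is implementation-defined; GCC and Clang
 * wrap it modulo 2^32, so 2 GiB becomes INT_MIN. */
static int unchecked_len(size_t size)
{
    return (int)size;
}

/* Checked pattern: reject any size that an int cannot represent. */
static int checked_len(size_t size, int *out)
{
    if (size > (size_t)INT_MAX)
        return -1;
    *out = (int)size;
    return 0;
}

/* Offset from the buffer start at which a routine that fills the buffer
 * backwards from its end would place a MARKER_LEN-byte suffix
 * (assumed model, see lead-in). */
static int64_t suffix_offset(int buflen)
{
    return (int64_t)buflen - MARKER_LEN;
}

int main(void)
{
    size_t size = (size_t)1 << 31;      /* assumed 2 GiB buffer size */
    int len;

    printf("unchecked: len=%d offset=%lld\n", unchecked_len(size),
           (long long)suffix_offset(unchecked_len(size)));
    if (checked_len(size, &len) != 0)
        printf("checked: size rejected, nothing written\n");
    return 0;
}
```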

The prepared exploit requires 5 GB of memory and 1 million free inodes to work. The exploit works by calling mkdir() to create a hierarchy of about a million subdirectories in order to reach a file path size exceeding 1 GB. This directory is mounted via bind-mount in a separate user namespace, after which the rmdir() function is run to remove it. In parallel, a thread is created that loads a small eBPF program, which is blocked at the stage after the eBPF pseudocode has been verified but before its JIT compilation.

In the unprivileged user ID namespace, the file /proc/self/mountinfo is opened and the long path of the bind-mounted directory is read, which results in the string "//deleted" being written to the area before the start of the buffer. The position for writing the string is chosen so that it overwrites an instruction in the already verified but not yet compiled eBPF program.

Next, at the level of the eBPF program, the uncontrolled out-of-buffer write is turned into a controlled ability to read and write other kernel structures through manipulation of the btf and map_push_elem structures. As a result, the exploit locates the modprobe_path[] buffer in kernel memory and overwrites the "/sbin/modprobe" path in it, which makes it possible to launch any executable file with root rights when request_module() is called, which happens, for example, when a netlink socket is created.

The researchers provide several workarounds that are effective only against a specific exploit and do not eliminate the problem itself. It is recommended to set "/proc/sys/kernel/unprivileged_userns_clone" to 0 to disable mounting directories in a separate user ID namespace, and "/proc/sys/kernel/unprivileged_bpf_disabled" to 1 to disable loading eBPF programs into the kernel.

It is noteworthy that while analyzing an alternative attack that uses the FUSE mechanism instead of bind-mount to mount a large directory, the researchers came across another vulnerability (CVE-2021-33910) affecting the systemd system manager. It turned out that when trying to mount a directory with a path size exceeding 8 MB via FUSE, the control initialization process (PID1) runs out of stack memory and crashes, which puts the system into a "panic" state.

The problem is that systemd tracks and parses the contents of /proc/self/mountinfo and processes each mount point in the unit_name_path_escape() function, which performs a strdupa() operation that places the data on the stack rather than in dynamically allocated memory. Since the maximum stack size is limited via RLIMIT_STACK, processing too large a path to a mount point causes the PID1 process to crash and the system to halt. For an attack, you can use the simplest FUSE module in combination with a deeply nested directory as the mount point, whose path size exceeds 8 MB.
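The stack-versus-heap point above, as an added example that is not systemd's code or its actual fix: a heap copy with an explicit length bound turns an oversized path into a recoverable error. The function names, the 8 MiB stack limit passed in, the 64 KiB reserve and the 4096-byte cap are assumptions, and the long path is constructed sample input.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Risky pattern (comment only, never executed here):
 *     char *copy = strdupa(path);   // alloca-backed, size set by input
 * The copy lives in the caller's stack frame, so an oversized input
 * exhausts the stack and kills the process. */

/* Would a stack copy of len bytes plus NUL stay within stack_limit,
 * leaving `reserve` bytes for frames that are already in use? */
static int fits_on_stack(size_t len, size_t stack_limit, size_t reserve)
{
    return stack_limit > reserve && len < stack_limit - reserve;
}

/* Hardened pattern: heap copy with an explicit upper bound. */
static char *dup_path_bounded(const char *path, size_t max_len)
{
    const char *end = memchr(path, '\0', max_len + 1);
    if (end == NULL) { errno = ENAMETOOLONG; return NULL; }
    size_t len = (size_t)(end - path);
    char *copy = malloc(len + 1);
    if (copy == NULL) return NULL;
    memcpy(copy, path, len + 1);            /* includes the NUL */
    return copy;
}

/* Constructed input: an n-byte absolute path built from "/d" components. */
static char *make_long_path(size_t n)
{
    char *p = malloc(n + 1);
    if (p == NULL) return NULL;
    for (size_t i = 0; i < n; i++) p[i] = (i % 2 == 0) ? '/' : 'd';
    p[n] = '\0';
    return p;
}

int main(void)
{
    size_t limit = (size_t)8 << 20;         /* assumed 8 MiB stack limit */
    char *path = make_long_path((size_t)9 << 20);   /* 9 MiB path */
    if (path == NULL) return 1;
    printf("fits on stack: %d\n",
           fits_on_stack(strlen(path), limit, (size_t)64 << 10));
    char *copy = dup_path_bounded(path, 4096);      /* hypothetical cap */
    printf("bounded copy: %s\n", copy ? "ok" : strerror(errno));
    free(copy);
    free(path);
    return 0;
}
```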

The problem has been present since systemd 220 (April 2015); it has already been fixed in the main systemd repository and in distributions (Debian, Ubuntu, Fedora, RHEL, SUSE, Arch). Notably, in systemd release 248 the exploit does not work because of a bug in the systemd code that causes the processing of /proc/self/mountinfo to fail. It is also interesting that a similar situation arose in 2018: while trying to write an exploit for the CVE-2018-14634 vulnerability in the Linux kernel, Qualys researchers came across three critical vulnerabilities in systemd.

Source: opennet.ru
