Ukuba semngciphekweni (CVE-2021-4204) ichongiwe kwinkqubo ephantsi ye-eBPF, ekuvumela ukuba usebenzise abaphathi ngaphakathi kweLinux kernel kumatshini okhethekileyo onento yokwenza neJIT, evumela umsebenzisi ongenanto yakwenza namalungelo ukuba afezekise ilungelo lokunyuka kwaye enze ikhowudi yabo Inqanaba le-Linux kernel. Ingxaki ibonakala ukususela kwi-Linux kernel 5.8 kwaye ihlala ingalungiswanga (kubandakanywa nokukhululwa kwe-5.16). Ubume bohlaziyo olwenziwayo ukulungisa ingxaki kunikezelo lunokulandelwa kula maphepha: Debian, RHEL, SUSE, Fedora, Ubuntu, Arch. Kuye kwabhengezwa ukuba ukuxhatshazwa okusebenzayo kuye kwadalwa, okucetywayo ukuba kupapashwe ngoJanuwari 18 (abasebenzisi kunye nabaphuhlisi banikwe iveki ukulungisa ubuthathaka).
Ukuba sesichengeni kubangelwa kungqinisiso olungachanekanga lweeprogram ze-eBPF ezithunyelwa ukuba ziphunyezwe. I-subsystem ye-eBPF ibonelela ngemisebenzi encedisayo, ukusetyenziswa okuchanekileyo okungqinwa ngumqinisekisi okhethekileyo. Eminye imisebenzi ifuna ukugqithisa ixabiso le-PTR_TO_MEM njengempikiswano, kwaye ukunqanda ukuphuphuma kwebuffer enokwenzeka, umqinisekisi kufuneka azi ubungakanani benkumbulo ehambelana nempikiswano. Kumsebenzi we-bpf_ringbuf_submit kunye ne-bpf_ringbuf_discard, idatha kubungakanani bememori edlulisiweyo ayizange ixelwe kumqinisekisi, enokusetyenziswa ukubhala ngaphezulu iindawo zememori ngaphaya komda we-buffer xa kusenziwa ikhowudi ye-eBPF eyilwe ngokukodwa.
Ukwenza uhlaselo, umsebenzisi kufuneka akwazi ukulayisha eyakhe inkqubo ye-BPF, kwaye uninzi losasazo lweLinux lwamva nje luvalela esi sixhobo ngokungagqibekanga (kubandakanywa nokufikelela okungekho sikweni kwi-eBPF ngoku kuthintelwe ngokungagqibekanga kwi-kernel ngokwayo, ukuqala ngokukhululwa kwe-5.16). Umzekelo, ukuba sesichengeni kungasetyenziswa kuqwalaselo olungagqibekanga ku-Ubuntu 20.04 LTS, kodwa kwindawo Ubuntu 22.04-dev, Debian 11, openSUSE 15.3, RHEL 8.5, SUSE 15-SP4 kunye neFedora 33 ibonakala kuphela ukuba umlawuli usete. i kernel.unprivileged_bpf_disabled parameter ku 0. Njengomsebenzi wokuthintela ukuba sesichengeni, unokuthintela ukuphunyezwa kweenkqubo ze-BPF ngabasebenzisi abangenanto ngomyalelo βsysctl -w kernel.unprivileged_bpf_disabled=1β.
umthombo: opennet.ru