Vulnerability in the eBPF subsystem that allows bypassing protection against Spectre attacks

A vulnerability has been identified in the Linux kernel (CVE-2021-33624) that allows the eBPF subsystem to be used to bypass protection against Spectre-class vulnerabilities, which make it possible to determine memory contents by creating conditions for the speculative execution of certain operations. A Spectre attack requires a specific sequence of instructions to be present in privileged code, one that leads to speculative execution of instructions. By manipulating the BPF programs passed for execution, it is possible to generate such instructions in eBPF and to leak the contents of kernel memory and of arbitrary areas of physical memory through side channels.

The vulnerability is caused by flaws in the verifier, which is used to detect errors and unacceptable activity in BPF programs. The verifier enumerates the possible code execution paths, but skips branch outcomes that are not permissible from the point of view of the instruction set architecture's semantics. When a BPF program runs, the branch outcomes that the verifier did not take into account can be mispredicted by the processor and executed speculatively. For example, when analyzing a "load" operation, the verifier expects the instruction to use a register holding an address whose value is always within the specified bounds, but an attacker can create conditions under which the processor speculatively attempts the operation with an address that does not meet the verification conditions.

The problem has been present since the release of kernel 4.15 and has been fixed in the form of patches (1, 2, 3, 4). The vulnerability remains unfixed in distributions (Debian, RHEL, Ubuntu, Fedora, SUSE, Arch).

Additionally, there is an article worth noting about the performance impact of the protections against Spectre vulnerabilities. The article summarizes the results of optimizing the rr (Record and Replay) debugger, which was originally created at Mozilla to debug hard-to-reproduce errors in Firefox. Caching the system calls used to check for the existence of directories reduced the run time of the "rr sources" operation for the test project from 3 minutes to 19 seconds.

The author of the optimization decided to check how performance would change after disabling Spectre protection. After booting the system with the "mitigations=off" parameter, the execution time of "rr sources" without the optimization was 2 minutes 5 seconds (1.6 times faster), and with the optimization it was 33 seconds (9% faster). Interestingly, disabling Spectre protection not only reduced code execution time at the kernel level by 1.4 times (from 2m9s to 1m32s), but also halved execution time in user space (from 1m9s to 0m33s), presumably because CPU cache efficiency drops and the TLB is flushed when Spectre protection is enabled.
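As an added example (not code from the article or from the kernel project), the script below triages a host against the conditions named above: a kernel at or after 4.15 and a boot line carrying "mitigations=off". It also reads the `kernel.unprivileged_bpf_disabled` sysctl and the sysfs `spectre_v1` status file, which are kernel interfaces the article does not mention; the `ROOT` argument is a hypothetical parameter that lets the checks run against a constructed directory tree.

```bash
#!/usr/bin/env bash
# Added example (not from the article): triage a host against the conditions the
# article names. ROOT is a hypothetical parameter so the checks can run on a
# constructed tree; an empty ROOT reads the live /proc and /sys.

kernel_in_range() {   # true if release >= 4.15, the first affected kernel per the article
    local major="${1%%.*}" minor="${1#*.}"
    minor="${minor%%[!0-9]*}"          # "10.0-7-amd64" -> "10"
    [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "${minor:-0}" -ge 15 ]; }
}

mitigations_off() {   # true if the boot command line carries the mitigations=off token
    case " $1 " in *" mitigations=off "*) return 0 ;; esac
    return 1
}

assess() {            # prints one finding per line; prints nothing when no condition matches
    local root="$1" rel cmdline bpf v1
    rel=$(cat "$root/proc/sys/kernel/osrelease" 2>/dev/null)
    cmdline=$(cat "$root/proc/cmdline" 2>/dev/null)
    bpf=$(cat "$root/proc/sys/kernel/unprivileged_bpf_disabled" 2>/dev/null)
    v1=$(cat "$root/sys/devices/system/cpu/vulnerabilities/spectre_v1" 2>/dev/null)

    # A version in range is not proof of exposure: the fix ships as verifier patches.
    if [ -n "$rel" ] && kernel_in_range "$rel"; then
        echo "KERNEL: $rel is 4.15 or later; confirm the vendor fix for CVE-2021-33624 is installed"
    fi
    # 0 means unprivileged users may load BPF programs; 1 and 2 restrict loading.
    [ "$bpf" = "0" ] && echo "BPF: unprivileged BPF loading is enabled (unprivileged_bpf_disabled=0)"
    mitigations_off "$cmdline" && echo "BOOT: mitigations=off disables Spectre protections"
    case "$v1" in Vulnerable*) echo "SYSFS: spectre_v1 reports: $v1" ;; esac
    return 0
}

assess "${1:-}"
```

Run it with no argument to inspect the live host; each printed line is a condition to follow up against the distribution's advisory for the CVE.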

Source: opennet.ru
