Ukuba sengozini (CVE-2021-4204) kukhonjwe kusistimu engaphansi ye-eBPF, ekuvumela ukuthi usebenzise izibambi ngaphakathi kwe-Linux kernel emshinini okhethekile we-virtual one-JIT, okuvumela umsebenzisi wasendaweni ongenalo ilungelo ukuthi azuze ukukhushulwa kwelungelo futhi akhiphe amakhodi abo Izinga le-Linux kernel. Inkinga ibilokhu ivela kusukela ku-Linux kernel 5.8 futhi ihlala ingalungisiwe (kuhlanganise nokukhululwa kwe-5.16). Isimo sezibuyekezo ezikhiqizwayo ukuze kulungiswe inkinga ekusatshalalisweni singalandelelwa kulawa makhasi: Debian, RHEL, SUSE, Fedora, Ubuntu, Arch. Kuye kwamenyezelwa ukuthi ukuxhashazwa okusebenzayo kudaliwe, okuhlelwe ukuthi kushicilelwe ngoJanuwari 18 (abasebenzisi nabathuthukisi banikezwe iviki ukulungisa ubungozi).
Ukuba sengozini kubangelwa ukuqinisekiswa okungalungile kwezinhlelo ze-eBPF ezidluliselwa ukuze zisetshenziswe. Isistimu engaphansi ye-eBPF ihlinzeka ngemisebenzi eyisizayo, ukusetshenziswa kwayo okulungile okuqinisekiswa isiqinisekisi esikhethekile. Eminye imisebenzi idinga ukudlula inani le-PTR_TO_MEM njengempikiswano, futhi ukuze kuvinjelwe ukuchichima kwebhafa okungaba khona, isiqinisekisi kufanele sazi usayizi wememori ohlotshaniswa ne-agumenti. Ngomsebenzi we-bpf_ringbuf_submit kanye ne-bpf_ringbuf_discard, idatha yosayizi wememori edlulisiwe ayizange ibikwe kusiqinisekisi, esingasetshenziswa ukubhala phezu kwezindawo zememori ezingaphezu komngcele webhafa lapho kusetshenziswa ikhodi ye-eBPF eklanywe ngokukhethekile.
Ukuze enze ukuhlasela, umsebenzisi kufanele akwazi ukulayisha uhlelo lwakhe lwe-BPF, futhi ukusatshalaliswa kweLinux okuningi kwakamuva kuvimbela leli khono ngokuzenzakalelayo (okuhlanganisa nokufinyelela okungenanjongo ku-eBPF manje sekwenqatshelwe ngokuzenzakalelayo ku-kernel ngokwayo, kusukela ngokukhululwa okungu-5.16). Isibonelo, ubungozi bungasetshenziswa ekucushweni okuzenzakalelayo ku-Ubuntu 20.04 LTS, kodwa ezindaweni Ubuntu 22.04-dev, Debian 11, openSUSE 15.3, RHEL 8.5, SUSE 15-SP4 kanye ne-Fedora 33 kubonakala kuphela uma umlawuli esethiwe. ipharamitha ye-kernel.unprivileged_bpf_disabled kuya ku-0. Njengendlela yokusebenza yokuvimbela ukuba sengozini, unganqanda ukwenziwa kwezinhlelo ze-BPF ngabasebenzisi abangenamalungelo ngomyalo othi βsysctl -w kernel.unprivileged_bpf_disabled=1β.
Source: opennet.ru