Root vulnerability in the Linux kernel and denial of service in systemd

Security researchers from Qualys have disclosed details of two vulnerabilities affecting the Linux kernel and the systemd system manager. The kernel vulnerability (CVE-2021-33909) allows a local user to achieve code execution with root privileges by manipulating deeply nested directories.

The severity of the vulnerability is heightened by the fact that the researchers were able to prepare working exploits that run on Ubuntu 20.04/20.10/21.04, Debian 11 and Fedora 34 in the default configuration. It is noted that other distributions were not tested, but are theoretically also vulnerable and could be attacked. Full exploit code is promised to be published after the problem has been fixed everywhere; for now only a limited-functionality prototype is available, which causes the system to crash. The problem has existed since July 2014 and affects kernel releases starting from 3.16. The fix for the vulnerability was coordinated with the community and accepted into the kernel on July 19. The main distributions have already produced updates to their kernel packages (Debian, Ubuntu, Fedora, RHEL, SUSE, Arch).

The vulnerability is caused by a failure to check the result of converting a size_t to an int before performing operations in the seq_file code, which creates files from a sequence of records. The missing check can lead to an out-of-bounds write to a buffer when creating, mounting and removing a very deeply nested directory structure (path size greater than 1 GB). As a result, an attacker can get the 10-byte string "//deleted" written at an offset of "-2 GB - 10 bytes", pointing to the area immediately preceding the allocated buffer.

The prepared exploit requires 5 GB of memory and one million free inodes to work. The exploit works by calling mkdir() to create a hierarchy of about one million subdirectories in order to obtain a file path size exceeding 1 GB. This directory is bind-mounted in a separate user namespace, after which the rmdir() function is run to remove it. In parallel, a thread is created that loads a small eBPF program, which is blocked at the stage after the eBPF pseudocode has been verified but before its JIT compilation.

In the unprivileged user namespace, the file /proc/self/mountinfo is opened and the long path name of the bind-mounted directory is read, which causes the string "//deleted" to be written to the area before the start of the buffer. The write location is chosen so that it overwrites an instruction in the already-verified but not yet compiled eBPF program.

Next, at the eBPF program level, the uncontrolled out-of-bounds write is converted into a controlled ability to read from and write to other kernel structures by manipulating the btf and map_push_elem structures. As a result, the exploit determines the location of the modprobe_path[] buffer in kernel memory and overwrites the "/sbin/modprobe" path in it, which allows launching any executable file with root privileges upon a request_module() call, which is made, for example, when creating a netlink socket.

The researchers provide several workarounds that are effective only against the specific exploit and do not remove the problem itself. It is recommended to set "/proc/sys/kernel/unprivileged_userns_clone" to 0 to disable mounting directories in a separate user ID namespace, and "/proc/sys/kernel/unprivileged_bpf_disabled" to 1 to disable loading eBPF programs into the kernel.
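A check for the two workarounds above, added here as an example; it is not code from Qualys or opennet, and the function name and the sysctl-root parameter (so it can be run against a constructed directory tree) are my own assumptions:

```shell
#!/bin/sh
# Report whether the two workarounds from the advisory are in effect:
#   kernel.unprivileged_userns_clone = 0   (Debian/Ubuntu-specific sysctl)
#   kernel.unprivileged_bpf_disabled != 0  (1; newer kernels also accept 2 = locked)
# The sysctl root is a parameter (default /proc/sys) so the same function can be
# exercised on a constructed tree; returns 0 only if both knobs are mitigating.
check_sequoia_mitigations() {
    root="${1:-/proc/sys}"
    rc=0

    userns="$root/kernel/unprivileged_userns_clone"
    if [ -r "$userns" ]; then
        v=$(cat "$userns")
        if [ "$v" = "0" ]; then
            echo "unprivileged_userns_clone=0: unprivileged user namespaces disabled (mitigated)"
        else
            echo "unprivileged_userns_clone=$v: unprivileged user namespaces allowed (NOT mitigated)"
            rc=1
        fi
    else
        # Absent on non-Debian kernels; user.max_user_namespaces is the usual knob there.
        echo "unprivileged_userns_clone: sysctl absent on this kernel; cannot assess"
        rc=1
    fi

    bpf="$root/kernel/unprivileged_bpf_disabled"
    if [ -r "$bpf" ]; then
        v=$(cat "$bpf")
        if [ "$v" != "0" ]; then
            echo "unprivileged_bpf_disabled=$v: unprivileged eBPF loading disabled (mitigated)"
        else
            echo "unprivileged_bpf_disabled=0: unprivileged eBPF loading allowed (NOT mitigated)"
            rc=1
        fi
    else
        echo "unprivileged_bpf_disabled: sysctl absent; cannot assess"
        rc=1
    fi

    return "$rc"
}

# Usage: sh check_sequoia.sh --live   (checks the running system's /proc/sys)
if [ "${1:-}" = "--live" ]; then
    check_sequoia_mitigations
fi
```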

It is worth noting that while analyzing an alternative attack that uses the FUSE mechanism instead of a bind mount to mount the large directory, the researchers encountered another vulnerability (CVE-2021-33910) affecting the systemd system manager. It turned out that when attempting to mount a directory with a path size exceeding 8 MB via FUSE, the init control process (PID 1) runs out of stack memory and crashes, putting the system into a "panic" state.

The problem is that systemd tracks and parses the contents of /proc/self/mountinfo and processes each mount point in the unit_name_path_escape() function, which calls strdupa(), placing the data on the stack instead of in dynamically allocated memory. Since the maximum stack size is limited by RLIMIT_STACK, processing an overly large path to a mount point causes the PID 1 process to crash and halts the system. For an attack, a very simple FUSE module can be used in combination with a nested directory whose path size exceeds 8 MB as the mount point.

The problem has existed since systemd 220 (April 2015); it has already been fixed in the main systemd repository and in the distributions (Debian, Ubuntu, Fedora, RHEL, SUSE, Arch). Notably, in the systemd 248 release the exploit does not work because of a bug in the systemd code that breaks the parsing of /proc/self/mountinfo. It is also interesting that a similar situation arose in 2018, when, while trying to write an exploit for the CVE-2018-14634 vulnerability in the Linux kernel, Qualys researchers found three vulnerabilities in systemd.

Source: opennet.ru