Vulnerability in OverlayFS allowing privilege escalation

A vulnerability (CVE-2023-0386) has been identified in the Linux kernel's implementation of the OverlayFS file system. It can be used to gain root access on systems that have the FUSE subsystem installed and that allow OverlayFS partitions to be mounted by an unprivileged user (possible since the Linux 5.11 kernel, with the inclusion of unprivileged user namespaces). The problem is fixed in the 6.2 kernel branch. The publication of package updates in distributions can be tracked on the following pages: Debian, Ubuntu, Gentoo, RHEL, SUSE, Fedora, Arch.

The attack is carried out by copying files with the setgid/setuid flags from a partition mounted in nosuid mode to an OverlayFS partition that has a layer associated with a partition that allows suid files to be executed. The vulnerability is similar to CVE-2021-3847, identified in 2021, but has lower exploitation requirements. The old problem required manipulation of xattrs, which is restricted when user namespaces are used, whereas the new problem uses the setgid/setuid bits, which are not specifically handled in user namespaces.

Attack algorithm:

  • The FUSE subsystem is used to mount a file system containing a root-owned executable file with the setuid/setgid flags that is writable by all users. When mounting, FUSE sets the "nosuid" mode.
  • The user and mount namespaces are unshared.
  • OverlayFS is mounted with the previously created FUSE file system as the lower layer and a writable directory as the upper layer. The upper-layer directory must reside on a file system that is not mounted with the "nosuid" flag.
  • The touch utility changes the modification time of the suid file on the FUSE partition, which causes it to be copied to the upper layer of OverlayFS.
  • When copying, the kernel does not clear the setgid/setuid flags, so the file ends up on a partition that allows setgid/setuid processing.
  • To obtain root privileges, it is enough to run the file with the setgid/setuid flags from the directory attached to the upper layer of OverlayFS.
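A defensive check for the mount layout described in the steps above, as an added example that is not part of the original article: it reads a mount table in /proc/<pid>/mounts format and reports OverlayFS mounts whose lower layer sits on a nosuid file system while the upper layer does not. The sample table, its paths and the function names are constructed for illustration.

```python
# Constructed sample in /proc/<pid>/mounts format (not captured from a real host).
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
fusefs /home/u/fuse fuse.fusefs rw,nosuid,nodev,user_id=1000,group_id=1000 0 0
overlay /home/u/merged overlay rw,lowerdir=/home/u/fuse,upperdir=/home/u/upper,workdir=/home/u/work 0 0
overlay /var/c/merged overlay rw,lowerdir=/var/c/l1:/var/c/l2,upperdir=/var/c/up,workdir=/var/c/wk 0 0
"""

def parse_mounts(text):
    """Return [(mountpoint, fstype, {option: value})] from mounts-format text."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        # "key=value" and bare flags such as "nosuid" both become dict keys.
        opts = dict(item.partition("=")[::2] for item in fields[3].split(","))
        entries.append((fields[1], fields[2], opts))
    return entries

def covering_mount(path, entries):
    """Longest-prefix match: the mount a path lives on (later entries shadow earlier)."""
    best = None
    for entry in entries:
        mp = entry[0]
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) >= len(best[0]):
                best = entry
    return best

def risky_overlays(text):
    """Overlay mounts whose lower layer is nosuid while the upper layer is not."""
    entries = parse_mounts(text)
    findings = []
    for mp, fstype, opts in entries:
        if fstype != "overlay" or "upperdir" not in opts:
            continue
        upper = covering_mount(opts["upperdir"], entries)
        if upper is None or "nosuid" in upper[2]:
            continue  # suid bits on the upper layer would not be honoured
        for lower in opts.get("lowerdir", "").split(":"):
            src = covering_mount(lower, entries)
            if src and "nosuid" in src[2]:
                findings.append((mp, lower, src[1], opts["upperdir"]))
    return findings

if __name__ == "__main__":
    for finding in risky_overlays(SAMPLE_MOUNTS):
        print("overlay %s: lower %s (%s, nosuid) -> upper %s" % finding)
```

Because the steps run in an unshared mount namespace, the overlay does not appear in the host's /proc/mounts; feed the function the /proc/<pid>/mounts of the processes being inspected. A finding marks the layout the article describes and is a reason to check the kernel patch level, not proof of exploitation.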

In addition, researchers from the Google Project Zero team disclosed information about three vulnerabilities that were fixed in the main Linux 5.15 kernel branch but were not backported to the kernel packages from RHEL 8.x/9.x and CentOS Stream 9.

  • CVE-2023-1252 – Access to a previously freed memory area in the ovl_aio_req structure when several operations are performed simultaneously on an OverlayFS deployed on top of Ext4. The vulnerability could allow privilege escalation.
  • CVE-2023-0590 – Access to a previously freed memory area in the qdisc_graft() function. Exploitation is expected to be limited to a crash.
  • CVE-2023-1249 – Access to a previously freed memory area in the coredump writing code, caused by a missing mmap_lock call in file_files_note. Exploitation is expected to be limited to a crash.

Source: opennet.ru
