Vulnerability in the eBPF subsystem of the Linux kernel

A vulnerability (CVE-2021-29154) has been identified in the eBPF subsystem, which makes it possible to run handlers for tracing, analyzing the operation of subsystems and managing traffic, executed inside the Linux kernel in a special virtual machine with JIT. The vulnerability allows a local user to achieve execution of their code at the kernel level. The problem is present up to and including release 5.11.12 and has not yet been fixed in distributions (Debian, Ubuntu, RHEL, Fedora, SUSE, Arch). The fix is available as a patch.

According to the researchers who identified the vulnerability, they were able to develop a working exploit prototype for 32- and 64-bit x86 systems that can be used by an unprivileged user. However, Red Hat notes that the severity of the problem depends on whether the eBPF system call is accessible to the user. For example, on RHEL and most other Linux distributions in the default configuration, the vulnerability can be exploited if BPF JIT is enabled and the user has CAP_SYS_ADMIN rights. As a workaround, it is recommended to disable BPF JIT with the command: echo 0 > /proc/sys/net/core/bpf_jit_enable
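A read-only check of the conditions named above (version boundary, JIT state, whether bpf() is open to unprivileged users), as an added example that is not part of the original article. The `unprivileged_bpf_disabled` sysctl and the result labels are additions here, and the version comparison assumes mainline numbering, so it does not detect distribution backports.

```shell
#!/bin/sh
# Added example: exposure check for CVE-2021-29154 using the article's conditions.
# Assumptions: mainline version numbering (distribution backports are not
# detected); the result labels are made up for this example.

LAST_AFFECTED=5.11.12   # "up to and including 5.11.12", per the article

# Turn "5.11.12-arch1-1" into a comparable integer (5011012).
ver_key() {
    v=${1%%[!0-9.]*}    # drop suffixes such as "-generic"
    IFS=. read -r maj min pat rest <<EOF
$v
EOF
    echo $(( ${maj:-0} * 1000000 + ${min:-0} * 1000 + ${pat:-0} ))
}

# Print the file's value, or a fallback if the sysctl is absent or unreadable.
read_sysctl() {
    if [ -r "$1" ]; then cat "$1"; else echo "$2"; fi
}

# assess <kernel-version> <bpf_jit_enable> <unprivileged_bpf_disabled>
assess() {
    if [ "$(ver_key "$1")" -gt "$(ver_key "$LAST_AFFECTED")" ]; then
        echo fixed-upstream
    elif [ "$2" = 0 ]; then
        echo mitigated-jit-off          # the article's workaround is in place
    elif [ "$3" != 0 ]; then
        echo needs-cap-sys-admin        # bpf() closed to unprivileged users
    else
        echo exposed-unprivileged       # JIT on and bpf() open to any local user
    fi
}

# Unknown values fall back to the least favourable reading.
assess "$(uname -r)" \
    "$(read_sysctl /proc/sys/net/core/bpf_jit_enable 1)" \
    "$(read_sysctl /proc/sys/kernel/unprivileged_bpf_disabled 0)"
```

A `fixed-upstream` or `exposed-unprivileged` result on a distribution kernel should be confirmed against the vendor's advisory, since the package version alone does not show whether the patch was applied.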

The problem is caused by an error in calculating the offset of branch instructions during machine code generation by the JIT compiler. Specifically, when generating branch instructions, the compiler does not take into account that the offset may change after the optimization stage. This flaw can be used to generate anomalous machine code and execute it at the kernel level.

It is worth noting that this is not the only recent vulnerability in the eBPF subsystem. At the end of March, two vulnerabilities were identified in the kernel (CVE-2020-27170, CVE-2020-27171) that make it possible to use eBPF to bypass protection against Spectre-class vulnerabilities, allowing the contents of kernel memory to be determined by creating conditions for speculative execution of certain operations. A Spectre attack requires the presence of a specific sequence of instructions in privileged code that leads to speculative execution of instructions. In eBPF, several ways were found to generate such instructions by manipulating the BPF programs passed for execution.

The CVE-2020-27170 vulnerability is caused by pointer manipulation in the BPF verifier, which causes speculative operations to access an area outside the buffer boundaries. The CVE-2020-27171 vulnerability is due to an integer underflow error when working with pointers, leading to speculative access to data outside the buffer. These problems have already been fixed in kernel releases 5.11.8, 5.10.25, 5.4.107, 4.19.182 and 4.14.227, and the fixes are included in kernel updates for most Linux distributions. The researchers have prepared a prototype exploit that allows an unprivileged user to extract data from kernel memory.

Source: opennet.ru