Umngcipheko omtsha wafunyanwa kwiNkqubo

Ubungozi bufunyenwe kwisistim esele ichazwe kuyo (I-CVE-2019-6454), Intoni ivumela ukuba inkqubo yolawulo yokuqalisa (PID1) ibhloke xa uthumela umyalezo owenziwe ngokukodwa kumsebenzisi ongenalungelo elilodwa kwi-D-Bus.

Los Abaphuhlisi beRed Hat nayo ayikhupheli ngaphandle ukubanakho kokusebenzisa ubungozi ekucwangciseni ukwenziwa kwekhowudi kunye namalungelo engcambu., kodwa ithuba lokugqibela lohlaselo alikagqitywa.

Malunga nenkqubo

Kulungiselelwe abo bangaziyo iSystemd Ndingakuxelela lonto Le yinkqubo yokuqalisa ye-linux kunye nomphathi wenkonzo kubandakanya izinto ezinje ngokufuna ukuqala kwedemon, ukuqala ngokuzenzekelayo kunye nokugcinwa kwendawo, inkxaso yenkxaso, kunye nenkqubo yokulandela umkhondo usebenzisa amaqela olawulo lweLinux.

Systemd ibonelela ngedemon yobhaliso kunye nezinye izixhobo kunye nezinto eziluncedo ekuncedeni kwimisebenzi yolawulo yenkqubo eqhelekileyo. U-Lennart Poettering kunye no-Kay Sievers babhale i-SystemD, bephefumlelwe yi-MacOS eyasungulwa kunye ne-Upstart, ngeenjongo zokudala inkqubo yala maxesha kunye neguqukayo.

Ngokukodwa, isistim ibonelela ngobuchule bokuthelekisa kunye nokuxhomekeka kokulawulwa kwenkonzo, ukuvumela iinkonzo ukuba ziqale ngokudibeneyo kwaye zikhokelele kumaxesha okuqalisa ngokukhawuleza. Ezi zinto zimbini zazikho kwi-Upstart, kodwa zaphuculwa yinkqubo.

Inkqubo yinkqubo emiselweyo yokuqalisa ngokusasazwa kweLinux, kodwa ibuyela umva iyahambelana neskripthi sokuqalisa seSysV.

I-SysVinit yinkqubo yokuqalisa eyandulela inkqubo kwaye isebenzisa indlela elula yokwenza inkonzo. Inkqubo ayilawuli kuphela ukuqaliswa kwenkqubo, kodwa ikwabonelela ngezinye iindlela zoncedo ezaziwayo ezinje ngecron kunye syslog.

Malunga nenkqubo entsha yokuba sesichengeni

Ngokusebenzisa ubungakanani bomyalezo othunyelwe nge-D-Bus, Umhlaseli unokuhambisa isikhombisi ngaphaya kwemida yenkumbulo eyabelwe isitaki, ngokudlula kukhuseleko lwe "stack-iphepha lokugcina", esekwe endaweni yekhasi lememori emaphethelweni abiza ukungafani (iphepha elingalunganga).

Uhlaselo oluyimpumelelo luboniswa ku-Ubuntu 18.10 nge-systemd 239 nakwi-CentOS 7.6 ene-systemd 219.

Njengokusebenza, ukudityaniswa kunokusetyenziswa kwi-GCC kunye nokukhetha "-fstack-clash-protection-protection", esetyenziswa ngokungagqibekanga kwi-Fedora 28 ne-29.

Kufuneka iqatshelwe ukuba kwi-2014 umbhali wethala leencwadi le-MUSL walatha phakathi kweengxaki eziphambili zenkqubo yokunyuka kwamaxabiso kwi-PID1 ephetheyo kwaye wabuza ukuba kungenzeka na ukumiliselwa kwe-PID1 kwinqanaba lomlawuli we-API yoQhagamshelo kwiBhasi, kuba sisixhobo esikhulu uhlaselo kwaye kunokuchaphazela kakubi ukuthembeka kwenkqubo yonke

Ngokomphandi wezokhuseleko ngubani ityhile ubungozi, utshintsho lwesikhombisi sinokwenzeka kuphela kumaphepha ememori angasetyenziswanga (engabelwe), engavumeli ukucwangciswa kokuphunyezwa kwekhowudi kwimeko yenkqubo ye-PID1, kodwa ivumela umhlaseli ukuba aqalise isitshixo se-PID1 ngotshintsho olulandelayo lwe-kernel ye-Linux ukuya kwimeko yokuphakuzela (kwimeko yomlawuli we-PID 1 ukusilela, yonke inkqubo ixhonyiwe).

Kwi-systemd, isiphatho somqondiso sifakelwe esizama ukubamba iimpazamo zenkqubo ye-PID1 (isahlulo secala) kwaye siqale iqokobhe ukuze silulame.

Kodwa kuba iphepha leememori elingafakwanga (elingabelweyo) libizwa ngexesha lohlaselo, i-kernel ayinakho ukubiza lo mlawuli ophetheyo kwaye iphelise inkqubo nge-PID 1, ethi yona yenzeke ayinakwenzeka ukuba iqhubeke nokusebenza kwaye ingene kwimeko yoloyiko, ke Inkqubo yokuqalisa kwakhona iyafuneka.

Sele isisombululo sengxaki

Njengayo nayiphi na ingxaki yezokhuseleko esele ichaziwe nengxelo, ukupapashwa kwayo akunakwenziwa kude kube kusonjululwe ingxaki kwaye Uhlaziyo lwepatch yokuchaphazeleka kwe-SUSE / openSUSE, iFedora sele ikhutshiwe, ikwenzelwe Ubuntu kunye nenxalenye yeDebian (Yolula iDebian kuphela).
Nangona ingxaki ihlala ingachanekanga kwi-RHEL.