如何修補和保護 Linux 內核堆棧衝突漏洞 CVE-2017-1000364

Qualys 研究實驗室在 GNU C Library（CVE-2017-1000366）的動態鏈接器中發現了許多問題，它們通過與 Linux 內核內的堆棧衝突來允許本地特權升級。這個 bug 影響到了 i386 和 amd64 上的 Linux、OpenBSD、NetBSD、FreeBSD 和 Solaris。攻擊者可以利用它來破壞內存數據並執行任意代碼。

什麼是 CVE-2017-1000364 bug？

來自 RHN：

在用戶空間二進位文件的堆棧中分配內存的方式發現了一個缺陷。如果堆（或不同的內存區域）和堆棧內存區域彼此相鄰，則攻擊者可以使用此缺陷跳過堆棧保護區域，從而導致進程堆棧或相鄰內存區域的受控內存損壞，從而增加其系統許可權。有一個在內核中減輕這個漏洞的方法，將堆棧保護區域大小從一頁增加到 1 MiB，從而使成功利用這個功能變得困難。

據原研究文章：

計算機上運行的每個程序都使用一個稱為堆棧的特殊內存區域。這個內存區域是特別的，因為當程序需要更多的堆棧內存時，它會自動增長。但是，如果它增長太多，並且與另一個內存區域太接近，程序可能會將堆棧與其他內存區域混淆。攻擊者可以利用這種混亂來覆蓋其他內存區域的堆棧，或者反過來。

受到影響的 Linux 發行版

1. Red Hat Enterprise Linux Server 5.x
2. Red Hat Enterprise Linux Server 6.x
3. Red Hat Enterprise Linux Server 7.x
4. CentOS Linux Server 5.x
5. CentOS Linux Server 6.x
6. CentOS Linux Server 7.x
7. Oracle Enterprise Linux Server 5.x
8. Oracle Enterprise Linux Server 6.x
9. Oracle Enterprise Linux Server 7.x
10. Ubuntu 17.10
11. Ubuntu 17.04
12. Ubuntu 16.10
13. Ubuntu 16.04 LTS
14. Ubuntu 12.04 ESM (Precise Pangolin)
15. Debian 9 stretch
16. Debian 8 jessie
17. Debian 7 wheezy
18. Debian unstable
19. SUSE Linux Enterprise Desktop 12 SP2
20. SUSE Linux Enterprise High Availability 12 SP2
21. SUSE Linux Enterprise Live Patching 12
22. SUSE Linux Enterprise Module for Public Cloud 12
23. SUSE Linux Enterprise Build System Kit 12 SP2
24. SUSE Openstack Cloud Magnum Orchestration 7
25. SUSE Linux Enterprise Server 11 SP3-LTSS
26. SUSE Linux Enterprise Server 11 SP4
27. SUSE Linux Enterprise Server 12 SP1-LTSS
28. SUSE Linux Enterprise Server 12 SP2
29. SUSE Linux Enterprise Server for Raspberry Pi 12 SP2

我需要重啟我的電腦么？

是的，由於大多數服務依賴於 GNU C Library 的動態連接器，並且內核自身需要在內存中重新載入。

我該如何在 Linux 中修復 CVE-2017-1000364？

根據你的 Linux 發行版來輸入命令。你需要重啟電腦。在應用補丁之前，記下你當前內核的版本：

$ uname -a
$ uname -mrs

示例輸出：

Linux 4.4.0-78-generic x86_64

Debian 或者 Ubuntu Linux

輸入下面的 apt 命令 / apt-get 命令來應用更新：

$ sudo apt-get update && sudo apt-get upgrade && sudo apt-get dist-upgrade

示例輸出：

Reading package lists... Done
Building dependency tree       
Reading state information... Done
Calculating upgrade... Done
The following packages will be upgraded:
  libc-bin libc-dev-bin libc-l10n libc6 libc6-dev libc6-i386 linux-compiler-gcc-6-x86 linux-headers-4.9.0-3-amd64 linux-headers-4.9.0-3-common linux-image-4.9.0-3-amd64
  linux-kbuild-4.9 linux-libc-dev locales multiarch-support
14 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B/62.0 MB of archives.
After this operation, 4,096 B of additional disk space will be used.
Do you want to continue? [Y/n] y
Reading changelogs... Done
Preconfiguring packages ...
(Reading database ... 115123 files and directories currently installed.)
Preparing to unpack .../libc6-i386_2.24-11+deb9u1_amd64.deb ...
Unpacking libc6-i386 (2.24-11+deb9u1) over (2.24-11) ...
Preparing to unpack .../libc6-dev_2.24-11+deb9u1_amd64.deb ...
Unpacking libc6-dev:amd64 (2.24-11+deb9u1) over (2.24-11) ...
Preparing to unpack .../libc-dev-bin_2.24-11+deb9u1_amd64.deb ...
Unpacking libc-dev-bin (2.24-11+deb9u1) over (2.24-11) ...
Preparing to unpack .../linux-libc-dev_4.9.30-2+deb9u1_amd64.deb ...
Unpacking linux-libc-dev:amd64 (4.9.30-2+deb9u1) over (4.9.30-2) ...
Preparing to unpack .../libc6_2.24-11+deb9u1_amd64.deb ...
Unpacking libc6:amd64 (2.24-11+deb9u1) over (2.24-11) ...
Setting up libc6:amd64 (2.24-11+deb9u1) ...
(Reading database ... 115123 files and directories currently installed.)
Preparing to unpack .../libc-bin_2.24-11+deb9u1_amd64.deb ...
Unpacking libc-bin (2.24-11+deb9u1) over (2.24-11) ...
Setting up libc-bin (2.24-11+deb9u1) ...
(Reading database ... 115123 files and directories currently installed.)
Preparing to unpack .../multiarch-support_2.24-11+deb9u1_amd64.deb ...
Unpacking multiarch-support (2.24-11+deb9u1) over (2.24-11) ...
Setting up multiarch-support (2.24-11+deb9u1) ...
(Reading database ... 115123 files and directories currently installed.)
Preparing to unpack .../0-libc-l10n_2.24-11+deb9u1_all.deb ...
Unpacking libc-l10n (2.24-11+deb9u1) over (2.24-11) ...
Preparing to unpack .../1-locales_2.24-11+deb9u1_all.deb ...
Unpacking locales (2.24-11+deb9u1) over (2.24-11) ...
Preparing to unpack .../2-linux-compiler-gcc-6-x86_4.9.30-2+deb9u1_amd64.deb ...
Unpacking linux-compiler-gcc-6-x86 (4.9.30-2+deb9u1) over (4.9.30-2) ...
Preparing to unpack .../3-linux-headers-4.9.0-3-amd64_4.9.30-2+deb9u1_amd64.deb ...
Unpacking linux-headers-4.9.0-3-amd64 (4.9.30-2+deb9u1) over (4.9.30-2) ...
Preparing to unpack .../4-linux-headers-4.9.0-3-common_4.9.30-2+deb9u1_all.deb ...
Unpacking linux-headers-4.9.0-3-common (4.9.30-2+deb9u1) over (4.9.30-2) ...
Preparing to unpack .../5-linux-kbuild-4.9_4.9.30-2+deb9u1_amd64.deb ...
Unpacking linux-kbuild-4.9 (4.9.30-2+deb9u1) over (4.9.30-2) ...
Preparing to unpack .../6-linux-image-4.9.0-3-amd64_4.9.30-2+deb9u1_amd64.deb ...
Unpacking linux-image-4.9.0-3-amd64 (4.9.30-2+deb9u1) over (4.9.30-2) ...
Setting up linux-libc-dev:amd64 (4.9.30-2+deb9u1) ...
Setting up linux-headers-4.9.0-3-common (4.9.30-2+deb9u1) ...
Setting up libc6-i386 (2.24-11+deb9u1) ...
Setting up linux-compiler-gcc-6-x86 (4.9.30-2+deb9u1) ...
Setting up linux-kbuild-4.9 (4.9.30-2+deb9u1) ...
Setting up libc-l10n (2.24-11+deb9u1) ...
Processing triggers for man-db (2.7.6.1-2) ...
Setting up libc-dev-bin (2.24-11+deb9u1) ...
Setting up linux-image-4.9.0-3-amd64 (4.9.30-2+deb9u1) ...
/etc/kernel/postinst.d/initramfs-tools:
update-initramfs: Generating /boot/initrd.img-4.9.0-3-amd64
cryptsetup: WARNING: failed to detect canonical device of /dev/md0
cryptsetup: WARNING: could not determine root device from /etc/fstab
W: initramfs-tools configuration sets RESUME=UUID=054b217a-306b-4c18-b0bf-0ed85af6c6e1
W: but no matching swap device is available.
I: The initramfs will attempt to resume from /dev/md1p1
I: (UUID=bf72f3d4-3be4-4f68-8aae-4edfe5431670)
I: Set the RESUME variable to override this.
/etc/kernel/postinst.d/zz-update-grub:
Searching for GRUB installation directory ... found: /boot/grub
Searching for default file ... found: /boot/grub/default
Testing for an existing GRUB menu.lst file ... found: /boot/grub/menu.lst
Searching for splash image ... none found, skipping ...
Found kernel: /boot/vmlinuz-4.9.0-3-amd64
Found kernel: /boot/vmlinuz-3.16.0-4-amd64
Updating /boot/grub/menu.lst ... done

Setting up libc6-dev:amd64 (2.24-11+deb9u1) ...
Setting up locales (2.24-11+deb9u1) ...
Generating locales (this might take a while)...
  en_IN.UTF-8... done
Generation complete.
Setting up linux-headers-4.9.0-3-amd64 (4.9.30-2+deb9u1) ...
Processing triggers for libc-bin (2.24-11+deb9u1) ...

使用 reboot 命令重啟桌面/伺服器：

$ sudo reboot

Oracle/RHEL/CentOS/Scientific Linux

輸入下面的 yum 命令：

$ sudo yum update
$ sudo reboot

Fedora Linux

輸入下面的 dnf 命令：

$ sudo dnf update
$ sudo reboot

Suse Enterprise Linux 或者 Opensuse Linux

輸入下面的 zypper 命令：

$ sudo zypper patch
$ sudo reboot

SUSE OpenStack Cloud 6

$ sudo zypper in -t patch SUSE-OpenStack-Cloud-6-2017-996=1
$ sudo reboot

SUSE Linux Enterprise Server for SAP 12-SP1

$ sudo zypper in -t patch SUSE-SLE-SAP-12-SP1-2017-996=1
$ sudo reboot

SUSE Linux Enterprise Server 12-SP1-LTSS

$ sudo zypper in -t patch SUSE-SLE-SERVER-12-SP1-2017-996=1
$ sudo reboot

SUSE Linux Enterprise Module for Public Cloud 12

$ sudo zypper in -t patch SUSE-SLE-Module-Public-Cloud-12-2017-996=1
$ sudo reboot

驗證

你需要確認你的版本號在 reboot 命令之後改變了。

$ uname -a
$ uname -r
$ uname -mrs

示例輸出：

Linux 4.4.0-81-generic x86_64

給 OpenBSD 用戶的注意事項

見此頁獲取更多信息。

給 Oracle Solaris 的注意事項

見此頁獲取更多信息。

參考

• 堆棧衝突

作者簡介:

Vivek Gite

作者是 nixCraft 的創始人，對於 Linux 操作系統/Unix shell腳本有經驗豐富的系統管理員和培訓師。他曾與全球客戶及各行各業，包括 IT、教育、國防和空間研究以及非營利部門合作。在 Twitter、Facebook、Google + 上關注他。

via: https://www.cyberciti.biz/faq/howto-patch-linux-kernel-stack-clash-vulnerability-cve-2017-1000364/

作者：Vivek Gite 譯者：geekpi 校對：wxy

本文由 LCTT 原創編譯，Linux中國 榮譽推出

本文轉載來自 Linux 中國: https://github.com/Linux-CN/archive