{"id":4753,"date":"2026-05-13T00:03:19","date_gmt":"2026-05-12T15:03:19","guid":{"rendered":"https:\/\/blog.id774.net\/entry\/?p=4753"},"modified":"2026-05-12T01:20:58","modified_gmt":"2026-05-11T16:20:58","slug":"dirty-frag-%e3%81%8c%e5%bc%b7%e5%8c%96%e3%81%97%e3%81%9f%e4%b8%8d%e5%a4%89%e5%8e%9f%e7%90%86","status":"publish","type":"post","link":"https:\/\/blog.id774.net\/entry\/2026\/05\/13\/4753\/","title":{"rendered":"Dirty Frag \u304c\u5f37\u5316\u3057\u305f\u4e0d\u5909\u539f\u7406"},"content":{"rendered":"

Copy Fail \u306b\u3064\u3044\u3066\u306f\u65e2\u7a3f\u3067\u3001Linux \u30ab\u30fc\u30cd\u30eb\u306e\u6697\u53f7 API\u3001AF_ALG\u3001algif_aead\u3001AEAD\u3001splice\u3001page cache\u3001scatterlist\u3001setuid root \u30d0\u30a4\u30ca\u30ea\u304c\u7d50\u5408\u3057\u3001\u672c\u6765\u8aad\u307f\u53d6\u308a\u5c02\u7528\u3067\u3042\u308b\u306f\u305a\u306e page cache \u304c\u5b9f\u884c\u6642\u306b\u6c5a\u67d3\u3055\u308c\u308b\u69cb\u9020\u3068\u3057\u3066\u6574\u7406\u3057\u305f[1]<\/a>\u3002\u305d\u306e\u8a18\u4e8b\u306f\u3001CVE-2026-31431 \u306e\u500b\u5225\u89e3\u8aac\u3067\u3042\u308b\u3068\u540c\u6642\u306b\u3001\u30d5\u30a1\u30a4\u30eb\u30b7\u30b9\u30c6\u30e0\u4e0a\u306e\u6a29\u9650\u3001\u30ab\u30fc\u30cd\u30eb\u5185\u90e8\u306e page \u53c2\u7167\u3001\u5b9f\u884c\u6642\u306b\u8aad\u307e\u308c\u308b\u610f\u5473\u304c\u5fc5\u305a\u3057\u3082\u540c\u3058\u3067\u306f\u306a\u3044\u3053\u3068\u3092\u793a\u3059\u8a18\u4e8b\u3067\u3082\u3042\u3063\u305f\u3002\u3064\u307e\u308a\u3001Copy Fail \u306e\u4e2d\u5fc3\u306f\u3001\u5358\u306b algif_aead \u304c\u5371\u967a\u3067\u3042\u308b\u3068\u3044\u3046\u8a71\u3067\u306f\u306a\u304f\u3001\u8aad\u307f\u53d6\u308a\u5c02\u7528\u7531\u6765\u306e file-backed page \u304c\u3001\u5225\u30b5\u30d6\u30b7\u30b9\u30c6\u30e0\u3078 copy \u3055\u308c\u305a\u306b\u6e21\u3055\u308c\u3001\u5f8c\u6bb5\u3067 writable destination \u3068\u3057\u3066\u6271\u308f\u308c\u5f97\u308b\u3068\u3044\u3046\u69cb\u9020\u306b\u3042\u3063\u305f\u3002<\/p>\n

Dirty Frag \u306f\u3001\u3053\u306e\u524d\u7a3f\u3092\u5426\u5b9a\u3059\u308b\u4e8b\u4f8b\u3067\u306f\u306a\u3044\u3002\u3080\u3057\u308d\u3001Copy Fail \u3067\u898b\u3048\u305f\u6559\u8a13\u3092\u3001\u500b\u5225\u30e2\u30b8\u30e5\u30fc\u30eb\u306e\u8a71\u304b\u3089\u30ab\u30fc\u30cd\u30eb\u8a2d\u8a08\u4e0a\u306e\u4e0d\u5909\u539f\u7406\u3078\u5f15\u304d\u4e0a\u3052\u308b\u4e8b\u4f8b\u3067\u3042\u308b\u3002V4bel \u306e\u516c\u958b\u30ea\u30dd\u30b8\u30c8\u30ea\u3068 write-up \u306f\u3001Dirty Frag \u3092 xfrm-ESP Page-Cache Write \u3068 RxRPC Page-Cache Write \u306e\u9023\u9396\u3068\u3057\u3066\u8aac\u660e\u3057\u3066\u3044\u308b[2]<\/a>[3]<\/a>\u3002Microsoft \u3082\u3001Dirty Frag \u3092 Linux \u30ab\u30fc\u30cd\u30eb\u306e networking and memory-fragment handling behavior \u3092\u60aa\u7528\u3059\u308b post-compromise risk \u306e\u62e1\u5927\u3068\u3057\u3066\u4f4d\u7f6e\u3065\u3051\u3066\u3044\u308b[4]<\/a>\u3002\u3053\u306e\u7bc4\u56f2\u3060\u3051\u3092\u898b\u308c\u3070\u3001Dirty Frag \u306f Copy Fail \u3068\u306f\u5225\u306e CVE \u7fa4\u3067\u3042\u308a\u3001\u5165\u53e3\u3082\u3001\u51e6\u7406\u9818\u57df\u3082\u3001\u66ab\u5b9a mitigation \u3082\u7570\u306a\u308b\u3002<\/p>\n

\u3057\u304b\u3057\u3001\u5165\u53e3\u304c\u9055\u3046\u3053\u3068\u306f\u3001\u6559\u8a13\u304c\u5225\u7269\u3067\u3042\u308b\u3053\u3068\u3092\u610f\u5473\u3057\u306a\u3044\u3002Copy Fail \u3067\u306f AF_ALG\u3001algif_aead\u3001scatterlist \u304c\u554f\u984c\u306e\u5165\u53e3\u306b\u306a\u3063\u305f\u3002Dirty Frag \u3067\u306f xfrm-ESP\u3001RxRPC\u3001skb frag\u3001shared frag \u304c\u554f\u984c\u306e\u5165\u53e3\u306b\u306a\u308b\u3002\u500b\u5225\u540d\u306f\u9055\u3046\u3002\u3060\u304c\u3001\u8aad\u307f\u53d6\u308a\u5c02\u7528\u7531\u6765\u306e page cache \u304c\u3001copy \u3055\u308c\u305a\u306b\u5225\u306e\u51e6\u7406\u7d4c\u8def\u3078\u6e21\u3055\u308c\u3001\u5f8c\u6bb5\u3067 in-place \u306b\u66f8\u304d\u63db\u3048\u3089\u308c\u308b\u53ef\u80fd\u6027\u304c\u3042\u308b\u3068\u3044\u3046\u62bd\u8c61\u69cb\u9020\u306f\u5171\u901a\u3057\u3066\u3044\u308b\u3002\u3057\u305f\u304c\u3063\u3066\u3001Dirty Frag \u3092\u8aad\u3080\u3068\u304d\u306b\u5fc5\u8981\u306a\u306e\u306f\u3001\u3069\u306e\u30e2\u30b8\u30e5\u30fc\u30eb\u304c\u5371\u967a\u304b\u3092\u6697\u8a18\u3059\u308b\u3053\u3068\u3067\u306f\u306a\u304f\u3001\u3069\u306e\u51e6\u7406\u5883\u754c\u3067 page \u306e\u7531\u6765\u3001\u5171\u6709\u6027\u3001\u66f8\u304d\u8fbc\u307f\u53ef\u5426\u3001\u5165\u529b\u3068\u51fa\u529b\u306e\u533a\u5225\u304c\u5931\u308f\u308c\u308b\u304b\u3092\u898b\u308b\u3053\u3068\u3067\u3042\u308b\u3002<\/p>\n\n\n\n\n\n\n\n\n\n
\u89b3\u70b9<\/th>\nCopy Fail<\/th>\nDirty Frag<\/th>\n\u5c0e\u5165\u3067\u78ba\u8a8d\u3059\u3079\u304d\u3053\u3068<\/th>\n<\/tr>\n<\/thead>\n
\u5165\u53e3<\/td>\nAF_ALG\u3001algif_aead\u3001AEAD\u3001scatterlist \u304c\u4e2d\u5fc3\u306b\u306a\u308b\u3002<\/td>\nxfrm-ESP\u3001RxRPC\u3001skb frag\u3001shared frag \u304c\u4e2d\u5fc3\u306b\u306a\u308b\u3002<\/td>\n\u5165\u53e3\u306f\u9055\u3046\u305f\u3081\u3001\u500b\u5225 mitigation \u306f\u5909\u308f\u308b\u3002<\/td>\n<\/tr>\n
\u51e6\u7406\u9818\u57df<\/td>\n\u30ab\u30fc\u30cd\u30eb\u6697\u53f7 API \u3068 in-place crypto \u306e\u9818\u57df\u3067\u554f\u984c\u5316\u3059\u308b\u3002<\/td>\nnetworking\u3001ESP\u3001RxRPC\u3001fragment handling \u306e\u9818\u57df\u3067\u554f\u984c\u5316\u3059\u308b\u3002<\/td>\n\u51e6\u7406\u9818\u57df\u304c\u9055\u3063\u3066\u3082\u3001page \u306e\u610f\u5473\u4fdd\u5b58\u3068\u3044\u3046\u554f\u984c\u306f\u5171\u901a\u3059\u308b\u3002<\/td>\n<\/tr>\n
\u6c5a\u67d3\u5bfe\u8c61<\/td>\n\u8aad\u307f\u53d6\u308a\u5c02\u7528\u7531\u6765\u306e page cache \u304c writable destination \u3068\u3057\u3066\u6271\u308f\u308c\u5f97\u308b\u3002<\/td>\nshared skb frag \u306a\u3069\u3092\u901a\u3058\u3066\u3001\u8aad\u307f\u53d6\u308a\u5c02\u7528\u7531\u6765\u306e page cache \u304c in-place \u51e6\u7406\u3055\u308c\u5f97\u308b\u3002<\/td>\n\u30c7\u30a3\u30b9\u30af\u4e0a\u306e\u6539\u3056\u3093\u3067\u306f\u306a\u304f\u3001\u5b9f\u884c\u6642\u306b\u8aad\u307e\u308c\u308b page cache \u306e\u6c5a\u67d3\u304c\u554f\u984c\u3067\u3042\u308b\u3002<\/td>\n<\/tr>\n
\u66ab\u5b9a\u5bfe\u7b56<\/td>\nalgif_aead \u306e\u7121\u52b9\u5316\u304c\u7126\u70b9\u306b\u306a\u3063\u305f\u3002<\/td>\nesp4\u3001esp6\u3001rxrpc \u306e\u7121\u52b9\u5316\u304c\u7126\u70b9\u306b\u306a\u308b\u3002<\/td>\n\u66ab\u5b9a\u5bfe\u7b56\u306f\u5165\u53e3\u4f9d\u5b58\u3067\u3042\u308a\u3001\u4e0d\u5909\u539f\u7406\u305d\u306e\u3082\u306e\u3067\u306f\u306a\u3044\u3002<\/td>\n<\/tr>\n
\u4e0d\u5909\u539f\u7406<\/td>\n\u4e0a\u4f4d\u30ec\u30a4\u30e4\u30fc\u306e read-only\u3001shared\u3001input \u3068\u3044\u3046\u610f\u5473\u304c\u4e0b\u4f4d\u30ec\u30a4\u30e4\u30fc\u3067\u5931\u308f\u308c\u308b\u3002<\/td>\n\u540c\u3058\u610f\u5473\u55aa\u5931\u304c\u3001\u5225\u306e\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u7cfb\u5165\u53e3\u3067\u6210\u7acb\u3059\u308b\u3002<\/td>\nDirty Frag \u306f Copy Fail \u306e\u6559\u8a13\u3092\u5426\u5b9a\u305b\u305a\u3001\u62bd\u8c61\u5ea6\u3092\u4e0a\u3052\u3066\u5f37\u5316\u3059\u308b\u3002<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

\u3057\u305f\u304c\u3063\u3066\u3001\u672c\u7a3f\u306e\u554f\u3044\u306f\u3001Dirty Frag \u306b\u3088\u3063\u3066 Copy Fail \u306e\u6559\u8a13\u304c\u66f8\u304d\u63db\u308f\u308b\u306e\u304b\u3001\u305d\u308c\u3068\u3082\u4e0d\u5909\u539f\u7406\u3068\u3057\u3066\u5f37\u5316\u3055\u308c\u308b\u306e\u304b\u3067\u3042\u308b\u3002\u7d50\u8ad6\u306f\u660e\u78ba\u3067\u3042\u308b\u3002Dirty Frag \u306f\u3001Copy Fail \u306e\u6559\u8a13\u3092\u66f8\u304d\u63db\u3048\u305f\u306e\u3067\u306f\u306a\u3044\u3002\u66f8\u304d\u63db\u308f\u308b\u306e\u306f\u3001\u66ab\u5b9a\u5bfe\u7b56\u3068\u3057\u3066\u898b\u308b\u3079\u304d\u30e2\u30b8\u30e5\u30fc\u30eb\u540d\u3067\u3042\u308b\u3002Copy Fail \u3067\u306f algif_aead \u304c\u7126\u70b9\u3060\u3063\u305f\u304c\u3001Dirty Frag \u3067\u306f esp4\u3001esp6\u3001rxrpc \u304c\u7126\u70b9\u306b\u306a\u308b\u3002\u4e00\u65b9\u3067\u3001\u5909\u308f\u3089\u306a\u3044\u306e\u306f\u3001\u4e0a\u4f4d\u30ec\u30a4\u30e4\u30fc\u3067\u6210\u7acb\u3057\u3066\u3044\u305f\u5b89\u5168\u4e0a\u306e\u610f\u5473\u304c\u3001\u4e0b\u4f4d\u30ec\u30a4\u30e4\u30fc\u306e\u6700\u9069\u5316\u3001\u5171\u6709\u3001\u65ad\u7247\u5316\u3001in-place \u51e6\u7406\u3092\u901a\u904e\u3057\u3066\u3082\u4fdd\u5b58\u3055\u308c\u306a\u3051\u308c\u3070\u306a\u3089\u306a\u3044\u3001\u3068\u3044\u3046\u4e0d\u5909\u539f\u7406\u3067\u3042\u308b\u3002<\/p>\n

\u672c\u7a3f\u3067\u306f\u3001Dirty Frag \u3092\u5358\u306a\u308b\u65b0\u3057\u3044 Linux kernel LPE \u3068\u3057\u3066\u3067\u306f\u306a\u304f\u3001Copy Fail \u306e\u5f8c\u306b\u73fe\u308c\u305f\u69cb\u9020\u7684\u306a\u691c\u8a3c\u4e8b\u4f8b\u3068\u3057\u3066\u8aad\u3080\u3002\u5177\u4f53\u7684\u306b\u306f\u3001Debian \/ Ubuntu \u306a\u3069\u306e\u5bfe\u5fdc\u72b6\u6cc1\u3001LPE \u3068\u3057\u3066\u306e\u8105\u5a01\u8a55\u4fa1\u3001page cache \u6c5a\u67d3\u3068\u30c7\u30a3\u30b9\u30af\u6539\u3056\u3093\u306e\u9055\u3044\u3001Copy Fail \u3068\u306e\u5171\u901a\u70b9\u3068\u76f8\u9055\u70b9\u3001\u6a2a\u5c55\u958b\u3067\u5fc3\u914d\u3059\u3079\u304d\u9818\u57df\u3001\u5bfe\u8c61\u5916\u306e\u5207\u308a\u5206\u3051\u3001page cache write \u4ee5\u5916\u306e LPE \u7cfb\u7d71\u3001\u610f\u5473\u4fdd\u5b58\u30e2\u30c7\u30eb\u3001\u8106\u5f31\u6027\u6d2a\u6c34\u3068 AI \u6642\u4ee3\u306e\u89b3\u6e2c\u53ef\u80fd\u6027\u3001\u305d\u3057\u3066\u6700\u7d42\u7684\u306a\u904b\u7528\u539f\u5247\u307e\u3067\u3092\u6574\u7406\u3059\u308b\u3002\u7d50\u8ad6\u3068\u3057\u3066\u793a\u3059\u306e\u306f\u3001Dirty Frag \u304c\u65b0\u3057\u3044\u4f8b\u5916\u3092\u4f5c\u3063\u305f\u3068\u3044\u3046\u8a71\u3067\u306f\u306a\u3044\u3002Dirty Frag \u306f\u3001\u4e0a\u4f4d\u30ec\u30a4\u30e4\u30fc\u306e\u5236\u7d04\u304c\u4e0b\u4f4d\u30ec\u30a4\u30e4\u30fc\u306e\u6700\u9069\u5316\u3067\u6d88\u3048\u308b\u5834\u6240\u3053\u305d\u5371\u967a\u3067\u3042\u308b\u3001\u3068\u3044\u3046 Copy Fail \u7531\u6765\u306e\u6559\u8a13\u3092\u3001\u3088\u308a\u5f37\u3044\u4e0d\u5909\u539f\u7406\u3068\u3057\u3066\u78ba\u8a8d\u3057\u305f\u4e8b\u4f8b\u3067\u3042\u308b\u3002<\/p>\n

\n

1. Dirty Frag \u306f Copy Fail \u306e\u6559\u8a13\u3092\u691c\u8a3c\u3059\u308b\u5f8c\u7d9a\u4e8b\u4f8b\u3067\u3042\u308b<\/h2>\n

Dirty Frag \u306f\u3001\u5358\u72ec\u3067\u3082 Linux \u30ab\u30fc\u30cd\u30eb\u306e local privilege escalation \u3068\u3057\u3066\u8aac\u660e\u3067\u304d\u308b\u3002Tenable \u306f\u3001CVE-2026-43284 \u3068 CVE-2026-43500 \u3092\u3001Linux \u30ab\u30fc\u30cd\u30eb\u4e0a\u3067 root \u6a29\u9650\u53d6\u5f97\u3078\u81f3\u308a\u5f97\u308b chained vulnerabilities \u3068\u3057\u3066\u6574\u7406\u3057\u3066\u3044\u308b[5]<\/a>\u3002NVD \u3082\u3001CVE-2026-43284 \u3092 xfrm-ESP \u304c shared skb frags \u306b\u5bfe\u3057\u3066 in-place decrypt \u3092\u907f\u3051\u308b\u3079\u304d\u554f\u984c\u3068\u3057\u3066\u8aac\u660e\u3057\u3066\u3044\u308b[6]<\/a>\u3002\u3053\u306e\u7bc4\u56f2\u3060\u3051\u3092\u898b\u308c\u3070\u3001Dirty Frag \u306f xfrm-ESP \u3068 RxRPC \u306b\u95a2\u308f\u308b\u65b0\u3057\u3044 LPE \u3067\u3042\u308a\u3001Copy Fail \u3068\u306f\u5225\u306e CVE \u7fa4\u3067\u3042\u308b\u3002<\/p>\n

\u305d\u308c\u3067\u3082 Dirty Frag \u3092 Copy Fail \u306e\u5f8c\u7d9a\u4e8b\u4f8b\u3068\u3057\u3066\u8aad\u3080\u3079\u304d\u7406\u7531\u306f\u3001\u6642\u7cfb\u5217\u4e0a\u306e\u8fd1\u3055\u3084\u540d\u79f0\u306e\u985e\u4f3c\u3067\u306f\u306a\u3044\u3002\u91cd\u8981\u306a\u306e\u306f\u3001Copy Fail \u3067\u62bd\u51fa\u3055\u308c\u305f\u6559\u8a13\u304c\u3001\u5225\u306e\u30b5\u30d6\u30b7\u30b9\u30c6\u30e0\u3067\u3082\u6210\u7acb\u3059\u308b\u304b\u3069\u3046\u304b\u3092\u691c\u8a3c\u3067\u304d\u308b\u70b9\u3067\u3042\u308b\u3002Copy Fail \u3067\u554f\u984c\u306b\u306a\u3063\u305f\u306e\u306f\u3001algif_aead \u305d\u306e\u3082\u306e\u3067\u306f\u306a\u304f\u3001\u8aad\u307f\u53d6\u308a\u5c02\u7528\u7531\u6765\u306e page cache \u304c copy \u3055\u308c\u305a\u306b\u5225\u6587\u8108\u3078\u6e21\u3055\u308c\u3001\u5f8c\u6bb5\u3067\u51fa\u529b\u5148\u3068\u3057\u3066\u6271\u308f\u308c\u308b\u69cb\u9020\u3060\u3063\u305f\u3002Dirty Frag \u306f\u3001\u3053\u306e\u69cb\u9020\u304c crypto API \u306e\u5165\u53e3\u306b\u9589\u3058\u305a\u3001networking\u3001ESP\u3001RxRPC\u3001skb frag \u306e\u7d4c\u8def\u3067\u3082\u6210\u7acb\u3057\u5f97\u308b\u3053\u3068\u3092\u793a\u3057\u3066\u3044\u308b\u3002<\/p>\n

\u3053\u306e\u9055\u3044\u3092\u660e\u78ba\u306b\u3057\u306a\u3044\u3068\u3001Dirty Frag \u306f Copy Fail \u3068\u306f\u7121\u95a2\u4fc2\u306a\u5225\u4ef6\u306b\u3082\u3001\u9006\u306b Copy Fail \u306e\u5358\u306a\u308b\u713c\u304d\u76f4\u3057\u306b\u3082\u898b\u3048\u3066\u3057\u307e\u3046\u3002\u3069\u3061\u3089\u3082\u6b63\u78ba\u3067\u306f\u306a\u3044\u3002Copy Fail \u3068 Dirty Frag \u306f\u3001\u540c\u3058 CVE \u3067\u3082\u3001\u540c\u3058\u30e2\u30b8\u30e5\u30fc\u30eb\u306e\u554f\u984c\u3067\u3082\u3001\u540c\u3058\u66ab\u5b9a\u5bfe\u7b56\u3067\u51e6\u7406\u3067\u304d\u308b\u554f\u984c\u3067\u3082\u306a\u3044\u3002\u4e00\u65b9\u3067\u3001read-only file-backed shared page \u304c\u3001zero-copy \u3084 fragment \u8868\u73fe\u3092\u901a\u3058\u3066\u4e0b\u4f4d\u30ec\u30a4\u30e4\u30fc\u3078\u6e21\u308a\u3001in-place \u51e6\u7406\u3067 output \u5316\u3059\u308b\u3068\u3044\u3046\u62bd\u8c61\u6761\u4ef6\u306f\u5171\u901a\u3057\u3066\u3044\u308b\u3002\u3057\u305f\u304c\u3063\u3066\u3001\u6bd4\u8f03\u3059\u3079\u304d\u306a\u306e\u306f\u56fa\u6709\u540d\u8a5e\u3067\u306f\u306a\u304f\u3001\u4e0d\u5909\u6761\u4ef6\u306e\u7834\u308c\u3067\u3042\u308b\u3002<\/p>\n\n\n\n\n\n\n\n\n\n
\u89b3\u70b9<\/th>\nCopy Fail<\/th>\nDirty Frag<\/th>\n\u3053\u306e\u9055\u3044\u304c\u793a\u3059\u3053\u3068<\/th>\n<\/tr>\n<\/thead>\n
\u5165\u53e3<\/td>\nalgif_aead \u3068 scatterlist \u304c\u4e3b\u306a\u5165\u53e3\u306b\u306a\u308b\u3002<\/td>\nxfrm-ESP\u3001RxRPC\u3001skb frag \u304c\u4e3b\u306a\u5165\u53e3\u306b\u306a\u308b\u3002<\/td>\n\u5165\u53e3\u304c\u9055\u3046\u305f\u3081\u3001\u500b\u5225\u30e2\u30b8\u30e5\u30fc\u30eb\u5bfe\u7b56\u3060\u3051\u3067\u306f\u540c\u3058\u7cfb\u7d71\u306e\u554f\u984c\u3092\u5c01\u3058\u8fbc\u3081\u3089\u308c\u306a\u3044\u3002<\/td>\n<\/tr>\n
\u51e6\u7406\u9818\u57df<\/td>\n\u30ab\u30fc\u30cd\u30eb\u6697\u53f7 API \u306e in-place \u51e6\u7406\u304c\u554f\u984c\u306b\u306a\u308b\u3002<\/td>\n\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u51e6\u7406\u3001ESP\u3001RxRPC\u3001fragment handling \u304c\u554f\u984c\u306b\u306a\u308b\u3002<\/td>\n\u554f\u984c\u306f\u6697\u53f7 API \u56fa\u6709\u3067\u306f\u306a\u304f\u3001\u30c7\u30fc\u30bf\u3092 copy \u305b\u305a\u306b\u5225\u6587\u8108\u3078\u6e21\u3059\u51e6\u7406\u5168\u822c\u306b\u5e83\u304c\u308a\u5f97\u308b\u3002<\/td>\n<\/tr>\n
\u5171\u901a\u69cb\u9020<\/td>\n\u8aad\u307f\u53d6\u308a\u5c02\u7528\u7531\u6765\u306e page cache \u304c\u3001\u51fa\u529b\u5148\u3068\u3057\u3066\u6271\u308f\u308c\u5f97\u308b\u3002<\/td>\n\u8aad\u307f\u53d6\u308a\u5c02\u7528\u7531\u6765\u306e page cache \u304c\u3001shared skb frags \u7d4c\u7531\u3067 in-place \u51e6\u7406\u3055\u308c\u5f97\u308b\u3002<\/td>\n\u672c\u8cea\u306f\u3001\u8aad\u307f\u53d6\u308a\u5c02\u7528\u3068\u3044\u3046\u4e0a\u4f4d\u30ec\u30a4\u30e4\u30fc\u306e\u610f\u5473\u304c\u4e0b\u4f4d\u30ec\u30a4\u30e4\u30fc\u3067\u4fdd\u5b58\u3055\u308c\u306a\u3044\u3053\u3068\u306b\u3042\u308b\u3002<\/td>\n<\/tr>\n
\u66ab\u5b9a\u5bfe\u7b56<\/td>\nalgif_aead \u306e\u7121\u52b9\u5316\u304c\u4e00\u6642\u7684\u306a\u56de\u907f\u7b56\u306b\u306a\u308b\u3002<\/td>\nesp4\u3001esp6\u3001rxrpc \u306e\u7121\u52b9\u5316\u304c\u4e00\u6642\u7684\u306a\u56de\u907f\u7b56\u306b\u306a\u308b\u3002<\/td>\n\u7121\u52b9\u5316\u5bfe\u8c61\u306f\u5909\u308f\u308b\u305f\u3081\u3001\u66ab\u5b9a\u5bfe\u7b56\u306f\u4e0d\u5909\u539f\u7406\u3067\u306f\u306a\u304f\u6642\u9593\u7a3c\u304e\u3068\u3057\u3066\u7406\u89e3\u3059\u308b\u5fc5\u8981\u304c\u3042\u308b\u3002<\/td>\n<\/tr>\n
\u6559\u8a13<\/td>\nalgif_aead \u306e\u4e8b\u6545\u3068\u3057\u3066\u3060\u3051\u8aad\u3080\u3068\u3001\u6559\u8a13\u306f\u72ed\u304f\u306a\u308b\u3002<\/td>\n\u5225\u5165\u53e3\u3067\u540c\u3058\u5371\u967a\u304c\u518d\u73fe\u3057\u305f\u3053\u3068\u3067\u3001\u6559\u8a13\u306e\u62bd\u8c61\u5ea6\u304c\u4e0a\u304c\u308b\u3002<\/td>\nDirty Frag \u306f Copy Fail \u306e\u6559\u8a13\u3092\u5426\u5b9a\u305b\u305a\u3001\u3088\u308a\u4e00\u822c\u7684\u306a\u610f\u5473\u4fdd\u5b58\u306e\u554f\u984c\u3068\u3057\u3066\u5f37\u5316\u3059\u308b\u3002<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

\u3053\u3053\u3067\u898b\u308b\u3079\u304d\u306a\u306e\u306f\u3001\u500b\u5225\u30e2\u30b8\u30e5\u30fc\u30eb\u540d\u3067\u306f\u306a\u304f\u3001\u62bd\u8c61\u5316\u3055\u308c\u305f\u4e0d\u5909\u6761\u4ef6\u3067\u3042\u308b\u3002Copy Fail \u3092 algif_aead \u306e\u4e8b\u6545\u3068\u3057\u3066\u3060\u3051\u8aad\u3080\u306a\u3089\u3001Dirty Frag \u306f\u5225\u4ef6\u306b\u898b\u3048\u308b\u3002\u3057\u304b\u3057 Copy Fail \u3092\u300c\u4e0a\u4f4d\u30ec\u30a4\u30e4\u30fc\u3067\u8aad\u307f\u53d6\u308a\u5c02\u7528\u3060\u3063\u305f page cache \u306e\u610f\u5473\u304c\u3001\u4e0b\u4f4d\u30ec\u30a4\u30e4\u30fc\u306e zero-copy \u3068 in-place \u51e6\u7406\u3067\u5931\u308f\u308c\u305f\u4e8b\u4f8b\u300d\u3068\u8aad\u3080\u306a\u3089\u3001Dirty Frag \u306f\u540c\u3058\u6559\u8a13\u3092\u5225\u306e\u5165\u53e3\u304b\u3089\u518d\u78ba\u8a8d\u3059\u308b\u4e8b\u4f8b\u306b\u306a\u308b\u3002<\/p>\n

\u3057\u305f\u304c\u3063\u3066\u3001\u7b2c 1 \u7ae0\u3067\u78ba\u8a8d\u3059\u3079\u304d\u3053\u3068\u306f\u3001Dirty Frag \u304c Copy Fail \u306e\u6d3e\u751f\u7269\u3067\u3042\u308b\u304b\u3069\u3046\u304b\u3067\u306f\u306a\u3044\u3002\u554f\u3046\u3079\u304d\u306a\u306e\u306f\u3001Copy Fail \u3067\u62bd\u51fa\u3057\u305f\u6559\u8a13\u304c\u3069\u306e\u62bd\u8c61\u5ea6\u3067\u6210\u7acb\u3059\u308b\u304b\u3067\u3042\u308b\u3002algif_aead \u3092\u7121\u52b9\u5316\u3059\u308b\u3068\u3044\u3046\u66ab\u5b9a\u5bfe\u7b56\u306f Dirty Frag \u306b\u306f\u901a\u7528\u3057\u306a\u3044\u3002\u3057\u304b\u3057\u3001\u8aad\u307f\u53d6\u308a\u5c02\u7528\u7531\u6765\u306e page cache \u3092\u3001\u610f\u5473\u3092\u4fdd\u6301\u3057\u306a\u3044\u307e\u307e\u5225\u30b5\u30d6\u30b7\u30b9\u30c6\u30e0\u3078\u6e21\u3057\u3001\u51fa\u529b\u5148\u3068\u3057\u3066\u6271\u3063\u3066\u306f\u306a\u3089\u306a\u3044\u3068\u3044\u3046\u539f\u7406\u306f\u3001Dirty Frag \u306b\u3088\u3063\u3066\u3080\u3057\u308d\u5f37\u5316\u3055\u308c\u308b\u3002<\/p>\n

\u3053\u306e\u610f\u5473\u3067 Dirty Frag \u306f\u3001Copy Fail \u306e\u5358\u306a\u308b\u7d9a\u5831\u3067\u306f\u306a\u3044\u3002Copy Fail \u3067\u898b\u3048\u305f\u554f\u984c\u304c\u3001\u500b\u5225\u30e2\u30b8\u30e5\u30fc\u30eb\u306e\u4e8b\u6545\u3067\u306f\u306a\u304f\u3001\u30ab\u30fc\u30cd\u30eb\u5185\u90e8\u306e\u610f\u5473\u4fdd\u5b58\u306b\u95a2\u308f\u308b\u3088\u308a\u5e83\u3044\u8a2d\u8a08\u554f\u984c\u3060\u3063\u305f\u3053\u3068\u3092\u793a\u3059\u691c\u8a3c\u4e8b\u4f8b\u3067\u3042\u308b\u3002\u672c\u7a3f\u3067\u306f Dirty Frag \u3092\u3001Copy Fail \u306e\u713c\u304d\u76f4\u3057\u3068\u3057\u3066\u3067\u306f\u306a\u304f\u3001Copy Fail \u306e\u6559\u8a13\u304c\u3069\u3053\u307e\u3067\u4e00\u822c\u5316\u3067\u304d\u308b\u304b\u3092\u78ba\u8a8d\u3059\u308b\u5f8c\u7d9a\u4e8b\u4f8b\u3068\u3057\u3066\u6271\u3046\u3002<\/p>\n

\n

2. Debian \u3068 Ubuntu \u306e\u5bfe\u5fdc\u5dee\u306f\u672c\u8cea\u3067\u306f\u306a\u3044<\/h2>\n

Dirty Frag \u3092\u904b\u7528\u4e0a\u3069\u3046\u6271\u3046\u304b\u3092\u8003\u3048\u308b\u3068\u304d\u3001Debian \u3068 Ubuntu \u306e\u5bfe\u5fdc\u5dee\u306f\u7121\u8996\u3067\u304d\u306a\u3044\u3002Debian Security Tracker \u3067\u306f\u3001CVE-2026-43284 \u306b\u3064\u3044\u3066\u3001MSG_SPLICE_PAGES \u304c pipe \u7531\u6765\u306e pages \u3092 skb \u306b\u76f4\u63a5 attach \u3067\u304d\u3001IPv4 \/ IPv6 datagram append paths \u304c UDP skbs \u306b splice pages \u3092\u5165\u308c\u308b\u969b\u306b shared frag \u3092\u793a\u3059 flag \u3092\u8a2d\u5b9a\u3057\u3066\u3044\u306a\u304b\u3063\u305f\u305f\u3081\u3001ESP input \u304c private copy \u3092\u4f5c\u3089\u305a in-place decrypt \u3057\u3066\u3057\u307e\u3046\u3001\u3068\u8aac\u660e\u3057\u3066\u3044\u308b[7]<\/a>\u3002\u3053\u306e\u8aac\u660e\u306f\u3001Dirty Frag \u306e\u6280\u8853\u7684\u672c\u8cea\u3092\u3088\u304f\u8868\u3057\u3066\u3044\u308b\u3002\u554f\u984c\u306f\u3001pipe \u7531\u6765\u306e page \u304c skb \u306b\u6e21\u3055\u308c\u305f\u3053\u3068\u81ea\u4f53\u3067\u306f\u306a\u3044\u3002\u5171\u6709\u3055\u308c\u3066\u3044\u308b\u53ef\u80fd\u6027\u306e\u3042\u308b page \u3067\u3042\u308b\u3068\u3044\u3046\u610f\u5473\u304c\u3001\u5f8c\u6bb5\u306e ESP \u51e6\u7406\u306b\u5341\u5206\u4f1d\u308f\u3089\u305a\u3001private copy \u3092\u4f5c\u308b\u3079\u304d\u5834\u9762\u3067 in-place decrypt \u304c\u884c\u308f\u308c\u305f\u70b9\u306b\u3042\u308b\u3002<\/p>\n

\u4e00\u65b9\u3001Ubuntu \u516c\u5f0f\u306f\u3001Dirty Frag \u306e\u7de9\u548c\u7b56\u3068\u3057\u3066 esp4\u3001esp6\u3001rxrpc \u306e\u30ed\u30fc\u30c9\u6291\u6b62\u3092\u6848\u5185\u3057\u3001IPsec ESP \u3084 AFS \/ RxRPC \u3092\u4f7f\u3046\u74b0\u5883\u3067\u306f\u6a5f\u80fd\u5f71\u97ff\u304c\u51fa\u308b\u3068\u8aac\u660e\u3057\u3066\u3044\u308b[8]<\/a>\u3002\u307e\u305f Ubuntu \u306e CVE \u30da\u30fc\u30b8\u3067\u306f\u3001CVE-2026-43284 \u3068 CVE-2026-43500 \u304c\u305d\u308c\u305e\u308c High priority \u3068\u3057\u3066\u6271\u308f\u308c\u3001\u4e3b\u8981 kernel packages \u306e\u8a55\u4fa1\u72b6\u6cc1\u304c\u793a\u3055\u308c\u3066\u3044\u308b[9]<\/a>[10]<\/a>\u3002\u3053\u3053\u3067\u91cd\u8981\u306a\u306e\u306f\u3001Ubuntu \u304c\u793a\u3057\u3066\u3044\u308b\u66ab\u5b9a\u7de9\u548c\u7b56\u304c Dirty Frag \u306e\u672c\u8cea\u3092\u6d88\u3059\u3082\u306e\u3067\u306f\u306a\u304f\u3001\u672a\u4fee\u6b63 kernel \u3092\u4f7f\u3044\u7d9a\u3051\u3056\u308b\u3092\u5f97\u306a\u3044\u671f\u9593\u306b\u3001\u5371\u967a\u306a\u5165\u53e3\u3092\u4e00\u6642\u7684\u306b\u9589\u3058\u308b\u305f\u3081\u306e\u63aa\u7f6e\u3067\u3042\u308b\u3068\u3044\u3046\u70b9\u3067\u3042\u308b\u3002<\/p>\n\n\n\n\n\n\n\n\n\n
\u89b3\u70b9<\/th>\nDebian<\/th>\nUbuntu<\/th>\n\u8aad\u307f\u53d6\u308b\u3079\u304d\u3053\u3068<\/th>\n<\/tr>\n<\/thead>\n
\u8aac\u660e\u306e\u91cd\u5fc3<\/td>\nMSG_SPLICE_PAGES\u3001pipe pages\u3001skb\u3001shared frag\u3001ESP input \u306e in-place decrypt \u3068\u3044\u3046\u5185\u90e8\u69cb\u9020\u3092\u4e2d\u5fc3\u306b\u8aac\u660e\u3057\u3066\u3044\u308b\u3002<\/td>\n\u5f71\u97ff\u3092\u53d7\u3051\u308b kernel packages\u3001High priority\u3001\u66ab\u5b9a\u7de9\u548c\u7b56\u3001\u30e2\u30b8\u30e5\u30fc\u30eb\u7121\u52b9\u5316\u3092\u4e2d\u5fc3\u306b\u8aac\u660e\u3057\u3066\u3044\u308b\u3002<\/td>\nDebian \u306f\u6280\u8853\u7684\u539f\u56e0\u306e\u8a18\u8ff0\u304c\u8aad\u307f\u3084\u3059\u304f\u3001Ubuntu \u306f\u904b\u7528\u4e0a\u306e\u7de9\u548c\u7b56\u304c\u8aad\u307f\u3084\u3059\u3044\u304c\u3001\u898b\u3066\u3044\u308b\u554f\u984c\u306f\u540c\u3058\u3067\u3042\u308b\u3002<\/td>\n<\/tr>\n
\u66ab\u5b9a\u5bfe\u7b56<\/td>\n\u4fee\u6b63\u6e08\u307f kernel \u3078\u306e\u66f4\u65b0\u3092\u524d\u63d0\u306b\u3001\u5bfe\u8c61 CVE \u3068\u4fee\u6b63\u72b6\u6cc1\u3092\u78ba\u8a8d\u3059\u308b\u6d41\u308c\u306b\u306a\u308b\u3002<\/td>\nesp4\u3001esp6\u3001rxrpc \u306e\u30ed\u30fc\u30c9\u6291\u6b62\u3092\u3001\u4fee\u6b63\u6e08\u307f kernel \u9069\u7528\u307e\u3067\u306e\u4e00\u6642\u7684\u306a\u7de9\u548c\u7b56\u3068\u3057\u3066\u6848\u5185\u3057\u3066\u3044\u308b\u3002<\/td>\n\u30e2\u30b8\u30e5\u30fc\u30eb\u7121\u52b9\u5316\u306f\u6839\u672c\u5bfe\u7b56\u3067\u306f\u306a\u304f\u3001\u4fee\u6b63\u7248 kernel \u3078\u79fb\u884c\u3059\u308b\u307e\u3067\u306e\u6642\u9593\u7a3c\u304e\u3067\u3042\u308b\u3002<\/td>\n<\/tr>\n
\u6a5f\u80fd\u5f71\u97ff<\/td>\n\u5bfe\u8c61 kernel \u306e\u66f4\u65b0\u3068\u518d\u8d77\u52d5\u304c\u4e2d\u5fc3\u306b\u306a\u308b\u305f\u3081\u3001\u4e3b\u306a\u5f71\u97ff\u306f\u30e1\u30f3\u30c6\u30ca\u30f3\u30b9\u6642\u9593\u3068\u518d\u8d77\u52d5\u8a08\u753b\u306b\u73fe\u308c\u308b\u3002<\/td>\nIPsec ESP\u3001AFS\u3001RxRPC \u3092\u4f7f\u3063\u3066\u3044\u308b\u74b0\u5883\u3067\u306f\u3001\u30e2\u30b8\u30e5\u30fc\u30eb\u7121\u52b9\u5316\u306b\u3088\u308b\u6a5f\u80fd\u5f71\u97ff\u304c\u51fa\u308b\u53ef\u80fd\u6027\u304c\u3042\u308b\u3002<\/td>\n\u66ab\u5b9a\u7de9\u548c\u7b56\u306f\u5e38\u306b\u5b89\u5168\u5074\u306e\u5358\u7d14\u64cd\u4f5c\u3067\u306f\u306a\u304f\u3001\u5229\u7528\u4e2d\u306e\u6a5f\u80fd\u3068\u306e\u885d\u7a81\u3092\u78ba\u8a8d\u3059\u308b\u5fc5\u8981\u304c\u3042\u308b\u3002<\/td>\n<\/tr>\n
\u904b\u7528\u5224\u65ad<\/td>\nsecurity repository \u304b\u3089\u4fee\u6b63\u6e08\u307f kernel \u3092\u53d6\u5f97\u3057\u3001\u518d\u8d77\u52d5\u5f8c\u306b\u8d77\u52d5 kernel \u3092\u78ba\u8a8d\u3059\u308b\u5224\u65ad\u306b\u306a\u308b\u3002<\/td>\n\u4fee\u6b63\u6e08\u307f kernel \u306e\u63d0\u4f9b\u72b6\u6cc1\u3092\u78ba\u8a8d\u3057\u3001\u672a\u9069\u7528\u671f\u9593\u306f\u30e2\u30b8\u30e5\u30fc\u30eb\u7121\u52b9\u5316\u3001\u66f4\u65b0\u5f8c\u306f\u518d\u8d77\u52d5\u3068\u78ba\u8a8d\u3092\u884c\u3046\u5224\u65ad\u306b\u306a\u308b\u3002<\/td>\n\u3069\u3061\u3089\u3082\u6700\u7d42\u7684\u306b\u306f\u4fee\u6b63\u6e08\u307f kernel \u3067\u8d77\u52d5\u3057\u3066\u3044\u308b\u3053\u3068\u3092\u78ba\u8a8d\u3057\u306a\u3051\u308c\u3070\u306a\u3089\u306a\u3044\u3002<\/td>\n<\/tr>\n
\u672c\u8cea\u3068\u306e\u95a2\u4fc2<\/td>\nshared frag \u306e\u610f\u5473\u304c\u4fdd\u5b58\u3055\u308c\u305a\u3001in-place decrypt \u306b\u9032\u3080\u69cb\u9020\u3092\u8aac\u660e\u3057\u3066\u3044\u308b\u3002<\/td>\n\u5371\u967a\u306a\u5165\u53e3\u3092\u4e00\u6642\u7684\u306b\u9589\u3058\u308b\u3053\u3068\u3067\u3001\u540c\u3058\u69cb\u9020\u3078\u5230\u9054\u3057\u306b\u304f\u304f\u3057\u3066\u3044\u308b\u3002<\/td>\n\u914d\u5e03\u904b\u7528\u3084\u8868\u8a18\u306f\u9055\u3063\u3066\u3082\u3001\u554f\u984c\u306e\u672c\u8cea\u306f page \u306e\u5171\u6709\u6027\u3068\u66f8\u304d\u8fbc\u307f\u53ef\u80fd\u6027\u306e\u610f\u5473\u4fdd\u5b58\u306b\u3042\u308b\u3002<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

AlmaLinux \u3084 Red Hat \u3082 Dirty Frag \u3092\u3001\u305d\u308c\u305e\u308c IPsec ESP \u5074\u3068 RxRPC \u5074\u306e\u554f\u984c\u3092\u542b\u3080 LPE \u3068\u3057\u3066\u6574\u7406\u3057\u3066\u3044\u308b[11]<\/a>[12]<\/a>\u3002\u3053\u3053\u304b\u3089\u8aad\u307f\u53d6\u308b\u3079\u304d\u306a\u306e\u306f\u3001\u30c7\u30a3\u30b9\u30c8\u30ea\u30d3\u30e5\u30fc\u30b7\u30e7\u30f3\u3054\u3068\u306e\u8868\u8a18\u3001\u544a\u77e5\u901f\u5ea6\u3001\u7de9\u548c\u7b56\u306e\u898b\u305b\u65b9\u306e\u5dee\u3067\u306f\u306a\u3044\u3002\u914d\u5e03\u904b\u7528\u306f\u9055\u3063\u3066\u3082\u3001\u554f\u984c\u306e\u4e2d\u5fc3\u306f\u3001copy \u3055\u308c\u305a\u306b\u6e21\u3055\u308c\u305f page \u306e\u5171\u6709\u6027\u3001\u66f8\u304d\u8fbc\u307f\u53ef\u80fd\u6027\u3001\u5165\u529b\u3068\u51fa\u529b\u306e\u65b9\u5411\u3001\u5f8c\u6bb5\u51e6\u7406\u3067\u306e\u6271\u3044\u304c\u6b63\u3057\u304f\u4fdd\u5b58\u3055\u308c\u306a\u304b\u3063\u305f\u3053\u3068\u306b\u3042\u308b\u3002<\/p>\n

\u3057\u305f\u304c\u3063\u3066\u3001Debian \u3068 Ubuntu \u306e\u5bfe\u5fdc\u5dee\u306f\u3001\u904b\u7528\u4e0a\u306f\u91cd\u8981\u3060\u304c\u3001\u8106\u5f31\u6027\u306e\u672c\u8cea\u3067\u306f\u306a\u3044\u3002Debian \u3067\u306f\u4fee\u6b63\u6e08\u307f kernel \u304c\u63d0\u4f9b\u3055\u308c\u3066\u3044\u308b\u304b\u3092\u78ba\u8a8d\u3057\u3001\u66f4\u65b0\u5f8c\u306b\u518d\u8d77\u52d5\u3057\u3066\u5b9f\u969b\u306e\u8d77\u52d5 kernel \u3092\u78ba\u8a8d\u3059\u308b\u5fc5\u8981\u304c\u3042\u308b\u3002Ubuntu \u3067\u306f\u3001\u4fee\u6b63\u6e08\u307f kernel \u306e\u63d0\u4f9b\u72b6\u6cc1\u3092\u78ba\u8a8d\u3057\u3064\u3064\u3001\u672a\u4fee\u6b63\u671f\u9593\u306b\u306f esp4\u3001esp6\u3001rxrpc \u306e\u7121\u52b9\u5316\u304c\u66ab\u5b9a\u7de9\u548c\u7b56\u306b\u306a\u308b\u5834\u5408\u304c\u3042\u308b\u3002\u3057\u304b\u3057\u3001\u3069\u3061\u3089\u306e\u5834\u5408\u3067\u3082\u6700\u7d42\u7684\u306a\u5230\u9054\u70b9\u306f\u540c\u3058\u3067\u3042\u308b\u3002\u5371\u967a\u306a\u5165\u53e3\u3092\u4e00\u6642\u7684\u306b\u9589\u3058\u308b\u3060\u3051\u3067\u306f\u4e0d\u5341\u5206\u3067\u3042\u308a\u3001\u8106\u5f31\u306a\u51e6\u7406\u7d4c\u8def\u305d\u306e\u3082\u306e\u304c\u4fee\u6b63\u3055\u308c\u305f kernel \u306b\u66f4\u65b0\u3057\u3001\u305d\u306e kernel \u3067\u8d77\u52d5\u3057\u3066\u3044\u308b\u3053\u3068\u3092\u78ba\u8a8d\u3057\u306a\u3051\u308c\u3070\u306a\u3089\u306a\u3044\u3002<\/p>\n

\n

3. Dirty Frag \u306f\u4fb5\u5165\u53e3\u3067\u306f\u306a\u304f\u5897\u5e45\u5668\u3067\u3042\u308b<\/h2>\n

Dirty Frag \u306f local privilege escalation \u3067\u3042\u308b\u3002Sophos \u306f\u3001Dirty Frag \u3092 xfrm-ESP \u3068 RxRPC subsystems \u306b\u95a2\u9023\u3059\u308b networking-related components \u306e improper handling of page cache operations \u306b\u3088\u308b LPE \u3068\u3057\u3066\u6574\u7406\u3057\u3001\u60aa\u7528\u306b\u306f local access \u304c\u5fc5\u8981\u3060\u3068\u8aac\u660e\u3057\u3066\u3044\u308b[13]<\/a>\u3002\u3053\u306e\u70b9\u306f\u3001\u8105\u5a01\u8a55\u4fa1\u306e\u51fa\u767a\u70b9\u3068\u3057\u3066\u91cd\u8981\u3067\u3042\u308b\u3002Dirty Frag \u306f\u3001\u5358\u72ec\u3067\u30a4\u30f3\u30bf\u30fc\u30cd\u30c3\u30c8\u8d8a\u3057\u306b\u4efb\u610f\u306e Linux \u30b5\u30fc\u30d0\u30fc\u3078\u4fb5\u5165\u3057\u3001\u76f4\u63a5 root \u3092\u53d6\u5f97\u3059\u308b\u8106\u5f31\u6027\u3067\u306f\u306a\u3044\u3002\u653b\u6483\u8005\u306f\u307e\u305a\u3001\u5bfe\u8c61\u30db\u30b9\u30c8\u4e0a\u3067\u4f55\u3089\u304b\u306e\u4f4e\u6a29\u9650\u30b3\u30fc\u30c9\u5b9f\u884c\u307e\u305f\u306f\u30ed\u30fc\u30ab\u30eb\u30a2\u30af\u30bb\u30b9\u3092\u5f97\u3066\u3044\u308b\u5fc5\u8981\u304c\u3042\u308b\u3002<\/p>\n

\u3057\u304b\u3057\u3001\u3053\u306e\u9650\u5b9a\u306f\u8efd\u8996\u3092\u610f\u5473\u3057\u306a\u3044\u3002local access \u304c\u5fc5\u8981\u3067\u3042\u308b\u3053\u3068\u306f\u3001\u5b9f\u904b\u7528\u4e0a\u306e\u5371\u967a\u304c\u5c0f\u3055\u3044\u3053\u3068\u3068\u540c\u7fa9\u3067\u306f\u306a\u3044\u3002Elastic Security Labs \u306f\u3001Copy Fail \u3068 Dirty Frag \u3092\u3001legitimate kernel interfaces\u3001local execution\u3001\u77ed\u3044 proof-of-concept code \u306b\u3088\u3063\u3066 practical \u3067 reliable \u306a root path \u306b\u306a\u308b page cache corruption bugs \u3068\u3057\u3066\u6271\u3063\u3066\u3044\u308b[14]<\/a>\u3002\u3064\u307e\u308a\u3001Dirty Frag \u306e\u5371\u967a\u306f\u3001\u6700\u521d\u306e\u4fb5\u5165\u53e3\u306b\u306a\u308b\u3053\u3068\u3067\u306f\u306a\u304f\u3001\u3059\u3067\u306b\u5f97\u3089\u308c\u305f\u4f4e\u6a29\u9650\u5b9f\u884c\u3092 root \u6a29\u9650\u3078\u5897\u5e45\u3059\u308b\u3053\u3068\u306b\u3042\u308b\u3002<\/p>\n\n\n\n\n\n\n\n\n\n
\u4fb5\u5bb3\u306e\u5165\u53e3<\/th>\nDirty Frag \u3068\u306e\u95a2\u4fc2<\/th>\n\u554f\u984c\u306b\u306a\u308b\u7406\u7531<\/th>\n<\/tr>\n<\/thead>\n
SSH \u30a2\u30ab\u30a6\u30f3\u30c8<\/td>\n\u6f0f\u3048\u3044\u3057\u305f\u9375\u3001\u5f31\u3044\u30d1\u30b9\u30ef\u30fc\u30c9\u3001\u9000\u8077\u8005\u30a2\u30ab\u30a6\u30f3\u30c8\u3001\u5171\u6709\u30a2\u30ab\u30a6\u30f3\u30c8\u306a\u3069\u3067\u4f4e\u6a29\u9650\u30ed\u30b0\u30a4\u30f3\u3055\u308c\u305f\u5f8c\u306b\u4f7f\u308f\u308c\u5f97\u308b\u3002<\/td>\n\u672c\u6765\u306f\u4e00\u822c\u30e6\u30fc\u30b6\u30fc\u306b\u9589\u3058\u3066\u3044\u308b\u4fb5\u5bb3\u304c\u3001kernel LPE \u306b\u3088\u3063\u3066 root \u6a29\u9650\u3078\u62e1\u5927\u3059\u308b\u3002<\/td>\n<\/tr>\n
Web shell<\/td>\nWordPress\u3001CMS\u3001\u7ba1\u7406\u753b\u9762\u3001\u30a2\u30c3\u30d7\u30ed\u30fc\u30c9\u6a5f\u80fd\u3001\u8106\u5f31\u306a\u30d7\u30e9\u30b0\u30a4\u30f3\u306a\u3069\u304b\u3089\u5f97\u305f Web \u30b5\u30fc\u30d0\u30fc\u30e6\u30fc\u30b6\u30fc\u6a29\u9650\u306e\u6b21\u6bb5\u968e\u3068\u3057\u3066\u4f7f\u308f\u308c\u5f97\u308b\u3002<\/td>\nwww-data \u306a\u3069\u306e\u9650\u5b9a\u7684\u306a\u6a29\u9650\u304c\u3001\u30b7\u30b9\u30c6\u30e0\u5168\u4f53\u306e\u5236\u5fa1\u6a29\u3078\u5909\u308f\u308b\u53ef\u80fd\u6027\u304c\u3042\u308b\u3002<\/td>\n<\/tr>\n
CI runner<\/td>\n\u30d3\u30eb\u30c9\u30b9\u30af\u30ea\u30d7\u30c8\u3001pull request\u3001\u4f9d\u5b58\u30d1\u30c3\u30b1\u30fc\u30b8\u3001secret \u306e\u6271\u3044\u3092\u901a\u3058\u3066\u4efb\u610f\u30b3\u30fc\u30c9\u5b9f\u884c\u3055\u308c\u305f runner \u4e0a\u3067\u4f7f\u308f\u308c\u5f97\u308b\u3002<\/td>\n\u4e00\u6642\u7684\u306a\u30d3\u30eb\u30c9\u74b0\u5883\u306e\u4fb5\u5bb3\u304c\u3001runner \u30db\u30b9\u30c8\u3084\u5171\u6709\u57fa\u76e4\u306e\u4fb5\u5bb3\u3078\u62e1\u5927\u3059\u308b\u53ef\u80fd\u6027\u304c\u3042\u308b\u3002<\/td>\n<\/tr>\n
\u30b3\u30f3\u30c6\u30ca\u5185\u30d7\u30ed\u30bb\u30b9<\/td>\n\u30b3\u30f3\u30c6\u30ca\u5185\u3067\u4f4e\u6a29\u9650\u30b3\u30fc\u30c9\u5b9f\u884c\u304c\u6210\u7acb\u3057\u305f\u5834\u5408\u3001\u30db\u30b9\u30c8\u30ab\u30fc\u30cd\u30eb\u3092\u5171\u6709\u3057\u3066\u3044\u308b\u305f\u3081\u3001\u6761\u4ef6\u6b21\u7b2c\u3067 LPE \u306e\u8db3\u5834\u306b\u306a\u308a\u5f97\u308b\u3002<\/td>\n\u30b3\u30f3\u30c6\u30ca\u5185\u306e\u6a29\u9650\u3068\u30db\u30b9\u30c8\u5074\u306e\u5b89\u5168\u6027\u3092\u6df7\u540c\u3059\u308b\u3068\u3001kernel LPE \u306e\u5f71\u97ff\u3092\u904e\u5c0f\u8a55\u4fa1\u3059\u308b\u3002<\/td>\n<\/tr>\n
\u4f4e\u6a29\u9650\u30b5\u30fc\u30d3\u30b9\u30a2\u30ab\u30a6\u30f3\u30c8<\/td>\n\u30d0\u30c3\u30c1\u51e6\u7406\u3001\u30ed\u30b0\u53ce\u96c6\u3001\u76e3\u8996\u30a8\u30fc\u30b8\u30a7\u30f3\u30c8\u3001\u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3\u5c02\u7528\u30e6\u30fc\u30b6\u30fc\u306a\u3069\u306e\u6a29\u9650\u304b\u3089\u5229\u7528\u3055\u308c\u5f97\u308b\u3002<\/td>\n\u672c\u6765\u9650\u5b9a\u3055\u308c\u3066\u3044\u308b\u30b5\u30fc\u30d3\u30b9\u6a29\u9650\u304c\u3001root \u6a29\u9650\u306b\u8fd1\u3044\u7834\u58ca\u529b\u3092\u6301\u3064\u3002<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

\u3057\u305f\u304c\u3063\u3066\u3001Dirty Frag \u306e\u8105\u5a01\u8a55\u4fa1\u306f\u3001\u5358\u4f53\u3067\u306e remote exploitability \u3060\u3051\u3067\u884c\u3063\u3066\u306f\u306a\u3089\u306a\u3044\u3002Dirty Frag \u304c remote code execution \u3067\u306f\u306a\u3044\u3053\u3068\u306f\u4e8b\u5b9f\u3067\u3042\u308b\u3002\u3057\u304b\u3057\u3001\u73fe\u5b9f\u306e\u4fb5\u5bb3\u306f\u5358\u767a\u306e\u8106\u5f31\u6027\u3060\u3051\u3067\u5b8c\u7d50\u3057\u306a\u3044\u3002Web \u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3\u306e\u4efb\u610f\u30b3\u30fc\u30c9\u5b9f\u884c\u3001\u6f0f\u3048\u3044\u3057\u305f SSH \u8a8d\u8a3c\u60c5\u5831\u3001CI \u306e\u8a2d\u5b9a\u4e0d\u5099\u3001\u4f9d\u5b58\u30d1\u30c3\u30b1\u30fc\u30b8\u7d4c\u7531\u306e\u30b3\u30fc\u30c9\u5b9f\u884c\u3001\u30b3\u30f3\u30c6\u30ca\u5185\u3067\u306e\u4fb5\u5bb3\u306a\u3069\u3001\u5225\u306e\u5165\u53e3\u304b\u3089\u4f4e\u6a29\u9650\u5b9f\u884c\u304c\u6210\u7acb\u3057\u305f\u3068\u304d\u3001Dirty Frag \u306f\u305d\u306e\u6a29\u9650\u3092 root \u3078\u5f15\u304d\u4e0a\u3052\u308b post-compromise risk \u306b\u306a\u308b\u3002<\/p>\n

\u3053\u306e\u610f\u5473\u3067\u3001Dirty Frag \u306f\u6249\u3067\u306f\u306a\u304f\u5897\u5e45\u5668\u3067\u3042\u308b\u3002\u6249\u3092\u958b\u3051\u308b\u8106\u5f31\u6027\u3067\u306f\u306a\u304f\u3001\u958b\u3044\u305f\u6249\u304b\u3089\u5165\u3063\u3066\u304d\u305f\u653b\u6483\u8005\u306b\u3001\u5efa\u7269\u5168\u4f53\u3092\u652f\u914d\u3059\u308b\u6a29\u9650\u3092\u4e0e\u3048\u308b\u8106\u5f31\u6027\u3067\u3042\u308b\u3002\u516c\u958b\u30b5\u30fc\u30d0\u30fc\u3001\u5171\u6709\u958b\u767a\u74b0\u5883\u3001CI \u57fa\u76e4\u3001\u30b3\u30f3\u30c6\u30ca\u30db\u30b9\u30c8\u3001\u8907\u6570\u30e6\u30fc\u30b6\u30fc\u304c\u30ed\u30b0\u30a4\u30f3\u3059\u308b\u30b5\u30fc\u30d0\u30fc\u3067\u306f\u3001\u3053\u306e\u7a2e\u306e LPE \u306f\u4fb5\u5165\u306e\u6709\u7121\u305d\u306e\u3082\u306e\u3067\u306f\u306a\u304f\u3001\u4fb5\u5165\u5f8c\u306e\u88ab\u5bb3\u7bc4\u56f2\u3092\u6c7a\u5b9a\u3059\u308b\u3002\u3057\u305f\u304c\u3063\u3066\u3001Dirty Frag \u306e\u512a\u5148\u5ea6\u306f\u300c\u5916\u90e8\u304b\u3089\u76f4\u63a5 exploit \u3067\u304d\u308b\u304b\u300d\u3067\u306f\u306a\u304f\u3001\u300c\u3053\u306e\u30db\u30b9\u30c8\u4e0a\u3067\u4f4e\u6a29\u9650\u30b3\u30fc\u30c9\u5b9f\u884c\u306b\u81f3\u308b\u7d4c\u8def\u304c\u73fe\u5b9f\u306b\u5b58\u5728\u3059\u308b\u304b\u300d\u306b\u3088\u3063\u3066\u8a55\u4fa1\u3059\u308b\u5fc5\u8981\u304c\u3042\u308b\u3002<\/p>\n

\n

4. page cache \u6c5a\u67d3\u306f\u30c7\u30a3\u30b9\u30af\u6539\u3056\u3093\u3067\u306f\u306a\u3044<\/h2>\n

Dirty Frag \u3092\u7406\u89e3\u3059\u308b\u3046\u3048\u3067\u91cd\u8981\u306a\u306e\u306f\u3001\u653b\u6483\u5bfe\u8c61\u304c\u5fc5\u305a\u3057\u3082\u30c7\u30a3\u30b9\u30af\u4e0a\u306e\u30d5\u30a1\u30a4\u30eb\u305d\u306e\u3082\u306e\u3067\u306f\u306a\u3044\u3068\u3044\u3046\u70b9\u3067\u3042\u308b\u3002Qualys \u306f\u3001Dirty Frag exploit \u306f hard drive \u4e0a\u306e\u30d5\u30a1\u30a4\u30eb\u306b\u306f\u89e6\u308c\u305a\u3001\u30c7\u30a3\u30b9\u30af\u4e0a\u306e\u30cf\u30c3\u30b7\u30e5\u306b\u4f9d\u5b58\u3059\u308b\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u30c4\u30fc\u30eb\u3067\u306f\u691c\u77e5\u3067\u304d\u306a\u3044\u53ef\u80fd\u6027\u304c\u3042\u308b\u3068\u8aac\u660e\u3057\u3066\u3044\u308b\u3002\u307e\u305f\u3001\u6c5a\u67d3\u3055\u308c\u305f cache \u306f drop_caches \u307e\u305f\u306f reboot \u307e\u3067\u6b8b\u308b\u3068\u3055\u308c\u308b[15]<\/a>\u3002\u3053\u308c\u306f\u3001Dirty Frag \u3092\u901a\u5e38\u306e\u30d5\u30a1\u30a4\u30eb\u6539\u3056\u3093\u3068\u533a\u5225\u3059\u308b\u6c7a\u5b9a\u7684\u306a\u70b9\u3067\u3042\u308b\u3002\u30d5\u30a1\u30a4\u30eb\u306e\u5b9f\u4f53\u304c\u5909\u308f\u3089\u306a\u304f\u3066\u3082\u3001\u5b9f\u884c\u6642\u306b\u53c2\u7167\u3055\u308c\u308b page cache \u304c\u5909\u308f\u308c\u3070\u3001\u30b7\u30b9\u30c6\u30e0\u304c\u8aad\u3080\u610f\u5473\u306f\u5909\u308f\u308b\u3002<\/p>\n

\u901a\u5e38\u3001\u30d5\u30a1\u30a4\u30eb\u6539\u3056\u3093\u3092\u8003\u3048\u308b\u3068\u304d\u306f\u3001\u30c7\u30a3\u30b9\u30af\u4e0a\u306e inode\u3001\u30d5\u30a1\u30a4\u30eb\u5185\u5bb9\u3001\u30cf\u30c3\u30b7\u30e5\u5024\u3001\u30d1\u30c3\u30b1\u30fc\u30b8\u6574\u5408\u6027\u3001\u5909\u66f4\u6642\u523b\u306a\u3069\u306b\u6ce8\u76ee\u3059\u308b\u3002\u3053\u308c\u306f\u591a\u304f\u306e\u5834\u5408\u306b\u6709\u52b9\u3067\u3042\u308b\u3002\u3057\u304b\u3057\u3001page cache \u6c5a\u67d3\u578b\u306e\u554f\u984c\u3067\u306f\u3001\u30c7\u30a3\u30b9\u30af\u4e0a\u306e\u30d5\u30a1\u30a4\u30eb\u304c\u7121\u50b7\u3067\u3042\u308b\u3053\u3068\u3068\u3001\u5b9f\u884c\u6642\u306b\u8aad\u307e\u308c\u308b\u5185\u5bb9\u304c\u7121\u50b7\u3067\u3042\u308b\u3053\u3068\u306f\u4e00\u81f4\u3057\u306a\u3044\u3002\u305f\u3068\u3048\u3070\u3001\u30c7\u30a3\u30b9\u30af\u4e0a\u306e \/usr\/bin\/su \u304c\u5909\u308f\u3089\u306a\u304f\u3066\u3082\u3001page cache \u4e0a\u3067\u305d\u306e\u5185\u5bb9\u304c\u5909\u308f\u308c\u3070\u3001\u5f8c\u7d9a\u306e\u5b9f\u884c\u6642\u306b\u53c2\u7167\u3055\u308c\u308b\u547d\u4ee4\u5217\u306f\u6c5a\u67d3\u6e08\u307f\u306b\u306a\u308a\u5f97\u308b\u3002\u540c\u3058\u3088\u3046\u306b\u3001\u8a8d\u8a3c\u51e6\u7406\u304c\u53c2\u7167\u3059\u308b\u30d5\u30a1\u30a4\u30eb\u3001\u5171\u6709\u30e9\u30a4\u30d6\u30e9\u30ea\u3001dynamic loader\u3001PAM \u95a2\u9023\u30d5\u30a1\u30a4\u30eb\u306a\u3069\u3082\u3001\u30c7\u30a3\u30b9\u30af\u4e0a\u3067\u306f\u6b63\u3057\u304f\u898b\u3048\u3066\u3082\u3001\u5b9f\u884c\u6642\u306b\u8aad\u307e\u308c\u308b cache \u304c\u6c5a\u67d3\u3055\u308c\u3066\u3044\u308c\u3070\u5b89\u5168\u3068\u306f\u8a00\u3048\u306a\u3044\u3002<\/p>\n\n\n\n\n\n\n\n\n\n
\u89b3\u70b9<\/th>\n\u901a\u5e38\u306e\u30c7\u30a3\u30b9\u30af\u6539\u3056\u3093<\/th>\npage cache \u6c5a\u67d3<\/th>\nDirty Frag \u3067\u554f\u984c\u306b\u306a\u308b\u7406\u7531<\/th>\n<\/tr>\n<\/thead>\n
\u6539\u3056\u3093\u5bfe\u8c61<\/td>\n\u30c7\u30a3\u30b9\u30af\u4e0a\u306e\u30d5\u30a1\u30a4\u30eb\u672c\u4f53\u304c\u5909\u66f4\u3055\u308c\u308b\u3002<\/td>\n\u30e1\u30e2\u30ea\u4e0a\u306e page cache \u304c\u5909\u66f4\u3055\u308c\u308b\u3002<\/td>\n\u30d5\u30a1\u30a4\u30eb\u672c\u4f53\u304c\u5909\u308f\u3063\u3066\u3044\u306a\u304f\u3066\u3082\u3001\u5b9f\u884c\u6642\u306b\u8aad\u307e\u308c\u308b\u5185\u5bb9\u304c\u5909\u308f\u308a\u5f97\u308b\u3002<\/td>\n<\/tr>\n
\u691c\u77e5\u65b9\u6cd5<\/td>\n\u30d5\u30a1\u30a4\u30eb\u30cf\u30c3\u30b7\u30e5\u3001\u30d1\u30c3\u30b1\u30fc\u30b8\u6574\u5408\u6027\u3001mtime\u3001\u76e3\u67fb\u30ed\u30b0\u306a\u3069\u3067\u691c\u77e5\u3057\u3084\u3059\u3044\u3002<\/td>\n\u30c7\u30a3\u30b9\u30af\u4e0a\u306e\u30cf\u30c3\u30b7\u30e5\u3060\u3051\u3067\u306f\u691c\u77e5\u3067\u304d\u306a\u3044\u53ef\u80fd\u6027\u304c\u3042\u308b\u3002<\/td>\n\u30c7\u30a3\u30b9\u30af\u6574\u5408\u6027\u3060\u3051\u3092\u898b\u3066\u3044\u308b\u3068\u3001\u5b9f\u884c\u6642\u306e\u6c5a\u67d3\u3092\u898b\u843d\u3068\u3059\u53ef\u80fd\u6027\u304c\u3042\u308b\u3002<\/td>\n<\/tr>\n
\u6301\u7d9a\u6027<\/td>\n\u30d5\u30a1\u30a4\u30eb\u3092\u623b\u3059\u307e\u3067\u6539\u3056\u3093\u304c\u6b8b\u308b\u3002<\/td>\ndrop_caches \u307e\u305f\u306f reboot \u307e\u3067\u6b8b\u308b\u5834\u5408\u304c\u3042\u308b\u3002<\/td>\n\u6c38\u7d9a\u6539\u3056\u3093\u3067\u306f\u306a\u3044\u304c\u3001\u77ed\u6642\u9593\u3067\u3082 root \u6587\u8108\u3067\u8aad\u307e\u308c\u308c\u3070 LPE \u306b\u5341\u5206\u3064\u306a\u304c\u308b\u3002<\/td>\n<\/tr>\n
\u898b\u304b\u3051\u4e0a\u306e\u72b6\u614b<\/td>\n\u30c7\u30a3\u30b9\u30af\u4e0a\u306e\u5185\u5bb9\u3068\u5b9f\u884c\u6642\u5185\u5bb9\u304c\u57fa\u672c\u7684\u306b\u4e00\u81f4\u3059\u308b\u3002<\/td>\n\u30c7\u30a3\u30b9\u30af\u4e0a\u306e\u5185\u5bb9\u3068\u5b9f\u884c\u6642\u306b\u8aad\u307e\u308c\u308b\u5185\u5bb9\u304c\u305a\u308c\u308b\u3002<\/td>\n\u7ba1\u7406\u8005\u304c\u30d5\u30a1\u30a4\u30eb\u3092\u78ba\u8a8d\u3057\u3066\u3082\u3001\u5b9f\u884c\u6642\u306e\u5b89\u5168\u6027\u3092\u78ba\u8a8d\u3057\u305f\u3053\u3068\u306b\u306f\u306a\u3089\u306a\u3044\u3002<\/td>\n<\/tr>\n
\u672c\u8cea<\/td>\n\u4fdd\u5b58\u3055\u308c\u3066\u3044\u308b byte \u5217\u306e\u6539\u3056\u3093\u3067\u3042\u308b\u3002<\/td>\n\u5b9f\u884c\u6642\u306b\u89e3\u91c8\u3055\u308c\u308b byte \u5217\u306e\u6539\u3056\u3093\u3067\u3042\u308b\u3002<\/td>\n\u554f\u984c\u306f\u4fdd\u5b58\u72b6\u614b\u3067\u306f\u306a\u304f\u3001\u5b9f\u884c\u6642\u610f\u5473\u304c\u6c5a\u67d3\u3055\u308c\u308b\u3053\u3068\u306b\u3042\u308b\u3002<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

\u3053\u306e\u305f\u3081\u3001Dirty Frag \u306e\u554f\u984c\u306f\u3001\u30c7\u30a3\u30b9\u30af\u6539\u3056\u3093\u3067\u306f\u306a\u304f\u5b9f\u884c\u6642\u610f\u5473\u306e\u6539\u3056\u3093\u3068\u3057\u3066\u6349\u3048\u308b\u5fc5\u8981\u304c\u3042\u308b\u3002CPU \u304c\u5f8c\u3067\u8aad\u3080\u547d\u4ee4\u5217\u3001\u8a8d\u8a3c\u51e6\u7406\u304c\u53c2\u7167\u3059\u308b\u5185\u5bb9\u3001root \u6a29\u9650\u6587\u8108\u3067\u8aad\u307f\u8fbc\u307e\u308c\u308b\u30d5\u30a1\u30a4\u30eb\u306e\u5b9f\u884c\u6642\u8868\u73fe\u304c\u6c5a\u67d3\u3055\u308c\u308c\u3070\u3001\u30d5\u30a1\u30a4\u30eb\u30b7\u30b9\u30c6\u30e0\u4e0a\u306e\u5b9f\u4f53\u304c\u7121\u50b7\u306b\u898b\u3048\u3066\u3082\u3001\u30b7\u30b9\u30c6\u30e0\u306e\u632f\u308b\u821e\u3044\u306f\u3059\u3067\u306b\u5909\u308f\u3063\u3066\u3044\u308b\u3002\u3053\u3053\u3067\u58ca\u308c\u3066\u3044\u308b\u306e\u306f\u3001\u5358\u306a\u308b byte \u5217\u3067\u306f\u306a\u3044\u3002\u30c7\u30a3\u30b9\u30af\u4e0a\u306e\u5185\u5bb9\u3001page cache \u4e0a\u306e\u5185\u5bb9\u3001\u5b9f\u884c\u6642\u306b\u8aad\u307e\u308c\u308b\u5185\u5bb9\u306f\u540c\u3058\u3067\u3042\u308b\u306f\u305a\u3060\u3068\u3044\u3046\u524d\u63d0\u3067\u3042\u308b\u3002<\/p>\n

\u3053\u306e\u89b3\u70b9\u306f Copy Fail \u3067\u3082\u540c\u3058\u3060\u3063\u305f\u3002CERT-EU \u306f Copy Fail \u3092\u3001algif_aead \u306e in-place optimisation \u306b\u3088\u308a page-cache pages \u304c writable destination scatterlist \u306b\u7f6e\u304b\u308c\u5f97\u308b\u554f\u984c\u3068\u3057\u3066\u8aac\u660e\u3057\u3066\u3044\u308b[16]<\/a>\u3002NVD \u3082 Copy Fail \u3092 CISA KEV \u306b\u542b\u307e\u308c\u308b Linux Kernel Incorrect Resource Transfer Between Spheres Vulnerability \u3068\u3057\u3066\u6271\u3063\u3066\u3044\u308b[17]<\/a>\u3002\u3064\u307e\u308a\u3001Copy Fail \u3067\u3082 Dirty Frag \u3067\u3082\u3001\u554f\u984c\u306f\u300c\u30d5\u30a1\u30a4\u30eb\u3092\u66f8\u304d\u63db\u3048\u305f\u304b\u300d\u3067\u306f\u306a\u304f\u3001\u300c\u8aad\u307f\u53d6\u308a\u5c02\u7528\u7531\u6765\u306e page cache \u304c\u3001\u5225\u6587\u8108\u3067\u66f8\u304d\u8fbc\u307f\u5bfe\u8c61\u3068\u3057\u3066\u6271\u308f\u308c\u305f\u304b\u300d\u3067\u3042\u308b\u3002<\/p>\n

\u3057\u305f\u304c\u3063\u3066\u3001Dirty Frag \u306f Copy Fail \u3068\u540c\u3058\u7a2e\u985e\u306e\u5b9f\u884c\u6642\u610f\u5473\u6c5a\u67d3\u3092\u3001\u5225\u306e\u5165\u53e3\u304b\u3089\u518d\u73fe\u3057\u305f\u4e8b\u4f8b\u3067\u3042\u308b\u3002Copy Fail \u3067\u306f algif_aead \u3068 scatterlist \u304c\u5165\u53e3\u306b\u306a\u308a\u3001Dirty Frag \u3067\u306f xfrm-ESP\u3001RxRPC\u3001skb frag \u304c\u5165\u53e3\u306b\u306a\u308b\u3002\u5165\u53e3\u306f\u5909\u308f\u308b\u3002\u3057\u304b\u3057\u3001\u30c7\u30a3\u30b9\u30af\u4e0a\u3067\u306f\u8aad\u307f\u53d6\u308a\u5c02\u7528\u3067\u3042\u308b\u306f\u305a\u306e\u5185\u5bb9\u304c\u3001page cache \u4e0a\u3067\u306f\u66f8\u304d\u63db\u3048\u3089\u308c\u3001\u5f8c\u3067\u9ad8\u6a29\u9650\u6587\u8108\u306b\u8aad\u307e\u308c\u308b\u53ef\u80fd\u6027\u304c\u3042\u308b\u3068\u3044\u3046\u69cb\u9020\u306f\u5909\u308f\u3089\u306a\u3044\u3002\u3053\u306e\u69cb\u9020\u3092\u898b\u306a\u3051\u308c\u3070\u3001Dirty Frag \u3092\u5358\u306a\u308b\u65b0\u3057\u3044 LPE \u3068\u3057\u3066\u904e\u5c0f\u8a55\u4fa1\u3059\u308b\u3053\u3068\u306b\u306a\u308b\u3002<\/p>\n

\n

5. Copy Fail \u3068 Dirty Frag \u306e\u5171\u901a\u70b9<\/h2>\n

Copy Fail \u3068 Dirty Frag \u306e\u5171\u901a\u70b9\u306f\u3001\u540c\u3058\u30e2\u30b8\u30e5\u30fc\u30eb\u3067\u8d77\u304d\u305f\u3053\u3068\u3067\u306f\u306a\u3044\u3002Copy Fail \u306f algif_aead \u3068 scatterlist \u306e\u7d4c\u8def\u3067\u554f\u984c\u5316\u3057\u3001Dirty Frag \u306f xfrm-ESP\u3001RxRPC\u3001skb frag \u306e\u7d4c\u8def\u3067\u554f\u984c\u5316\u3059\u308b\u3002\u5165\u53e3\u3082\u51e6\u7406\u9818\u57df\u3082\u7570\u306a\u308b\u3002\u305d\u308c\u3067\u3082\u4e21\u8005\u3092\u540c\u3058\u7cfb\u5217\u3068\u3057\u3066\u8aad\u3080\u3079\u304d\u306a\u306e\u306f\u3001\u3069\u3061\u3089\u3082\u300c\u8aad\u307f\u53d6\u308a\u53ef\u80fd\u3067\u3042\u308b\u3053\u3068\u300d\u304c\u3001\u30ab\u30fc\u30cd\u30eb\u5185\u90e8\u306e page \u5171\u6709\u3068 in-place \u51e6\u7406\u3092\u901a\u3058\u3066\u3001\u5b9f\u8cea\u7684\u306a\u66f8\u304d\u63db\u3048\u80fd\u529b\u3078\u5909\u8cea\u3059\u308b\u69cb\u9020\u3092\u6301\u3064\u304b\u3089\u3067\u3042\u308b\u3002Microsoft \u306f Copy Fail \u306b\u3064\u3044\u3066\u3001unprivileged user \u304c readable file \u306e cache \u3092 corrupt \u3067\u304d\u3001setuid binaries \u3092\u542b\u3080 readable files \u306e cache corruption \u304c root privilege \u3067\u306e code execution \u306b\u3064\u306a\u304c\u308a\u5f97\u308b\u3068\u8aac\u660e\u3057\u3066\u3044\u308b[18]<\/a>\u3002<\/p>\n

\u4e00\u822c\u30e6\u30fc\u30b6\u30fc\u304c setuid root \u30d0\u30a4\u30ca\u30ea\u3092\u8aad\u3081\u308b\u3053\u3068\u306f\u7570\u5e38\u3067\u306f\u306a\u3044\u3002\/usr\/bin\/su \u3084 sudo\u3001\u5171\u6709\u30e9\u30a4\u30d6\u30e9\u30ea\u3001dynamic loader\u3001PAM \u95a2\u9023\u30d5\u30a1\u30a4\u30eb\u306a\u3069\u306f\u3001\u5b9f\u884c\u3084\u53c2\u7167\u306e\u305f\u3081\u306b\u4e00\u822c\u30e6\u30fc\u30b6\u30fc\u304b\u3089\u8aad\u3081\u308b\u5834\u5408\u304c\u3042\u308b\u3002\u3057\u304b\u3057\u3001\u8aad\u3081\u308b\u3053\u3068\u3068\u66f8\u3051\u308b\u3053\u3068\u306f\u672c\u6765\u307e\u3063\u305f\u304f\u9055\u3046\u3002\u554f\u984c\u306f\u3001\u305d\u306e\u8aad\u307f\u53d6\u308a\u5bfe\u8c61\u306e page cache \u304c\u3001\u30ab\u30fc\u30cd\u30eb\u5185\u90e8\u3067\u5225\u306e\u51e6\u7406\u6587\u8108\u306b\u6e21\u3055\u308c\u3001\u5f8c\u6bb5\u3067\u51fa\u529b\u5148\u307e\u305f\u306f\u4f5c\u696d\u9818\u57df\u3068\u3057\u3066\u6271\u308f\u308c\u308b\u3053\u3068\u3067\u3042\u308b\u3002\u30d5\u30a1\u30a4\u30eb\u30b7\u30b9\u30c6\u30e0\u6587\u8108\u3067\u306f\u300c\u8aad\u3081\u308b\u304c\u66f8\u3051\u306a\u3044\u300d page \u304c\u3001\u6697\u53f7\u51e6\u7406\u3084\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u51e6\u7406\u306e\u6587\u8108\u3067\u306f\u5358\u306a\u308b page pointer\u3001scatterlist entry\u3001skb frag \u3068\u3057\u3066\u6271\u308f\u308c\u308b\u3002\u305d\u306e\u77ac\u9593\u3001\u8aad\u307f\u53d6\u308a\u5c02\u7528\u3068\u3044\u3046\u4e0a\u4f4d\u30ec\u30a4\u30e4\u30fc\u306e\u610f\u5473\u304c\u5931\u308f\u308c\u308b\u3002<\/p>\n\n\n\n\n\n\n\n\n\n\n
\u5171\u901a\u69cb\u9020<\/th>\nCopy Fail \u3067\u306e\u73fe\u308c\u65b9<\/th>\nDirty Frag \u3067\u306e\u73fe\u308c\u65b9<\/th>\n\u672c\u8cea\u7684\u306a\u610f\u5473<\/th>\n<\/tr>\n<\/thead>\n
\u8aad\u307f\u53d6\u308a\u53ef\u80fd\u306a file-backed page \u304c\u95a2\u4e0e\u3059\u308b\u3002<\/td>\n\u653b\u6483\u8005\u306f\u901a\u5e38\u306e\u8aad\u307f\u53d6\u308a\u6a29\u9650\u3067\u5bfe\u8c61\u30d5\u30a1\u30a4\u30eb\u7531\u6765\u306e page cache \u306b\u5230\u9054\u3059\u308b\u3002<\/td>\n\u653b\u6483\u8005\u306f pipe \u3084 skb \u3092\u7d4c\u7531\u3057\u3066\u3001\u8aad\u307f\u53d6\u308a\u5c02\u7528\u7531\u6765\u306e page \u3092\u5f8c\u6bb5\u51e6\u7406\u3078\u5230\u9054\u3055\u305b\u308b\u3002<\/td>\n\u8aad\u307f\u53d6\u308a\u6a29\u9650\u3060\u3051\u3067\u5230\u9054\u3067\u304d\u308b page \u304c\u3001\u66f8\u304d\u63db\u3048\u53ef\u80fd\u306a\u4f5c\u696d\u5bfe\u8c61\u3078\u5909\u8cea\u3059\u308b\u3053\u3068\u304c\u554f\u984c\u3067\u3042\u308b\u3002<\/td>\n<\/tr>\n
copy \u3055\u308c\u305a\u306b\u5225\u7d4c\u8def\u3078\u6e21\u308b\u3002<\/td>\nsplice \u3084 scatterlist \u306b\u3088\u308a\u3001byte \u5217\u306e\u30b3\u30d4\u30fc\u3067\u306f\u306a\u304f page \u53c2\u7167\u304c\u6697\u53f7\u51e6\u7406\u3078\u6e21\u308b\u3002<\/td>\nMSG_SPLICE_PAGES\u3001pipe pages\u3001skb frag \u306a\u3069\u306b\u3088\u308a\u3001page \u53c2\u7167\u304c\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u51e6\u7406\u3078\u6e21\u308b\u3002<\/td>\ncopy \u3057\u306a\u3044\u6700\u9069\u5316\u306f\u6027\u80fd\u4e0a\u6709\u52b9\u3060\u304c\u3001page \u306e\u7531\u6765\u3001\u5171\u6709\u6027\u3001\u66f8\u304d\u8fbc\u307f\u53ef\u5426\u3092\u4fdd\u6301\u3067\u304d\u306a\u3051\u308c\u3070\u5371\u967a\u306b\u306a\u308b\u3002<\/td>\n<\/tr>\n
\u5f8c\u6bb5\u51e6\u7406\u304c in-place \u306b\u6271\u3046\u3002<\/td>\nAEAD \u51e6\u7406\u304c\u5165\u529b page \u3092 writable destination scatterlist \u3068\u3057\u3066\u6271\u3044\u5f97\u308b\u3002<\/td>\nESP input \u306a\u3069\u304c shared skb frags \u306b\u5bfe\u3057\u3066 private copy \u3092\u4f5c\u3089\u305a in-place \u51e6\u7406\u3057\u5f97\u308b\u3002<\/td>\n\u5165\u529b\u3068\u3057\u3066\u6e21\u3055\u308c\u305f page \u304c\u51fa\u529b\u5148\u3068\u3057\u3066\u6271\u308f\u308c\u308b\u3068\u3001\u8aad\u307f\u53d6\u308a\u5c02\u7528\u3068\u3044\u3046\u610f\u5473\u304c\u5d29\u308c\u308b\u3002<\/td>\n<\/tr>\n
\u5171\u6709 page cache \u304c\u6c5a\u67d3\u3055\u308c\u308b\u3002<\/td>\n\u8aad\u307f\u53d6\u308a\u5c02\u7528\u30d5\u30a1\u30a4\u30eb\u7531\u6765\u306e page cache \u304c\u6697\u53f7\u51e6\u7406\u7d4c\u8def\u3067\u6c5a\u67d3\u3055\u308c\u5f97\u308b\u3002<\/td>\n\u8aad\u307f\u53d6\u308a\u5c02\u7528\u30d5\u30a1\u30a4\u30eb\u7531\u6765\u306e page cache \u304c\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u51e6\u7406\u7d4c\u8def\u3067\u6c5a\u67d3\u3055\u308c\u5f97\u308b\u3002<\/td>\n\u30c7\u30a3\u30b9\u30af\u4e0a\u306e\u30d5\u30a1\u30a4\u30eb\u3067\u306f\u306a\u304f\u3001\u5b9f\u884c\u6642\u306b\u8aad\u307e\u308c\u308b\u30e1\u30e2\u30ea\u4e0a\u306e\u5185\u5bb9\u304c\u5909\u308f\u308b\u3002<\/td>\n<\/tr>\n
root \u6587\u8108\u3067\u518d\u5229\u7528\u3055\u308c\u308b\u3002<\/td>\n\u6c5a\u67d3\u3055\u308c\u305f setuid binary \u306a\u3069\u304c root \u6a29\u9650\u6587\u8108\u3067\u5b9f\u884c\u3055\u308c\u308b\u53ef\u80fd\u6027\u304c\u3042\u308b\u3002<\/td>\n\u6c5a\u67d3\u3055\u308c\u305f page cache \u304c\u3001\u8a8d\u8a3c\u51e6\u7406\u3001setuid \u5b9f\u884c\u3001\u5171\u6709\u30e9\u30a4\u30d6\u30e9\u30ea\u8aad\u307f\u8fbc\u307f\u306a\u3069\u306e\u9ad8\u6a29\u9650\u6587\u8108\u3067\u8aad\u307e\u308c\u5f97\u308b\u3002<\/td>\n\u4f4e\u6a29\u9650\u30e6\u30fc\u30b6\u30fc\u306e\u8aad\u307f\u53d6\u308a\u64cd\u4f5c\u304c\u3001\u5f8c\u7d9a\u306e root \u6a29\u9650\u5b9f\u884c\u306b\u5f71\u97ff\u3059\u308b\u7d4c\u8def\u3092\u4f5c\u308b\u3002<\/td>\n<\/tr>\n
\u30c7\u30a3\u30b9\u30af\u4e0a\u306e\u5909\u66f4\u3067\u306f\u306a\u3044\u3002<\/td>\n\u30d5\u30a1\u30a4\u30eb\u672c\u4f53\u3092\u6539\u3056\u3093\u3057\u306a\u304f\u3066\u3082\u3001page cache \u306e\u5185\u5bb9\u3092\u901a\u3058\u3066\u5b9f\u884c\u6642\u306e\u610f\u5473\u304c\u5909\u308f\u308a\u5f97\u308b\u3002<\/td>\n\u30d5\u30a1\u30a4\u30eb\u672c\u4f53\u3092\u6539\u3056\u3093\u3057\u306a\u304f\u3066\u3082\u3001cache \u304c drop \u3055\u308c\u308b\u304b reboot \u3055\u308c\u308b\u307e\u3067\u5b9f\u884c\u6642\u6c5a\u67d3\u304c\u6b8b\u308a\u5f97\u308b\u3002<\/td>\n\u30d5\u30a1\u30a4\u30eb\u30cf\u30c3\u30b7\u30e5\u3084\u30d1\u30c3\u30b1\u30fc\u30b8\u6574\u5408\u6027\u3060\u3051\u3067\u306f\u3001\u5b9f\u884c\u6642\u306e\u5b89\u5168\u6027\u3092\u78ba\u8a8d\u3057\u305f\u3053\u3068\u306b\u306a\u3089\u306a\u3044\u3002<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

\u3053\u306e\u4e00\u89a7\u304b\u3089\u5206\u304b\u308b\u3088\u3046\u306b\u3001Copy Fail \u3068 Dirty Frag \u306e\u5171\u901a\u70b9\u306f\u3001\u500b\u5225\u30e2\u30b8\u30e5\u30fc\u30eb\u540d\u3067\u306f\u306a\u304f\u3001\u4e0a\u4f4d\u30ec\u30a4\u30e4\u30fc\u306e\u610f\u5473\u304c\u4e0b\u4f4d\u30ec\u30a4\u30e4\u30fc\u3067\u5931\u308f\u308c\u308b\u3053\u3068\u306b\u3042\u308b\u3002\u30d5\u30a1\u30a4\u30eb\u30b7\u30b9\u30c6\u30e0\u306f\u3001\u305d\u306e page \u3092\u300c\u8aad\u307f\u53d6\u308a\u5c02\u7528\u30d5\u30a1\u30a4\u30eb\u7531\u6765\u306e page cache\u300d\u3068\u3057\u3066\u6271\u3063\u3066\u3044\u308b\u3002\u30e1\u30e2\u30ea\u7ba1\u7406\u306f\u3001\u305d\u308c\u3092 file-backed shared page \u3068\u3057\u3066\u6271\u3063\u3066\u3044\u308b\u3002\u3068\u3053\u308d\u304c\u3001\u51e6\u7406\u7d4c\u8def\u3092\u4e0b\u308b\u3068\u3001\u305d\u308c\u306f pipe buffer\u3001scatterlist entry\u3001skb frag\u3001crypto buffer\u3001network payload \u306e\u3088\u3046\u306a\u5225\u306e\u8868\u73fe\u3078\u5909\u63db\u3055\u308c\u308b\u3002\u3053\u306e\u5909\u63db\u306e\u9014\u4e2d\u3067\u3001\u300c\u8aad\u3081\u308b\u304c\u66f8\u3051\u306a\u3044\u300d\u300c\u5165\u529b\u3067\u3042\u308b\u300d\u300c\u5171\u6709 page cache \u3067\u3042\u308b\u300d\u300c\u5f8c\u3067 root \u6587\u8108\u3067\u8aad\u307e\u308c\u5f97\u308b\u300d\u3068\u3044\u3046\u610f\u5473\u304c\u4fdd\u5b58\u3055\u308c\u306a\u3051\u308c\u3070\u3001\u4f4e\u6a29\u9650\u30e6\u30fc\u30b6\u30fc\u306e\u8aad\u307f\u53d6\u308a\u304c\u5b9f\u8cea\u7684\u306a\u66f8\u304d\u63db\u3048\u80fd\u529b\u3078\u5909\u308f\u308b\u3002<\/p>\n

\u3057\u305f\u304c\u3063\u3066\u3001Copy Fail \u3068 Dirty Frag \u3092\u540c\u3058\u7cfb\u5217\u3068\u3057\u3066\u8aad\u3080\u7406\u7531\u306f\u3001\u3069\u3061\u3089\u3082 page cache \u3092\u76f4\u63a5\u6271\u3046\u304b\u3089\u3001\u3068\u3044\u3046\u3060\u3051\u3067\u306f\u306a\u3044\u3002\u3088\u308a\u6b63\u78ba\u306b\u306f\u3001\u3069\u3061\u3089\u3082\u300c\u8aad\u307f\u53d6\u308a\u5c02\u7528\u306e\u610f\u5473\u3092\u6301\u3064 page \u304c\u3001copy \u3055\u308c\u305a\u306b\u5225\u30b5\u30d6\u30b7\u30b9\u30c6\u30e0\u3078\u6e21\u3055\u308c\u3001\u305d\u3053\u3067\u51fa\u529b\u5148\u307e\u305f\u306f\u4f5c\u696d\u9818\u57df\u3068\u3057\u3066\u6271\u308f\u308c\u308b\u300d\u3068\u3044\u3046\u4e0d\u5909\u6761\u4ef6\u9055\u53cd\u3092\u542b\u3093\u3067\u3044\u308b\u304b\u3089\u3067\u3042\u308b\u3002\u5165\u53e3\u304c algif_aead \u3067\u3042\u3063\u3066\u3082\u3001xfrm-ESP \u3067\u3042\u3063\u3066\u3082\u3001RxRPC \u3067\u3042\u3063\u3066\u3082\u3001\u3053\u306e\u4e0d\u5909\u6761\u4ef6\u304c\u58ca\u308c\u308c\u3070\u3001\u7d50\u679c\u3068\u3057\u3066\u540c\u3058\u7a2e\u985e\u306e\u5b9f\u884c\u6642\u610f\u5473\u6c5a\u67d3\u304c\u8d77\u304d\u308b\u3002<\/p>\n

\u3053\u306e\u610f\u5473\u3067\u3001\u5171\u901a\u70b9\u306f\u6280\u8853\u90e8\u54c1\u306e\u4e00\u81f4\u3067\u306f\u306a\u304f\u3001\u610f\u5473\u4fdd\u5b58\u306e\u5931\u6557\u3067\u3042\u308b\u3002Copy Fail \u306f\u6697\u53f7\u51e6\u7406\u5074\u3067\u305d\u308c\u3092\u793a\u3057\u3001Dirty Frag \u306f\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u51e6\u7406\u5074\u3067\u305d\u308c\u3092\u793a\u3057\u305f\u3002\u4e21\u8005\u3092\u4e26\u3079\u3066\u8aad\u3080\u3053\u3068\u3067\u3001\u554f\u984c\u304c\u7279\u5b9a API \u306e\u4e8b\u6545\u3067\u306f\u306a\u304f\u3001zero-copy\u3001fragment \u8868\u73fe\u3001in-place \u51e6\u7406\u3001page cache \u5171\u6709\u304c\u4ea4\u5dee\u3059\u308b\u5834\u6240\u306b\u6f5c\u3080\u69cb\u9020\u7684\u306a\u5371\u967a\u3067\u3042\u308b\u3053\u3068\u304c\u898b\u3048\u3066\u304f\u308b\u3002<\/p>\n

\n

6. Copy Fail \u3068 Dirty Frag \u306e\u76f8\u9055\u70b9<\/h2>\n

Copy Fail \u3068 Dirty Frag \u306f\u540c\u3058\u4e0d\u5909\u6761\u4ef6\u9055\u53cd\u3068\u3057\u3066\u8aad\u3081\u308b\u304c\u3001\u540c\u3058\u8106\u5f31\u6027\u3067\u306f\u306a\u3044\u3002\u76f8\u9055\u70b9\u306f\u3001\u5165\u53e3\u3001\u51e6\u7406\u9818\u57df\u3001\u5185\u90e8\u8868\u73fe\u3001\u66ab\u5b9a\u5bfe\u7b56\u306b\u3042\u308b\u3002Copy Fail \u306f AF_ALG \/ algif_aead \/ AEAD socket interface \u304c\u5165\u53e3\u3060\u3063\u305f\u3002Cloudflare \u306f Copy Fail \u5bfe\u5fdc\u8a18\u4e8b\u3067\u3001AF_ALG \u3068 kernel crypto API\u3001AEAD\u3001algif_aead \u306e\u95a2\u4fc2\u3092\u5b9f\u52d9\u7684\u306b\u6574\u7406\u3057\u3066\u3044\u308b[19]<\/a>\u3002Linux Kernel Documentation \u3082\u3001AF_ALG \u306b\u3088\u3063\u3066 user space \u304b\u3089 kernel crypto API \u306b\u30a2\u30af\u30bb\u30b9\u3067\u304d\u3001AEAD ciphers \u3082\u5bfe\u8c61\u306b\u542b\u307e\u308c\u308b\u3068\u8aac\u660e\u3057\u3066\u3044\u308b[20]<\/a>\u3002\u3064\u307e\u308a\u3001Copy Fail \u306f user space \u304b\u3089 kernel crypto API \u3092\u4f7f\u3046\u7d4c\u8def\u306b\u304a\u3044\u3066\u3001\u8aad\u307f\u53d6\u308a\u5c02\u7528\u7531\u6765\u306e page cache \u304c\u6697\u53f7\u51e6\u7406\u306e\u5165\u51fa\u529b\u5883\u754c\u3067\u8aa4\u3063\u3066\u6271\u308f\u308c\u305f\u4e8b\u4f8b\u3067\u3042\u308b\u3002<\/p>\n

Dirty Frag \u3067\u306f\u5165\u53e3\u304c xfrm-ESP \u3068 RxRPC \u306b\u79fb\u308b\u3002Linux Kernel Documentation \u306f\u3001RxRPC \u3092 UDP \u4e0a\u3067\u4fe1\u983c\u6027\u306e\u3042\u308b two-phase transport \u3092\u63d0\u4f9b\u3057\u3001AF_RXRPC family \u306e sockets \u306b\u3088\u3063\u3066 sendmsg \u3068 recvmsg \u3092\u884c\u3046 protocol driver \u3068\u8aac\u660e\u3057\u3066\u3044\u308b[21]<\/a>\u3002Ubuntu \u306e rxrpc(7) \u3082\u3001RxRPC \u304c AFS network filesystem \u3067\u4f7f\u308f\u308c\u308b transport protocol \u3067\u3042\u308b\u3068\u8aac\u660e\u3057\u3066\u3044\u308b[22]<\/a>\u3002\u3053\u3053\u3067\u554f\u984c\u306b\u306a\u308b\u306e\u306f\u3001\u6697\u53f7 API \u305d\u306e\u3082\u306e\u3067\u306f\u306a\u304f\u3001networking\u3001ESP\u3001RxRPC\u3001skb frag\u3001shared frag\u3001fragment handling \u306e\u5074\u3067\u3042\u308b\u3002\u3057\u305f\u304c\u3063\u3066\u3001Dirty Frag \u306f Copy Fail \u3068\u540c\u3058\u73fe\u8c61\u3092\u5225\u30e2\u30b8\u30e5\u30fc\u30eb\u3067\u7e70\u308a\u8fd4\u3057\u305f\u3060\u3051\u3067\u306f\u306a\u304f\u3001\u540c\u3058\u5371\u967a\u304c crypto API \u306e\u5916\u5074\u3001\u3059\u306a\u308f\u3061\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u51e6\u7406\u3068\u30d5\u30e9\u30b0\u30e1\u30f3\u30c8\u51e6\u7406\u306e\u9818\u57df\u306b\u3082\u5e83\u304c\u308b\u3053\u3068\u3092\u793a\u3057\u305f\u4e8b\u4f8b\u3067\u3042\u308b\u3002<\/p>\n\n\n\n\n\n\n\n\n\n\n\n
\u89b3\u70b9<\/th>\nCopy Fail<\/th>\nDirty Frag<\/th>\n\u3053\u306e\u9055\u3044\u304c\u610f\u5473\u3059\u308b\u3053\u3068<\/th>\n<\/tr>\n<\/thead>\n
\u4e3b\u306a\u5165\u53e3<\/td>\nAF_ALG\u3001algif_aead\u3001AEAD socket interface \u304c\u5165\u53e3\u306b\u306a\u308b\u3002<\/td>\nxfrm-ESP \u3068 RxRPC \u304c\u5165\u53e3\u306b\u306a\u308b\u3002<\/td>\n\u540c\u3058 page cache write \u7cfb\u5217\u3067\u3082\u3001\u653b\u6483\u9762\u306f crypto API \u306b\u9589\u3058\u306a\u3044\u3002<\/td>\n<\/tr>\n
\u51e6\u7406\u9818\u57df<\/td>\nuser space \u304b\u3089 kernel crypto API \u3092\u547c\u3073\u51fa\u3059\u7d4c\u8def\u304c\u4e2d\u5fc3\u306b\u306a\u308b\u3002<\/td>\nnetworking\u3001ESP\u3001RxRPC\u3001fragment handling \u306e\u7d4c\u8def\u304c\u4e2d\u5fc3\u306b\u306a\u308b\u3002<\/td>\n\u554f\u984c\u306f\u6697\u53f7\u51e6\u7406\u56fa\u6709\u3067\u306f\u306a\u304f\u3001\u8907\u6570\u30b5\u30d6\u30b7\u30b9\u30c6\u30e0\u3092\u6a2a\u65ad\u3059\u308b page \u53c2\u7167\u306e\u6271\u3044\u306b\u3042\u308b\u3002<\/td>\n<\/tr>\n
\u5185\u90e8\u8868\u73fe<\/td>\nscatterlist \u3092\u901a\u3058\u3066\u3001\u5165\u529b page \u3068\u51fa\u529b\u5148\u306e\u610f\u5473\u304c\u6df7\u3056\u308a\u5f97\u308b\u3002<\/td>\nskb frag \u3084 shared frag \u3092\u901a\u3058\u3066\u3001\u5171\u6709 page \u304c\u5f8c\u6bb5\u51e6\u7406\u306b\u6e21\u308a\u5f97\u308b\u3002<\/td>\n\u8868\u73fe\u5f62\u5f0f\u306f\u9055\u3063\u3066\u3082\u3001page \u306e\u7531\u6765\u3001\u5171\u6709\u6027\u3001\u66f8\u304d\u8fbc\u307f\u53ef\u5426\u3092\u5931\u3046\u5371\u967a\u306f\u5171\u901a\u3059\u308b\u3002<\/td>\n<\/tr>\n
\u5371\u967a\u306e\u898b\u3048\u65b9<\/td>\ncrypto API \u306e in-place \u51e6\u7406\u306e\u554f\u984c\u3068\u3057\u3066\u898b\u3048\u3084\u3059\u3044\u3002<\/td>\nnetworking \u3068 fragment handling \u306e\u554f\u984c\u3068\u3057\u3066\u898b\u3048\u3084\u3059\u3044\u3002<\/td>\n\u898b\u3048\u65b9\u3060\u3051\u3067\u5206\u985e\u3059\u308b\u3068\u5225\u4ef6\u306b\u898b\u3048\u308b\u304c\u3001\u62bd\u8c61\u5316\u3059\u308c\u3070\u540c\u3058\u4e0d\u5909\u6761\u4ef6\u9055\u53cd\u3068\u3057\u3066\u8aad\u3081\u308b\u3002<\/td>\n<\/tr>\n
\u66ab\u5b9a\u5bfe\u7b56<\/td>\nalgif_aead \u306e\u7121\u52b9\u5316\u304c\u4e00\u6642\u7684\u306a\u56de\u907f\u7b56\u306b\u306a\u308b\u3002<\/td>\nesp4\u3001esp6\u3001rxrpc \u306e\u7121\u52b9\u5316\u304c\u4e00\u6642\u7684\u306a\u56de\u907f\u7b56\u306b\u306a\u308b\u3002<\/td>\n\u7121\u52b9\u5316\u5bfe\u8c61\u306f\u5909\u308f\u308b\u305f\u3081\u3001\u66ab\u5b9a\u5bfe\u7b56\u3092\u6839\u672c\u539f\u7406\u3068\u53d6\u308a\u9055\u3048\u3066\u306f\u306a\u3089\u306a\u3044\u3002<\/td>\n<\/tr>\n
\u6a5f\u80fd\u5f71\u97ff<\/td>\nuser space \u304b\u3089 kernel crypto API \u3092\u5229\u7528\u3059\u308b\u51e6\u7406\u306b\u5f71\u97ff\u3057\u5f97\u308b\u3002<\/td>\nIPsec ESP\u3001AFS\u3001RxRPC \u306a\u3069\u3092\u4f7f\u3046\u74b0\u5883\u306b\u5f71\u97ff\u3057\u5f97\u308b\u3002<\/td>\n\u7de9\u548c\u7b56\u306f\u5e38\u306b\u74b0\u5883\u4f9d\u5b58\u3067\u3042\u308a\u3001\u5229\u7528\u4e2d\u306e\u6a5f\u80fd\u3068\u306e\u885d\u7a81\u3092\u78ba\u8a8d\u3059\u308b\u5fc5\u8981\u304c\u3042\u308b\u3002<\/td>\n<\/tr>\n
\u6839\u672c\u5bfe\u7b56<\/td>\n\u8106\u5f31\u306a in-place \u51e6\u7406\u7d4c\u8def\u304c\u4fee\u6b63\u3055\u308c\u305f kernel \u306b\u66f4\u65b0\u3057\u3001\u305d\u306e kernel \u3067\u518d\u8d77\u52d5\u3059\u308b\u5fc5\u8981\u304c\u3042\u308b\u3002<\/td>\n\u5171\u6709 frag \u306b\u5bfe\u3059\u308b\u4e0d\u9069\u5207\u306a in-place \u51e6\u7406\u304c\u4fee\u6b63\u3055\u308c\u305f kernel \u306b\u66f4\u65b0\u3057\u3001\u305d\u306e kernel \u3067\u518d\u8d77\u52d5\u3059\u308b\u5fc5\u8981\u304c\u3042\u308b\u3002<\/td>\n\u5165\u53e3\u304c\u9055\u3063\u3066\u3082\u3001\u6700\u7d42\u7684\u306a\u5bfe\u7b56\u306f\u4fee\u6b63\u6e08\u307f kernel \u3078\u306e\u79fb\u884c\u3068\u518d\u8d77\u52d5\u3067\u4e00\u81f4\u3059\u308b\u3002<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

\u3053\u306e\u76f8\u9055\u70b9\u306f\u91cd\u8981\u3067\u3042\u308b\u3002Copy Fail \u3092 crypto API \u306e\u554f\u984c\u3068\u3057\u3066\u3060\u3051\u898b\u308c\u3070\u3001AF_ALG\u3001algif_aead\u3001AEAD\u3001scatterlist \u3092\u8abf\u3079\u308c\u3070\u3088\u3044\u3088\u3046\u306b\u898b\u3048\u308b\u3002Dirty Frag \u3092 networking \u306e\u554f\u984c\u3068\u3057\u3066\u3060\u3051\u898b\u308c\u3070\u3001xfrm-ESP\u3001RxRPC\u3001skb frag\u3001shared frag \u3092\u8abf\u3079\u308c\u3070\u3088\u3044\u3088\u3046\u306b\u898b\u3048\u308b\u3002\u3057\u304b\u3057\u3001\u305d\u306e\u3088\u3046\u306b\u500b\u5225\u9818\u57df\u3078\u9589\u3058\u8fbc\u3081\u308b\u3068\u3001\u4e21\u8005\u3092\u8cab\u304f\u5371\u967a\u3092\u898b\u843d\u3068\u3059\u3002\u91cd\u8981\u306a\u306e\u306f\u3001\u3069\u306e\u30b5\u30d6\u30b7\u30b9\u30c6\u30e0\u3067\u8d77\u304d\u305f\u304b\u3067\u306f\u306a\u304f\u3001file-backed shared page \u304c copy \u3055\u308c\u305a\u306b\u6e21\u3055\u308c\u3001\u305d\u306e\u5f8c\u6bb5\u3067\u5165\u529b\u5c02\u7528\u3068\u3044\u3046\u610f\u5473\u3092\u5931\u3044\u3001\u51fa\u529b\u5148\u307e\u305f\u306f\u4f5c\u696d\u9818\u57df\u3068\u3057\u3066\u6271\u308f\u308c\u308b\u304b\u3069\u3046\u304b\u3067\u3042\u308b\u3002<\/p>\n

\u3057\u305f\u304c\u3063\u3066\u3001\u76f8\u9055\u70b9\u306f\u672c\u8cea\u3092\u5426\u5b9a\u3059\u308b\u3082\u306e\u3067\u306f\u306a\u304f\u3001\u672c\u8cea\u3092\u898b\u3064\u3051\u308b\u305f\u3081\u306e\u624b\u304c\u304b\u308a\u3067\u3042\u308b\u3002Copy Fail \u3068 Dirty Frag \u306f\u5165\u53e3\u304c\u9055\u3046\u304b\u3089\u5225\u7269\u3067\u3042\u308b\u3001\u3068\u3044\u3046\u7406\u89e3\u306f\u534a\u5206\u3060\u3051\u6b63\u3057\u3044\u3002\u78ba\u304b\u306b CVE\u3001\u5bfe\u8c61\u30e2\u30b8\u30e5\u30fc\u30eb\u3001\u66ab\u5b9a\u5bfe\u7b56\u3001\u6a5f\u80fd\u5f71\u97ff\u306f\u7570\u306a\u308b\u3002\u3057\u304b\u3057\u3001\u5165\u53e3\u304c\u9055\u3063\u3066\u3082\u540c\u3058\u7a2e\u985e\u306e\u610f\u5473\u55aa\u5931\u304c\u6210\u7acb\u3059\u308b\u306a\u3089\u3001\u3088\u308a\u6df1\u3044\u5c64\u3067\u306f\u540c\u3058 bug class \u3068\u3057\u3066\u6271\u3046\u5fc5\u8981\u304c\u3042\u308b\u3002\u3053\u3053\u3067\u898b\u308b\u3079\u304d\u306a\u306e\u306f\u3001\u500b\u5225\u30e2\u30b8\u30e5\u30fc\u30eb\u540d\u3067\u306f\u306a\u304f\u3001\u4e0a\u4f4d\u30ec\u30a4\u30e4\u30fc\u306e\u300c\u8aad\u3081\u308b\u304c\u66f8\u3051\u306a\u3044\u300d\u300c\u5165\u529b\u3067\u3042\u308b\u300d\u300c\u5171\u6709 page cache \u3067\u3042\u308b\u300d\u3068\u3044\u3046\u610f\u5473\u304c\u3001\u4e0b\u4f4d\u30ec\u30a4\u30e4\u30fc\u306e\u8868\u73fe\u5909\u63db\u3068 in-place \u51e6\u7406\u3067\u4fdd\u5b58\u3055\u308c\u3066\u3044\u308b\u304b\u3069\u3046\u304b\u3067\u3042\u308b\u3002<\/p>\n

\u3053\u306e\u610f\u5473\u3067\u3001Copy Fail \u3068 Dirty Frag \u306e\u76f8\u9055\u70b9\u306f\u3001\u6559\u8a13\u3092\u72ed\u3081\u308b\u305f\u3081\u3067\u306f\u306a\u304f\u3001\u5e83\u3052\u308b\u305f\u3081\u306b\u91cd\u8981\u3067\u3042\u308b\u3002Copy Fail \u306f\u3001\u6697\u53f7 API \u5074\u3067\u610f\u5473\u4fdd\u5b58\u304c\u58ca\u308c\u308b\u3068 LPE \u306b\u306a\u308b\u3053\u3068\u3092\u793a\u3057\u305f\u3002Dirty Frag \u306f\u3001\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u51e6\u7406\u5074\u3067\u3082\u540c\u3058\u7a2e\u985e\u306e\u610f\u5473\u4fdd\u5b58\u304c\u58ca\u308c\u5f97\u308b\u3053\u3068\u3092\u793a\u3057\u305f\u3002\u4e21\u8005\u3092\u6bd4\u8f03\u3059\u308b\u3053\u3068\u3067\u3001\u554f\u984c\u304c algif_aead \u306e\u4e8b\u6545\u3067\u3082\u3001xfrm-ESP \u3084 RxRPC \u306e\u4e8b\u6545\u3067\u3082\u306a\u304f\u3001zero-copy\u3001page \u53c2\u7167\u3001fragment \u8868\u73fe\u3001in-place \u51e6\u7406\u304c\u4ea4\u5dee\u3059\u308b\u5834\u6240\u306b\u5171\u901a\u3059\u308b\u8a2d\u8a08\u4e0a\u306e\u5371\u967a\u3067\u3042\u308b\u3053\u3068\u304c\u898b\u3048\u3066\u304f\u308b\u3002<\/p>\n

\n

7. skb frag \u3068 scatterlist \u306f\u610f\u5473\u3092\u8584\u3081\u308b\u62bd\u8c61\u3067\u3042\u308b<\/h2>\n

Dirty Frag \u3068 Copy Fail \u3092\u540c\u3058\u7cfb\u5217\u3068\u3057\u3066\u7406\u89e3\u3059\u308b\u306b\u306f\u3001skb frag \u3068 scatterlist \u3092\u5358\u306a\u308b\u5b9f\u88c5\u8a73\u7d30\u3068\u3057\u3066\u6271\u3063\u3066\u306f\u306a\u3089\u306a\u3044\u3002Linux networking APIs \u306e\u30c9\u30ad\u30e5\u30e1\u30f3\u30c8\u306b\u306f\u3001buffer \u304c page cache pages \u3092 inline \u306b\u542b\u3080\u5834\u5408\u306b\u5b89\u5168\u3067\u306a\u3044\u64cd\u4f5c\u304c\u3042\u308b\u3053\u3068\u304c\u793a\u3055\u308c\u3066\u3044\u308b[23]<\/a>\u3002\u3053\u306e\u7a2e\u306e\u8a18\u8ff0\u306f\u3001\u4eca\u56de\u306e\u554f\u984c\u3092\u7406\u89e3\u3059\u308b\u3046\u3048\u3067\u91cd\u8981\u3067\u3042\u308b\u3002page cache page \u306f\u3001\u30d5\u30a1\u30a4\u30eb\u30b7\u30b9\u30c6\u30e0\u6587\u8108\u3067\u306f\u30d5\u30a1\u30a4\u30eb\u5185\u5bb9\u306e cache \u3067\u3042\u308b\u3002\u3057\u304b\u3057\u3001\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u51e6\u7406\u306e\u6587\u8108\u3067\u306f fragment\u3001payload\u3001buffer \u3068\u3057\u3066\u898b\u3048\u3001\u6697\u53f7\u51e6\u7406\u306e\u6587\u8108\u3067\u306f scatterlist entry \u3084\u5909\u63db\u5bfe\u8c61\u3068\u3057\u3066\u898b\u3048\u308b\u3002\u3053\u306e\u6587\u8108\u306e\u5207\u308a\u66ff\u308f\u308a\u3053\u305d\u304c\u3001\u610f\u5473\u5883\u754c\u3092\u8584\u3081\u308b\u3002<\/p>\n

scatterlist \u3082 skb frag \u3082\u3001\u305d\u308c\u81ea\u4f53\u304c\u5371\u967a\u306a\u4ed5\u7d44\u307f\u3067\u306f\u306a\u3044\u3002\u3080\u3057\u308d\u3001\u30b3\u30d4\u30fc\u3092\u6e1b\u3089\u3057\u3001I\/O \u3092\u52b9\u7387\u5316\u3057\u3001\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u3084\u6697\u53f7\u51e6\u7406\u3092\u9ad8\u6027\u80fd\u5316\u3059\u308b\u305f\u3081\u306e\u6b63\u5f53\u306a\u62bd\u8c61\u3067\u3042\u308b\u3002scatterlist \u306f\u3001\u9023\u7d9a\u3057\u3066\u3044\u306a\u3044\u8907\u6570\u306e\u30e1\u30e2\u30ea\u9818\u57df\u3092\u51e6\u7406\u5bfe\u8c61\u3068\u3057\u3066\u307e\u3068\u3081\u308b\u305f\u3081\u306b\u4f7f\u308f\u308c\u308b\u3002skb frag \u306f\u3001\u30cd\u30c3\u30c8\u30ef\u30fc\u30af packet \u306e\u4e00\u90e8\u3092 page fragment \u3068\u3057\u3066\u6271\u3044\u3001\u4f59\u5206\u306a\u30b3\u30d4\u30fc\u3092\u907f\u3051\u308b\u305f\u3081\u306b\u4f7f\u308f\u308c\u308b\u3002\u3069\u3061\u3089\u3082\u3001\u30ab\u30fc\u30cd\u30eb\u5185\u90e8\u3067\u5927\u91cf\u306e\u30c7\u30fc\u30bf\u3092\u52b9\u7387\u3088\u304f\u6271\u3046\u305f\u3081\u306b\u306f\u5fc5\u8981\u306a\u4ed5\u7d44\u307f\u3067\u3042\u308b\u3002<\/p>\n

\u3057\u304b\u3057\u3001\u62bd\u8c61\u5316\u306f\u60c5\u5831\u3092\u843d\u3068\u3059\u3002\u3042\u308b page \u304c file-backed \u3067\u3042\u308b\u3053\u3068\u3001shared page cache \u3067\u3042\u308b\u3053\u3068\u3001\u8aad\u307f\u53d6\u308a\u5c02\u7528\u30d5\u30a1\u30a4\u30eb\u7531\u6765\u3067\u3042\u308b\u3053\u3068\u3001\u5165\u529b\u3068\u3057\u3066\u6e21\u3055\u308c\u305f\u3053\u3068\u3001\u5f8c\u3067 root \u6587\u8108\u3067\u8aad\u307e\u308c\u5f97\u308b\u3053\u3068\u306f\u3001\u30d5\u30a1\u30a4\u30eb\u30b7\u30b9\u30c6\u30e0\u3084\u30e1\u30e2\u30ea\u7ba1\u7406\u306e\u6587\u8108\u3067\u306f\u91cd\u8981\u306a\u610f\u5473\u3092\u6301\u3064\u3002\u3068\u3053\u308d\u304c\u3001scatterlist entry \u3084 skb frag \u3068\u3057\u3066\u6271\u308f\u308c\u308b\u3068\u3001\u305d\u308c\u306f\u5358\u306a\u308b\u51e6\u7406\u5bfe\u8c61\u306e\u65ad\u7247\u3068\u3057\u3066\u898b\u3048\u3084\u3059\u304f\u306a\u308b\u3002\u3053\u3053\u3067\u610f\u5473\u304c\u843d\u3061\u308b\u3068\u3001\u52b9\u7387\u5316\u306e\u305f\u3081\u306e\u62bd\u8c61\u304c\u5b89\u5168\u5883\u754c\u3092\u58ca\u3059\u3002<\/p>\n\n\n\n\n\n\n\n\n\n
\u62bd\u8c61<\/th>\n\u672c\u6765\u306e\u5f79\u5272<\/th>\n\u8584\u307e\u308a\u3084\u3059\u3044\u610f\u5473<\/th>\n\u5371\u967a\u306b\u306a\u308b\u6761\u4ef6<\/th>\n<\/tr>\n<\/thead>\n
page cache<\/td>\n\u30d5\u30a1\u30a4\u30eb\u5185\u5bb9\u3092\u30e1\u30e2\u30ea\u4e0a\u306b\u4fdd\u6301\u3057\u3001\u8aad\u307f\u53d6\u308a\u3084\u5b9f\u884c\u3092\u9ad8\u901f\u5316\u3059\u308b\u3002<\/td>\nfile-backed \u3067\u3042\u308b\u3053\u3068\u3001\u30c7\u30a3\u30b9\u30af\u4e0a\u306e\u30d5\u30a1\u30a4\u30eb\u5185\u5bb9\u3068\u5bfe\u5fdc\u3057\u3066\u3044\u308b\u3053\u3068\u3001\u5171\u6709\u3055\u308c\u5f97\u308b\u3053\u3068\u3002<\/td>\n\u8aad\u307f\u53d6\u308a\u5c02\u7528\u7531\u6765\u306e page cache \u304c\u3001\u5f8c\u6bb5\u3067\u66f8\u304d\u8fbc\u307f\u53ef\u80fd\u306a\u4f5c\u696d\u9818\u57df\u3068\u3057\u3066\u6271\u308f\u308c\u308b\u3068\u5371\u967a\u306b\u306a\u308b\u3002<\/td>\n<\/tr>\n
scatterlist<\/td>\n\u8907\u6570\u306e\u975e\u9023\u7d9a\u30e1\u30e2\u30ea\u9818\u57df\u3092\u3001\u6697\u53f7\u51e6\u7406\u3084 I\/O \u51e6\u7406\u306e\u5bfe\u8c61\u3068\u3057\u3066\u307e\u3068\u3081\u308b\u3002<\/td>\n\u5404 page \u306e\u7531\u6765\u3001\u66f8\u304d\u8fbc\u307f\u53ef\u5426\u3001\u5165\u529b\u3068\u51fa\u529b\u306e\u533a\u5225\u3001\u5171\u6709\u6027\u3002<\/td>\n\u5165\u529b page \u304c writable destination \u3068\u3057\u3066\u6271\u308f\u308c\u3001\u8aad\u307f\u53d6\u308a\u5c02\u7528 page cache \u304c\u66f8\u304d\u63db\u3048\u3089\u308c\u308b\u3068\u5371\u967a\u306b\u306a\u308b\u3002<\/td>\n<\/tr>\n
skb frag<\/td>\n\u30cd\u30c3\u30c8\u30ef\u30fc\u30af packet \u306e\u4e00\u90e8\u3092 page fragment \u3068\u3057\u3066\u4fdd\u6301\u3057\u3001\u4f59\u5206\u306a copy \u3092\u907f\u3051\u308b\u3002<\/td>\npage \u304c pipe \u7531\u6765\u304b\u3001shared \u304b\u3001private copy \u304c\u5fc5\u8981\u304b\u3068\u3044\u3046\u610f\u5473\u3002<\/td>\nshared frag \u3067\u3042\u308b\u3053\u3068\u304c\u5f8c\u6bb5\u306b\u4f1d\u308f\u3089\u305a\u3001ESP \u306a\u3069\u304c in-place \u51e6\u7406\u3059\u308b\u3068\u5371\u967a\u306b\u306a\u308b\u3002<\/td>\n<\/tr>\n
zero-copy<\/td>\nbyte \u5217\u3092\u30b3\u30d4\u30fc\u305b\u305a\u3001page \u53c2\u7167\u3092\u6e21\u3059\u3053\u3068\u3067\u6027\u80fd\u3092\u4e0a\u3052\u308b\u3002<\/td>\n\u53c2\u7167\u5148 page \u306e ownership\u3001writability\u3001sharing\u3001lifetime\u3002<\/td>\ncopy \u3092\u7701\u7565\u3057\u305f\u7d50\u679c\u3001\u66f8\u304d\u63db\u3048\u3066\u306f\u306a\u3089\u306a\u3044 page \u304c\u5225\u30b5\u30d6\u30b7\u30b9\u30c6\u30e0\u306e\u51fa\u529b\u5148\u306b\u306a\u308b\u3068\u5371\u967a\u306b\u306a\u308b\u3002<\/td>\n<\/tr>\n
in-place \u51e6\u7406<\/td>\n\u5165\u529b buffer \u3068\u51fa\u529b buffer \u3092\u540c\u3058\u9818\u57df\u306b\u3057\u3066\u3001\u30e1\u30e2\u30ea\u4f7f\u7528\u91cf\u3084 copy \u3092\u6e1b\u3089\u3059\u3002<\/td>\n\u5165\u529b\u5c02\u7528\u3067\u3042\u308b\u3053\u3068\u3001\u8aad\u307f\u53d6\u308a\u5c02\u7528\u7531\u6765\u3067\u3042\u308b\u3053\u3068\u3001\u51fa\u529b\u3057\u3066\u3088\u3044\u9818\u57df\u304b\u3069\u3046\u304b\u3002<\/td>\n\u5165\u529b\u3068\u3057\u3066\u6e21\u3055\u308c\u305f file-backed shared page \u3092\u3001\u305d\u306e\u307e\u307e\u51fa\u529b\u5148\u3068\u3057\u3066\u66f8\u304d\u63db\u3048\u308b\u3068\u5371\u967a\u306b\u306a\u308b\u3002<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

\u3053\u306e\u8868\u304b\u3089\u5206\u304b\u308b\u3088\u3046\u306b\u3001\u554f\u984c\u306f scatterlist \u3084 skb frag \u306e\u5b58\u5728\u305d\u306e\u3082\u306e\u3067\u306f\u306a\u3044\u3002\u554f\u984c\u306f\u3001\u305d\u308c\u3089\u306e\u62bd\u8c61\u304c page \u306e\u610f\u5473\u3092\u5341\u5206\u306b\u904b\u3079\u306a\u3044\u307e\u307e\u3001\u5f8c\u6bb5\u51e6\u7406\u306b\u6e21\u3055\u308c\u308b\u3053\u3068\u3067\u3042\u308b\u3002\u30ab\u30fc\u30cd\u30eb\u5185\u90e8\u3067\u306f\u3001\u51e6\u7406\u5bfe\u8c61\u3092 page pointer\u3001fragment\u3001entry\u3001payload \u3068\u3057\u3066\u6271\u3046\u5fc5\u8981\u304c\u3042\u308b\u3002\u3057\u304b\u3057\u3001\u305d\u306e page \u304c\u3069\u3053\u304b\u3089\u6765\u305f\u306e\u304b\u3001\u8ab0\u304c\u66f8\u3051\u308b\u306e\u304b\u3001\u5171\u6709\u3055\u308c\u3066\u3044\u308b\u306e\u304b\u3001\u5165\u529b\u306a\u306e\u304b\u51fa\u529b\u306a\u306e\u304b\u3068\u3044\u3046\u610f\u5473\u304c\u6d88\u3048\u308b\u3068\u3001\u51e6\u7406\u52b9\u7387\u3092\u4e0a\u3052\u308b\u305f\u3081\u306e\u62bd\u8c61\u304c\u3001\u6a29\u9650\u5883\u754c\u3092\u8fc2\u56de\u3059\u308b\u7d4c\u8def\u306b\u306a\u308b\u3002<\/p>\n

LWN \u3067\u7d39\u4ecb\u3055\u308c\u305f AF_ALG \u306e zero-copy support removal \u306f\u3001\u3053\u306e\u5371\u967a\u3092\u3088\u304f\u793a\u3057\u3066\u3044\u308b\u3002\u305d\u3053\u3067\u306f\u3001AF_ALG \u306f\u3082\u3068\u3082\u3068 hardware crypto accelerators \u3078\u306e\u30a2\u30af\u30bb\u30b9\u3092\u610f\u56f3\u3057\u3066\u3044\u305f\u304c\u3001\u5b9f\u969b\u306b\u306f\u52b9\u7387\u7684\u306a interface \u3067\u3082\u306a\u304f\u3001zero-copy support \u306e risk \u304c benefits \u3092\u5927\u304d\u304f\u4e0a\u56de\u308b\u3068\u3057\u3066\u3001splice syscall \u306f\u30b5\u30dd\u30fc\u30c8\u3057\u3064\u3064\u3082 data \u306f copy \u3055\u308c\u308b\u3088\u3046\u306b\u3059\u308b\u65b9\u91dd\u304c\u793a\u3055\u308c\u3066\u3044\u308b[24]<\/a>\u3002\u3053\u308c\u306f\u3001\u6027\u80fd\u6700\u9069\u5316\u304c\u610f\u5473\u4fdd\u5b58\u3092\u7834\u308b\u306a\u3089\u3001\u6700\u9069\u5316\u305d\u306e\u3082\u306e\u3092\u6368\u3066\u308b\u5224\u65ad\u3067\u3042\u308b\u3002\u3064\u307e\u308a\u3001copy \u3092\u6e1b\u3089\u3059\u3053\u3068\u306f\u5e38\u306b\u5584\u3067\u306f\u306a\u3044\u3002copy \u3092\u7701\u7565\u3059\u308b\u3053\u3068\u3067\u3001page \u306e\u7531\u6765\u3001\u5171\u6709\u6027\u3001\u66f8\u304d\u8fbc\u307f\u53ef\u5426\u3001\u5165\u529b\u3068\u51fa\u529b\u306e\u533a\u5225\u304c\u4fdd\u5b58\u3067\u304d\u306a\u304f\u306a\u308b\u306a\u3089\u3001\u305d\u306e zero-copy \u306f\u5b89\u5168\u6027\u3088\u308a\u3082\u5371\u967a\u3092\u5897\u3084\u3059\u3002<\/p>\n

\u3057\u305f\u304c\u3063\u3066\u3001skb frag \u3068 scatterlist \u306f\u3001\u6027\u80fd\u306e\u305f\u3081\u306b\u610f\u5473\u3092\u5727\u7e2e\u3059\u308b\u62bd\u8c61\u3060\u3068\u8a00\u3048\u308b\u3002\u62bd\u8c61\u306f\u3001\u6271\u3046\u60c5\u5831\u3092\u6e1b\u3089\u3059\u3053\u3068\u3067\u51e6\u7406\u3092\u5358\u7d14\u5316\u3057\u3001\u9ad8\u901f\u5316\u3059\u308b\u3002\u3057\u304b\u3057\u3001\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u4e0a\u5fc5\u8981\u306a\u610f\u5473\u307e\u3067\u6e1b\u3089\u3057\u3066\u3057\u307e\u3046\u3068\u3001\u4e0a\u4f4d\u30ec\u30a4\u30e4\u30fc\u3067\u6210\u7acb\u3057\u3066\u3044\u305f\u5b89\u5168\u6027\u304c\u4e0b\u4f4d\u30ec\u30a4\u30e4\u30fc\u3067\u6d88\u3048\u308b\u3002Copy Fail \u3067\u306f scatterlist \u304c\u305d\u306e\u5834\u6240\u306b\u306a\u308a\u3001Dirty Frag \u3067\u306f skb frag \u304c\u305d\u306e\u5834\u6240\u306b\u306a\u3063\u305f\u3002\u4e21\u8005\u306e\u6bd4\u8f03\u304b\u3089\u898b\u3048\u308b\u306e\u306f\u3001\u5371\u967a\u306a\u62bd\u8c61\u3068\u306f\u3001\u5358\u306b\u4f4e\u30ec\u30d9\u30eb\u306a\u8868\u73fe\u306e\u3053\u3068\u3067\u306f\u306a\u304f\u3001\u5b89\u5168\u6027\u306b\u5fc5\u8981\u306a\u610f\u5473\u3092\u904b\u3070\u306a\u3044\u307e\u307e\u9ad8\u6027\u80fd\u5316\u3092\u5b9f\u73fe\u3057\u3066\u3057\u307e\u3046\u8868\u73fe\u306e\u3053\u3068\u3067\u3042\u308b\u3002<\/p>\n

\n

8. \u66ab\u5b9a\u5bfe\u7b56\u306f\u30e2\u30b8\u30e5\u30fc\u30eb\u540d\u306b\u4f9d\u5b58\u3059\u308b<\/h2>\n

Dirty Frag \u306e\u66ab\u5b9a\u5bfe\u7b56\u306f\u3001Copy Fail \u306e\u66ab\u5b9a\u5bfe\u7b56\u3068\u306f\u7570\u306a\u308b\u3002Ubuntu \u516c\u5f0f\u306f\u3001Dirty Frag \u306e mitigation \u3068\u3057\u3066 esp4\u3001esp6\u3001rxrpc \u3092\u7121\u52b9\u5316\u3059\u308b\u65b9\u6cd5\u3092\u793a\u3057\u3066\u3044\u308b[8]<\/a>\u3002Sysdig \u3082\u3001Dirty Frag \u306f IPsec encryption \/ ESP \u3068 RxRPC \u304c\u53d7\u4fe1\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u30c7\u30fc\u30bf\u3092 fresh buffer \u306b\u30b3\u30d4\u30fc\u305b\u305a\u3001in-place \u306b decrypt \u3059\u308b\u6700\u9069\u5316\u306b\u95a2\u4fc2\u3059\u308b\u3068\u8aac\u660e\u3057\u3066\u3044\u308b[25]<\/a>\u3002\u3057\u305f\u304c\u3063\u3066\u3001Dirty Frag \u3067\u585e\u3050\u3079\u304d\u5165\u53e3\u306f\u3001Copy Fail \u3067\u554f\u984c\u306b\u306a\u3063\u305f algif_aead \u3067\u306f\u306a\u3044\u3002Copy Fail \u3067\u306f algif_aead \u304c\u66ab\u5b9a\u5bfe\u7b56\u306e\u7126\u70b9\u306b\u306a\u308a\u3001Dirty Frag \u3067\u306f esp4\u3001esp6\u3001rxrpc \u304c\u7126\u70b9\u306b\u306a\u308b\u3002<\/p>\n

\u3053\u3053\u3067\u91cd\u8981\u306a\u306e\u306f\u3001\u30e2\u30b8\u30e5\u30fc\u30eb\u540d\u306e\u9055\u3044\u3092\u305d\u306e\u307e\u307e\u672c\u8cea\u3068\u898b\u306a\u3055\u306a\u3044\u3053\u3068\u3067\u3042\u308b\u3002\u66ab\u5b9a\u5bfe\u7b56\u306f\u5e38\u306b\u3001\u305d\u306e\u6642\u70b9\u3067\u898b\u3048\u3066\u3044\u308b\u653b\u6483\u5165\u53e3\u3092\u585e\u3050\u64cd\u4f5c\u3067\u3042\u308b\u3002Copy Fail \u3067\u306f\u3001AF_ALG \/ algif_aead \/ AEAD socket interface \u3092\u901a\u308b\u7d4c\u8def\u304c\u554f\u984c\u306b\u306a\u3063\u305f\u305f\u3081\u3001algif_aead \u306e\u7121\u52b9\u5316\u304c\u610f\u5473\u3092\u6301\u3063\u305f\u3002Dirty Frag \u3067\u306f\u3001xfrm-ESP \u3068 RxRPC \u3092\u901a\u308b\u7d4c\u8def\u304c\u554f\u984c\u306b\u306a\u308b\u305f\u3081\u3001esp4\u3001esp6\u3001rxrpc \u306e\u7121\u52b9\u5316\u304c\u610f\u5473\u3092\u6301\u3064\u3002\u3064\u307e\u308a\u3001\u66ab\u5b9a\u5bfe\u7b56\u306f\u8106\u5f31\u6027\u30af\u30e9\u30b9\u305d\u306e\u3082\u306e\u3092\u4fee\u6b63\u3059\u308b\u306e\u3067\u306f\u306a\u304f\u3001\u65e2\u77e5\u306e\u5230\u9054\u7d4c\u8def\u3092\u4e00\u6642\u7684\u306b\u9589\u3058\u3066\u3044\u308b\u306b\u3059\u304e\u306a\u3044\u3002<\/p>\n\n\n\n\n\n\n\n\n\n
\u5bfe\u5fdc\u306e\u7a2e\u985e<\/th>\nCopy Fail \u3067\u306e\u5bfe\u8c61<\/th>\nDirty Frag \u3067\u306e\u5bfe\u8c61<\/th>\n\u610f\u5473<\/th>\n<\/tr>\n<\/thead>\n
\u66ab\u5b9a\u7684\u306a\u5165\u53e3\u5c01\u9396<\/td>\nalgif_aead \u3092\u7121\u52b9\u5316\u3059\u308b\u3002<\/td>\nesp4\u3001esp6\u3001rxrpc \u3092\u7121\u52b9\u5316\u3059\u308b\u3002<\/td>\n\u305d\u306e\u6642\u70b9\u3067\u77e5\u3089\u308c\u3066\u3044\u308b exploit \u7d4c\u8def\u3092\u901a\u308a\u306b\u304f\u304f\u3059\u308b\u305f\u3081\u306e\u6642\u9593\u7a3c\u304e\u3067\u3042\u308b\u3002<\/td>\n<\/tr>\n
\u30ed\u30fc\u30c9\u6e08\u307f\u30e2\u30b8\u30e5\u30fc\u30eb\u306e\u9664\u53bb<\/td>\n\u5bfe\u8c61\u30e2\u30b8\u30e5\u30fc\u30eb\u304c\u4f7f\u7528\u4e2d\u3067\u306a\u3051\u308c\u3070 unload \u3067\u304d\u308b\u53ef\u80fd\u6027\u304c\u3042\u308b\u3002<\/td>\nesp4\u3001esp6\u3001rxrpc \u304c\u4f7f\u7528\u4e2d\u3067\u306a\u3051\u308c\u3070 rmmod \u3067\u304d\u308b\u53ef\u80fd\u6027\u304c\u3042\u308b\u3002<\/td>\n\u3059\u3067\u306b kernel \u306b\u5165\u3063\u3066\u3044\u308b\u5371\u967a\u306a\u5165\u53e3\u3092\u4e00\u6642\u7684\u306b\u6d88\u3059\u64cd\u4f5c\u3067\u3042\u308b\u3002<\/td>\n<\/tr>\n
\u6a5f\u80fd\u5f71\u97ff<\/td>\nuser space \u304b\u3089 kernel crypto API \u3092\u4f7f\u3046\u51e6\u7406\u306b\u5f71\u97ff\u3057\u5f97\u308b\u3002<\/td>\nIPsec ESP\u3001AFS\u3001RxRPC \u3092\u4f7f\u3046\u74b0\u5883\u306b\u5f71\u97ff\u3057\u5f97\u308b\u3002<\/td>\n\u66ab\u5b9a\u5bfe\u7b56\u306f\u5b89\u5168\u5074\u306e\u5358\u7d14\u64cd\u4f5c\u3067\u306f\u306a\u304f\u3001\u5229\u7528\u4e2d\u306e\u6a5f\u80fd\u3092\u58ca\u3059\u53ef\u80fd\u6027\u304c\u3042\u308b\u3002<\/td>\n<\/tr>\n
cache \u6c5a\u67d3\u3078\u306e\u7dca\u6025\u51e6\u7f6e<\/td>\npage cache \u6c5a\u67d3\u304c\u7591\u308f\u308c\u308b\u5834\u5408\u3001drop_caches \u3084 reboot \u304c\u5fc5\u8981\u306b\u306a\u308b\u3002<\/td>\npage cache \u6c5a\u67d3\u304c\u7591\u308f\u308c\u308b\u5834\u5408\u3001drop_caches \u3084 reboot \u304c\u5fc5\u8981\u306b\u306a\u308b\u3002<\/td>\n\u3053\u308c\u306f\u8106\u5f31\u6027\u4fee\u6b63\u3067\u306f\u306a\u304f\u3001\u6c5a\u67d3\u6e08\u307f\u306e\u5b9f\u884c\u6642\u72b6\u614b\u3092\u6d88\u3059\u305f\u3081\u306e\u51e6\u7f6e\u3067\u3042\u308b\u3002<\/td>\n<\/tr>\n
\u6839\u672c\u5bfe\u7b56<\/td>\n\u8106\u5f31\u306a in-place \u51e6\u7406\u7d4c\u8def\u304c\u4fee\u6b63\u3055\u308c\u305f kernel \u306b\u66f4\u65b0\u3057\u3001\u305d\u306e kernel \u3067\u518d\u8d77\u52d5\u3059\u308b\u3002<\/td>\n\u5171\u6709 frag \u3084 RxRPC \u5074\u306e\u554f\u984c\u304c\u4fee\u6b63\u3055\u308c\u305f kernel \u306b\u66f4\u65b0\u3057\u3001\u305d\u306e kernel \u3067\u518d\u8d77\u52d5\u3059\u308b\u3002<\/td>\n\u6839\u672c\u5bfe\u7b56\u306f\u30e2\u30b8\u30e5\u30fc\u30eb\u540d\u3067\u306f\u306a\u304f\u3001\u8106\u5f31\u306a\u51e6\u7406\u7d4c\u8def\u305d\u306e\u3082\u306e\u306e\u4fee\u6b63\u3067\u3042\u308b\u3002<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

\u3053\u306e\u8868\u304b\u3089\u5206\u304b\u308b\u3088\u3046\u306b\u3001\u66ab\u5b9a\u5bfe\u7b56\u306f\u30e2\u30b8\u30e5\u30fc\u30eb\u540d\u306b\u4f9d\u5b58\u3059\u308b\u3002\u5165\u53e3\u304c algif_aead \u306a\u3089 algif_aead \u3092\u6b62\u3081\u308b\u3002\u5165\u53e3\u304c esp4\u3001esp6\u3001rxrpc \u306a\u3089\u3001\u305d\u308c\u3089\u3092\u6b62\u3081\u308b\u3002\u5165\u53e3\u304c\u5225\u306e\u30b5\u30d6\u30b7\u30b9\u30c6\u30e0\u306b\u5e83\u304c\u308c\u3070\u3001\u66ab\u5b9a\u5bfe\u7b56\u306e\u5bfe\u8c61\u3082\u3055\u3089\u306b\u5909\u308f\u308b\u3002\u3057\u305f\u304c\u3063\u3066\u3001\u66ab\u5b9a\u5bfe\u7b56\u306e\u540d\u524d\u3092\u4e0d\u5909\u306e\u6559\u8a13\u3068\u3057\u3066\u6271\u3063\u3066\u306f\u306a\u3089\u306a\u3044\u3002Copy Fail \u306e\u6559\u8a13\u3092 algif_aead \u7121\u52b9\u5316\u306b\u7e2e\u6e1b\u3059\u308b\u3068\u3001Dirty Frag \u306b\u306f\u5bfe\u5fdc\u3067\u304d\u306a\u3044\u3002\u540c\u3058\u3088\u3046\u306b\u3001Dirty Frag \u306e\u6559\u8a13\u3092 esp4\u3001esp6\u3001rxrpc \u7121\u52b9\u5316\u306b\u7e2e\u6e1b\u3059\u308b\u3068\u3001\u5c06\u6765\u5225\u306e\u5165\u53e3\u304b\u3089\u540c\u3058 bug class \u304c\u73fe\u308c\u305f\u3068\u304d\u306b\u5bfe\u5fdc\u3067\u304d\u306a\u3044\u3002<\/p>\n

\u4e00\u65b9\u3001\u6839\u672c\u5bfe\u7b56\u306f\u5909\u308f\u3089\u306a\u3044\u3002\u8106\u5f31\u306a\u51e6\u7406\u7d4c\u8def\u305d\u306e\u3082\u306e\u304c\u4fee\u6b63\u3055\u308c\u305f kernel \u306b\u66f4\u65b0\u3057\u3001\u305d\u306e kernel \u3067\u518d\u8d77\u52d5\u3059\u308b\u5fc5\u8981\u304c\u3042\u308b\u3002module blacklist\u3001rmmod\u3001drop_caches \u306f\u3001\u305d\u308c\u305e\u308c\u610f\u5473\u304c\u7570\u306a\u308b\u3002module blacklist \u306f\u3001\u6b21\u56de\u4ee5\u964d\u305d\u306e\u5165\u53e3\u3092\u30ed\u30fc\u30c9\u3055\u305b\u306a\u3044\u305f\u3081\u306e\u6291\u6b62\u3067\u3042\u308b\u3002rmmod \u306f\u3001\u3059\u3067\u306b\u30ed\u30fc\u30c9\u6e08\u307f\u306e\u5165\u53e3\u3092\u53d6\u308a\u9664\u304f\u305f\u3081\u306e\u64cd\u4f5c\u3067\u3042\u308b\u3002drop_caches \u306f\u3001\u6c5a\u67d3\u3055\u308c\u305f\u53ef\u80fd\u6027\u306e\u3042\u308b page cache \u3092\u6368\u3066\u308b\u305f\u3081\u306e\u7dca\u6025\u51e6\u7f6e\u3067\u3042\u308b\u3002reboot \u306f\u3001\u4fee\u6b63\u6e08\u307f kernel \u3078\u306e\u5207\u308a\u66ff\u3048\u3068\u3001\u5b9f\u884c\u6642\u72b6\u614b\u306e\u521d\u671f\u5316\u3092\u517c\u306d\u308b\u3002\u3053\u308c\u3089\u306f\u3069\u308c\u3082\u91cd\u8981\u3060\u304c\u3001\u8106\u5f31\u6027\u30af\u30e9\u30b9\u305d\u306e\u3082\u306e\u3092\u4fee\u6b63\u3059\u308b\u3082\u306e\u3067\u306f\u306a\u3044\u3002<\/p>\n

\u3057\u305f\u304c\u3063\u3066\u3001Dirty Frag \u306e\u66ab\u5b9a\u5bfe\u7b56\u3092\u7406\u89e3\u3059\u308b\u3068\u304d\u306b\u306f\u3001\u30e2\u30b8\u30e5\u30fc\u30eb\u540d\u3068\u539f\u7406\u3092\u5206\u3051\u308b\u5fc5\u8981\u304c\u3042\u308b\u3002esp4\u3001esp6\u3001rxrpc \u3092\u6b62\u3081\u308b\u3053\u3068\u306f\u3001Dirty Frag \u3068\u3044\u3046\u65e2\u77e5\u306e\u5165\u53e3\u306b\u5bfe\u3059\u308b\u5b9f\u52d9\u7684\u306a\u9632\u5fa1\u3067\u3042\u308b\u3002\u3057\u304b\u3057\u3001\u672c\u7a3f\u3067\u8ffd\u3063\u3066\u3044\u308b\u4e0d\u5909\u539f\u7406\u306f\u305d\u3053\u3067\u306f\u306a\u3044\u3002\u4e0d\u5909\u539f\u7406\u306f\u3001\u8aad\u307f\u53d6\u308a\u5c02\u7528\u7531\u6765\u306e page cache \u3092\u3001\u610f\u5473\u3092\u4fdd\u6301\u3057\u306a\u3044\u307e\u307e\u5225\u30b5\u30d6\u30b7\u30b9\u30c6\u30e0\u3078\u6e21\u3057\u3001\u51fa\u529b\u5148\u307e\u305f\u306f\u4f5c\u696d\u9818\u57df\u3068\u3057\u3066\u6271\u3063\u3066\u306f\u306a\u3089\u306a\u3044\u3001\u3068\u3044\u3046\u70b9\u306b\u3042\u308b\u3002\u66ab\u5b9a\u5bfe\u7b56\u306f\u5165\u53e3\u3092\u585e\u3050\u3002\u6839\u672c\u5bfe\u7b56\u306f\u58ca\u308c\u305f\u610f\u5473\u4fdd\u5b58\u306e\u7d4c\u8def\u3092\u4fee\u6b63\u3059\u308b\u3002\u3053\u306e\u4e8c\u3064\u3092\u6df7\u540c\u3057\u3066\u306f\u306a\u3089\u306a\u3044\u3002<\/p>\n

\n

9. \u6a2a\u5c55\u958b\u3067\u5fc3\u914d\u3059\u3079\u304d\u3082\u306e<\/h2>\n

Dirty Frag \u3092\u5358\u72ec\u306e CVE \u3068\u3057\u3066\u9589\u3058\u308b\u3068\u3001\u8abf\u67fb\u5bfe\u8c61\u306f xfrm-ESP \u3068 RxRPC \u306b\u9650\u5b9a\u3055\u308c\u308b\u3002\u3057\u304b\u3057\u3001Copy Fail \u3068\u4e26\u3079\u3066\u8aad\u3080\u306a\u3089\u3001\u305d\u3053\u3067\u6b62\u3081\u308b\u3079\u304d\u3067\u306f\u306a\u3044\u3002Wiz \u306f Dirty Frag \u3092\u3001xfrm-ESP \u3068 RxRPC \u306e 2 \u3064\u306e page-cache write primitives \u3092\u7d44\u307f\u5408\u308f\u305b\u308b vulnerability chain \u3068\u3057\u3066\u8aac\u660e\u3057\u3001race-condition-based exploits \u3068\u306f\u7570\u306a\u308b deterministic \u3067 highly reliable \u306a bug class \u3068\u3057\u3066\u6574\u7406\u3057\u3066\u3044\u308b[26]<\/a>\u3002\u3053\u3053\u3067\u91cd\u8981\u306a\u306e\u306f\u3001Dirty Frag \u304c\u5358\u306a\u308b\u500b\u5225\u5b9f\u88c5\u30df\u30b9\u3067\u306f\u306a\u304f\u3001\u540c\u3058\u69cb\u9020\u304c\u5225\u306e\u51e6\u7406\u7d4c\u8def\u306b\u3082\u73fe\u308c\u5f97\u308b bug class \u3068\u3057\u3066\u8aad\u3081\u308b\u70b9\u3067\u3042\u308b\u3002<\/p>\n

\u6a2a\u5c55\u958b\u3067\u898b\u308b\u3079\u304d\u306a\u306e\u306f\u3001\u56fa\u6709\u540d\u8a5e\u3067\u306f\u306a\u3044\u3002algif_aead\u3001xfrm-ESP\u3001RxRPC\u3001skb frag \u3068\u3044\u3046\u540d\u524d\u306f\u3001\u3042\u304f\u307e\u3067\u4eca\u56de\u89b3\u6e2c\u3055\u308c\u305f\u5165\u53e3\u3067\u3042\u308b\u3002\u3088\u308a\u91cd\u8981\u306a\u306e\u306f\u3001\u540c\u3058\u4e0d\u5909\u6761\u4ef6\u9055\u53cd\u304c\u8d77\u304d\u308b\u5834\u6240\u3067\u3042\u308b\u3002\u3059\u306a\u308f\u3061\u3001\u8aad\u307f\u53d6\u308a\u5c02\u7528\u7531\u6765\u306e page cache \u30da\u30fc\u30b8\u304c\u3001copy \u3055\u308c\u305a\u306b\u5225\u30b5\u30d6\u30b7\u30b9\u30c6\u30e0\u3078\u6e21\u3055\u308c\u3001\u305d\u306e\u5148\u3067 in-place \u306b\u66f8\u304d\u63db\u3048\u3089\u308c\u308b\u53ef\u80fd\u6027\u304c\u3042\u308b\u5834\u6240\u3067\u3042\u308b\u3002\u3053\u306e\u6761\u4ef6\u3092\u6e80\u305f\u3059\u306a\u3089\u3001\u5165\u53e3\u304c\u6697\u53f7 API \u3067\u3042\u3063\u3066\u3082\u3001\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u51e6\u7406\u3067\u3042\u3063\u3066\u3082\u3001\u30d5\u30a1\u30a4\u30eb\u30b7\u30b9\u30c6\u30e0\u3067\u3042\u3063\u3066\u3082\u3001\u540c\u3058\u7a2e\u985e\u306e\u5b9f\u884c\u6642\u610f\u5473\u6c5a\u67d3\u306b\u3064\u306a\u304c\u308a\u5f97\u308b\u3002<\/p>\n

\u3053\u306e\u6a2a\u5c55\u958b\u6761\u4ef6\u306f\u3001\u6027\u80fd\u6700\u9069\u5316\u304c\u96c6\u4e2d\u3059\u308b\u5834\u6240\u306b\u73fe\u308c\u3084\u3059\u3044\u3002copy \u3092\u6e1b\u3089\u3059\u3001page \u53c2\u7167\u3092\u518d\u5229\u7528\u3059\u308b\u3001\u8907\u6570\u306e fragment \u3092\u307e\u3068\u3081\u3066\u6271\u3046\u3001\u5165\u529b\u3068\u51fa\u529b\u3092\u540c\u3058 buffer \u306b\u3059\u308b\u3001\u975e\u540c\u671f\u306b I\/O \u3092\u9032\u3081\u308b\u3001\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u3068\u30d5\u30a1\u30a4\u30eb\u30b7\u30b9\u30c6\u30e0\u3092\u307e\u305f\u3050\u3001\u3068\u3044\u3063\u305f\u8a2d\u8a08\u306f\u3001\u3044\u305a\u308c\u3082\u6b63\u5f53\u306a\u6700\u9069\u5316\u3067\u3042\u308b\u3002\u3057\u304b\u3057\u3001\u305d\u308c\u3089\u306f\u540c\u6642\u306b\u3001page \u306e\u7531\u6765\u3001\u5171\u6709\u6027\u3001\u66f8\u304d\u8fbc\u307f\u53ef\u5426\u3001\u5165\u529b\u3068\u51fa\u529b\u306e\u533a\u5225\u3001\u547c\u3073\u51fa\u3057\u5143\u306e\u6a29\u9650\u3001\u5f8c\u7d9a\u306e\u5b9f\u884c\u6587\u8108\u3092\u8584\u3081\u308b\u3002\u3057\u305f\u304c\u3063\u3066\u3001\u6a2a\u5c55\u958b\u3067\u5fc3\u914d\u3059\u3079\u304d\u306a\u306e\u306f\u3001\u5358\u306b\u300c\u4f3c\u305f\u30e2\u30b8\u30e5\u30fc\u30eb\u300d\u3067\u306f\u306a\u304f\u3001\u300c\u610f\u5473\u3092\u4fdd\u6301\u3057\u306a\u3044\u307e\u307e page \u53c2\u7167\u3092\u904b\u3076\u7d4c\u8def\u300d\u3067\u3042\u308b\u3002<\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
\u8abf\u67fb\u5bfe\u8c61<\/th>\n\u5fc3\u914d\u3059\u308b\u7406\u7531<\/th>\n\u78ba\u8a8d\u3059\u3079\u304d\u89b3\u70b9<\/th>\n<\/tr>\n<\/thead>\n
zero-copy API<\/td>\ncopy \u3092\u7701\u7565\u3057\u3001byte \u5217\u3067\u306f\u306a\u304f page \u53c2\u7167\u3092\u5225\u30b5\u30d6\u30b7\u30b9\u30c6\u30e0\u3078\u6e21\u3059\u3002<\/td>\n\u6e21\u3055\u308c\u305f page \u306e provenance\u3001writability\u3001sharing \u304c\u5f8c\u6bb5\u3067\u3082\u4fdd\u6301\u3055\u308c\u3066\u3044\u308b\u304b\u3092\u78ba\u8a8d\u3059\u308b\u3002<\/td>\n<\/tr>\n
splice \/ sendfile \/ vmsplice<\/td>\nfile-backed page cache \u304c\u3001pipe \u3084\u5225 I\/O \u7d4c\u8def\u3092\u901a\u3058\u3066\u79fb\u52d5\u3057\u5f97\u308b\u3002<\/td>\n\u8aad\u307f\u53d6\u308a\u5c02\u7528\u30d5\u30a1\u30a4\u30eb\u7531\u6765\u306e page \u304c\u3001\u5f8c\u6bb5\u3067\u51fa\u529b\u5148\u307e\u305f\u306f\u4f5c\u696d\u9818\u57df\u3068\u3057\u3066\u6271\u308f\u308c\u306a\u3044\u304b\u3092\u78ba\u8a8d\u3059\u308b\u3002<\/td>\n<\/tr>\n
pipe buffer<\/td>\n\u30d5\u30a1\u30a4\u30eb\u7531\u6765\u306e page \u304c\u3001\u30d5\u30a1\u30a4\u30eb\u30b7\u30b9\u30c6\u30e0\u6587\u8108\u3092\u96e2\u308c\u3066\u4e00\u6642\u7684\u306a buffer \u3068\u3057\u3066\u6271\u308f\u308c\u308b\u3002<\/td>\npipe \u306b\u5165\u3063\u305f page \u304c shared page cache \u3067\u3042\u308b\u3053\u3068\u3092\u5f8c\u6bb5\u51e6\u7406\u304c\u8b58\u5225\u3067\u304d\u308b\u304b\u3092\u78ba\u8a8d\u3059\u308b\u3002<\/td>\n<\/tr>\n
scatterlist<\/td>\n\u8907\u6570\u306e\u30e1\u30e2\u30ea\u9818\u57df\u3092\u307e\u3068\u3081\u308b\u904e\u7a0b\u3067\u3001\u5165\u529b page \u3068\u51fa\u529b page \u306e\u610f\u5473\u304c\u6df7\u3056\u308a\u3084\u3059\u3044\u3002<\/td>\nsource \u3068 destination \u304c\u540c\u3058 page \u306b\u306a\u3089\u306a\u3044\u304b\u3001read-only page \u304c writable destination \u306b\u5165\u3089\u306a\u3044\u304b\u3092\u78ba\u8a8d\u3059\u308b\u3002<\/td>\n<\/tr>\n
skb frag \/ shared frag<\/td>\n\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u51e6\u7406\u304c page fragment \u3092\u76f4\u63a5\u6271\u3044\u3001copy \u305b\u305a\u5f8c\u6bb5\u3078\u6e21\u3059\u3002<\/td>\nshared frag \u3067\u3042\u308b\u3053\u3068\u304c\u4fdd\u6301\u3055\u308c\u3001private copy \u304c\u5fc5\u8981\u306a\u5834\u9762\u3067 in-place \u51e6\u7406\u306b\u9032\u307e\u306a\u3044\u304b\u3092\u78ba\u8a8d\u3059\u308b\u3002<\/td>\n<\/tr>\n
iov_iter<\/td>\n\u8907\u6570\u7a2e\u306e I\/O buffer \u3092\u62bd\u8c61\u5316\u3057\u3001user buffer\u3001kernel buffer\u3001pipe\u3001page \u306a\u3069\u3092\u7d71\u4e00\u7684\u306b\u6271\u3046\u3002<\/td>\n\u62bd\u8c61\u5316\u306b\u3088\u3063\u3066 buffer \u306e\u7531\u6765\u3001\u66f8\u304d\u8fbc\u307f\u53ef\u5426\u3001\u5bff\u547d\u304c\u5931\u308f\u308c\u306a\u3044\u304b\u3092\u78ba\u8a8d\u3059\u308b\u3002<\/td>\n<\/tr>\n
in-place crypto<\/td>\n\u5165\u529b buffer \u3092\u51fa\u529b buffer \u3068\u3057\u3066\u518d\u5229\u7528\u3057\u3001copy \u3068\u30e1\u30e2\u30ea\u4f7f\u7528\u91cf\u3092\u6e1b\u3089\u3059\u3002<\/td>\n\u5165\u529b page \u304c file-backed read-only shared page \u3067\u3042\u308b\u5834\u5408\u306b out-of-place \u51e6\u7406\u3078\u9000\u907f\u3067\u304d\u308b\u304b\u3092\u78ba\u8a8d\u3059\u308b\u3002<\/td>\n<\/tr>\n
compression \/ decompression<\/td>\n\u5165\u529b\u3068\u51fa\u529b\u306e\u95a2\u4fc2\u304c\u5909\u63db\u51e6\u7406\u3067\u8907\u96d1\u306b\u306a\u308a\u3001\u4f5c\u696d\u9818\u57df\u3078\u306e\u66f8\u304d\u8fbc\u307f\u304c\u767a\u751f\u3057\u3084\u3059\u3044\u3002<\/td>\n\u5165\u529b\u5c02\u7528 page \u304c\u5909\u63db\u5f8c\u306e\u51fa\u529b\u5148\u3084 scratch buffer \u3068\u3057\u3066\u6271\u308f\u308c\u306a\u3044\u304b\u3092\u78ba\u8a8d\u3059\u308b\u3002<\/td>\n<\/tr>\n
tunnel \/ encapsulation<\/td>\npayload \u3092\u5225\u5f62\u5f0f\u3078\u5305\u307f\u76f4\u3059\u904e\u7a0b\u3067\u3001networking\u3001crypto\u3001fragment handling \u304c\u4ea4\u5dee\u3059\u308b\u3002<\/td>\nencapsulation \/ decapsulation \u306e\u9014\u4e2d\u3067 shared page \u306e\u610f\u5473\u304c\u5931\u308f\u308c\u306a\u3044\u304b\u3092\u78ba\u8a8d\u3059\u308b\u3002<\/td>\n<\/tr>\n
RxRPC \/ AFS<\/td>\n\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u3001\u30d5\u30a1\u30a4\u30eb\u30a2\u30af\u30bb\u30b9\u3001\u30e1\u30e2\u30ea\u7ba1\u7406\u304c\u4ea4\u5dee\u3057\u3001page \u306e\u610f\u5473\u304c\u8907\u6570\u6587\u8108\u3092\u307e\u305f\u3050\u3002<\/td>\n\u30cd\u30c3\u30c8\u30ef\u30fc\u30af payload \u3068 file-backed data \u306e\u5883\u754c\u3067\u3001page \u306e\u6240\u6709\u6a29\u3068\u66f8\u304d\u8fbc\u307f\u53ef\u5426\u304c\u4fdd\u5b58\u3055\u308c\u3066\u3044\u308b\u304b\u3092\u78ba\u8a8d\u3059\u308b\u3002<\/td>\n<\/tr>\n
overlayfs \/ FUSE<\/td>\n\u4e0a\u4f4d\u30d5\u30a1\u30a4\u30eb\u30b7\u30b9\u30c6\u30e0\u306e\u610f\u5473\u3068\u4e0b\u4f4d\u5b9f\u4f53\u306e\u610f\u5473\u304c\u305a\u308c\u3084\u3059\u3044\u3002<\/td>\n\u4e0a\u4f4d\u3067 read-only \u306b\u898b\u3048\u308b\u5bfe\u8c61\u304c\u3001\u4e0b\u4f4d\u306e buffer \u3084 page \u3068\u3057\u3066\u5225\u306e\u6a29\u9650\u610f\u5473\u3092\u6301\u305f\u306a\u3044\u304b\u3092\u78ba\u8a8d\u3059\u308b\u3002<\/td>\n<\/tr>\n
io_uring \/ async I\/O<\/td>\n\u975e\u540c\u671f\u51e6\u7406\u306b\u3088\u308a\u3001buffer lifetime\u3001authority\u3001completion context \u304c\u8907\u96d1\u5316\u3057\u3084\u3059\u3044\u3002<\/td>\nsubmit \u6642\u70b9\u3068 completion \u6642\u70b9\u3067\u3001buffer \u306e\u6240\u6709\u8005\u3001\u5bff\u547d\u3001\u66f8\u304d\u8fbc\u307f\u6a29\u9650\u304c\u5909\u5316\u3057\u3066\u3044\u306a\u3044\u304b\u3092\u78ba\u8a8d\u3059\u308b\u3002<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

\u3053\u306e\u4e00\u89a7\u306f\u3001Dirty Frag \u3068\u540c\u3058 CVE \u3092\u63a2\u3059\u305f\u3081\u306e\u3082\u306e\u3067\u306f\u306a\u3044\u3002\u540c\u3058\u4e0d\u5909\u6761\u4ef6\u9055\u53cd\u3092\u63a2\u3059\u305f\u3081\u306e\u3082\u306e\u3067\u3042\u308b\u3002\u91cd\u8981\u306a\u306e\u306f\u3001read-only file-backed page \u304c\u95a2\u4e0e\u3059\u308b\u304b\u3001copy \u3055\u308c\u305a\u306b\u79fb\u52d5\u3059\u308b\u304b\u3001\u5f8c\u6bb5\u3067 in-place \u51e6\u7406\u3055\u308c\u308b\u304b\u3001\u9ad8\u6a29\u9650\u6587\u8108\u3067\u518d\u5229\u7528\u3055\u308c\u308b\u304b\u3067\u3042\u308b\u3002\u3053\u308c\u3089\u306e\u6761\u4ef6\u304c\u91cd\u306a\u308b\u307b\u3069\u3001Copy Fail \/ Dirty Frag \u578b\u306e page cache write bug class \u3068\u3057\u3066\u7591\u3046\u512a\u5148\u5ea6\u306f\u9ad8\u304f\u306a\u308b\u3002<\/p>\n

\u305f\u3060\u3057\u3001\u3053\u306e\u6761\u4ef6\u306f Linux kernel LPE \u5168\u4f53\u306e\u5fc5\u8981\u5341\u5206\u6761\u4ef6\u3067\u306f\u306a\u3044\u3002\u4eca\u56de\u306e\u6761\u4ef6\u306b\u5f53\u3066\u306f\u307e\u3089\u306a\u3044\u304b\u3089\u5b89\u5168\u3068\u306f\u8a00\u3048\u306a\u3044\u3002use-after-free\u3001out-of-bounds write\u3001refcount bug\u3001type confusion\u3001namespace escape\u3001capability bypass\u3001eBPF verifier bug\u3001filesystem logic bug \u306a\u3069\u306f\u3001page cache \u6c5a\u67d3\u3068\u306f\u5225\u306e\u7d4c\u8def\u3067 LPE \u306b\u306a\u308a\u5f97\u308b\u3002\u3057\u305f\u304c\u3063\u3066\u3001\u3053\u3053\u3067\u8ff0\u3079\u3066\u3044\u308b\u306e\u306f\u300cLinux kernel security \u5168\u4f53\u3067\u5fc3\u914d\u3059\u3079\u304d\u3082\u306e\u300d\u3067\u306f\u306a\u304f\u3001\u300cCopy Fail \/ Dirty Frag \u3068\u540c\u3058 page cache write bug class \u3092\u6a2a\u5c55\u958b\u3059\u308b\u3068\u304d\u306b\u6700\u512a\u5148\u3067\u5fc3\u914d\u3059\u3079\u304d\u3082\u306e\u300d\u3067\u3042\u308b\u3002<\/p>\n

\u3053\u306e\u9650\u5b9a\u306f\u91cd\u8981\u3067\u3042\u308b\u3002\u6a2a\u5c55\u958b\u8abf\u67fb\u3067\u306f\u3001\u5bfe\u8c61\u3092\u5e83\u3052\u3059\u304e\u308b\u3068\u3059\u3079\u3066\u304c\u5371\u967a\u306b\u898b\u3048\u3066\u3057\u307e\u3046\u3002\u4e00\u65b9\u3001\u5bfe\u8c61\u3092\u72ed\u3081\u3059\u304e\u308b\u3068\u3001algif_aead\u3001xfrm-ESP\u3001RxRPC \u306e\u3088\u3046\u306a\u65e2\u77e5\u5165\u53e3\u3060\u3051\u3092\u898b\u3066\u7d42\u308f\u3063\u3066\u3057\u307e\u3046\u3002\u5fc5\u8981\u306a\u306e\u306f\u3001\u56fa\u6709\u540d\u8a5e\u3067\u306f\u306a\u304f\u69cb\u9020\u6761\u4ef6\u3067\u7bc4\u56f2\u3092\u5207\u308b\u3053\u3068\u3067\u3042\u308b\u3002\u3059\u306a\u308f\u3061\u3001copy \u3055\u308c\u305a\u306b page \u53c2\u7167\u304c\u79fb\u52d5\u3057\u3001\u5f8c\u6bb5\u3067\u5165\u529b\u3068\u51fa\u529b\u306e\u610f\u5473\u304c\u6df7\u3056\u308a\u3001read-only file-backed shared page \u306e\u610f\u5473\u304c\u4fdd\u5b58\u3055\u308c\u306a\u3044\u5834\u6240\u3092\u3001\u540c\u3058 bug class \u306e\u5019\u88dc\u3068\u3057\u3066\u8abf\u3079\u308b\u3002\u3053\u306e\u898b\u65b9\u306b\u3088\u3063\u3066\u3001\u500b\u5225 CVE \u306e\u8ffd\u8de1\u3067\u306f\u306a\u304f\u3001\u4e0d\u5909\u6761\u4ef6\u306e\u7834\u308c\u3092\u57fa\u6e96\u306b\u3057\u305f\u8abf\u67fb\u304c\u53ef\u80fd\u306b\u306a\u308b\u3002<\/p>\n

\n

10. \u5bfe\u8c61\u5916\u306f\u5b89\u5168\u3068\u540c\u7fa9\u3067\u306f\u306a\u3044<\/h2>\n

\u6a2a\u5c55\u958b\u8abf\u67fb\u3067\u306f\u3001\u5bfe\u8c61\u3092\u5e83\u3052\u308b\u3060\u3051\u3067\u306a\u304f\u3001\u5bfe\u8c61\u5916\u3082\u5b9a\u7fa9\u3059\u308b\u5fc5\u8981\u304c\u3042\u308b\u3002\u305f\u3060\u3057\u3001\u3053\u3053\u3067\u3044\u3046\u5bfe\u8c61\u5916\u3068\u306f\u3001\u5371\u967a\u304c\u306a\u3044\u3068\u3044\u3046\u610f\u5473\u3067\u306f\u306a\u3044\u3002\u4eca\u56de\u306e page cache write bug class\u3001\u3059\u306a\u308f\u3061\u8aad\u307f\u53d6\u308a\u5c02\u7528\u7531\u6765\u306e file-backed page \u304c copy \u3055\u308c\u305a\u306b\u5225\u30b5\u30d6\u30b7\u30b9\u30c6\u30e0\u3078\u6e21\u3055\u308c\u3001\u5f8c\u6bb5\u3067 in-place \u306b\u66f8\u304d\u63db\u3048\u3089\u308c\u308b\u7cfb\u5217\u3068\u3057\u3066\u306f\u512a\u5148\u5ea6\u304c\u4f4e\u3044\u3001\u3068\u3044\u3046\u610f\u5473\u3067\u3042\u308b\u3002\u3053\u306e\u533a\u5225\u3092\u3057\u306a\u3044\u3068\u3001copy \u3057\u3066\u3044\u308b\u304b\u3089\u5b89\u5168\u3001page cache \u3068\u7121\u95a2\u4fc2\u3060\u304b\u3089\u5b89\u5168\u3001root \u6a29\u9650\u3067\u3057\u304b\u547c\u3079\u306a\u3044\u304b\u3089\u5b89\u5168\u3001\u3068\u3044\u3046\u7c97\u3044\u8aa4\u89e3\u304c\u751f\u307e\u308c\u308b\u3002<\/p>\n

\u4eca\u56de\u306e\u7cfb\u5217\u3068\u3057\u3066\u512a\u5148\u5ea6\u304c\u4e0b\u304c\u308b\u306e\u306f\u3001\u5e38\u306b private anonymous buffer \u3060\u3051\u3092\u6271\u3046\u51e6\u7406\u3001\u5165\u529b\u3092\u5fc5\u305a kernel-private buffer \u306b copy \u3059\u308b\u51e6\u7406\u3001in-place \u5909\u63db\u3092\u3057\u306a\u3044\u51e6\u7406\u3001read-only file-backed page \u3092\u53d7\u3051\u53d6\u308c\u306a\u3044 API\u3001root \u6a29\u9650\u3067\u3057\u304b\u547c\u3079\u306a\u3044\u7d4c\u8def\u3001setuid \u3084 root \u5b9f\u884c\u7d4c\u8def\u306b\u5230\u9054\u3057\u306a\u3044\u4e00\u6642\u30c7\u30fc\u30bf\u306a\u3069\u3067\u3042\u308b\u3002\u3053\u308c\u3089\u306f\u3001Copy Fail \/ Dirty Frag \u578b\u306e\u5b9f\u884c\u6642\u610f\u5473\u6c5a\u67d3\u306b\u76f4\u7d50\u3057\u306b\u304f\u3044\u3002\u306a\u305c\u306a\u3089\u3001\u8aad\u307f\u53d6\u308a\u5c02\u7528 file-backed page \u304c\u5171\u6709\u3055\u308c\u305f\u307e\u307e\u5f8c\u6bb5\u306e\u51fa\u529b\u5148\u306b\u306a\u308b\u3068\u3044\u3046\u4e2d\u5fc3\u6761\u4ef6\u3092\u6e80\u305f\u3057\u306b\u304f\u3044\u304b\u3089\u3067\u3042\u308b\u3002<\/p>\n\n\n\n\n\n\n\n\n\n\n
\u4eca\u56de\u306e\u7cfb\u5217\u3068\u3057\u3066\u512a\u5148\u5ea6\u304c\u4f4e\u3044\u3082\u306e<\/th>\n\u512a\u5148\u5ea6\u304c\u4e0b\u304c\u308b\u7406\u7531<\/th>\n\u305d\u308c\u3067\u3082\u6b8b\u308b\u5225\u7a2e\u306e\u30ea\u30b9\u30af<\/th>\n<\/tr>\n<\/thead>\n
private anonymous buffer \u3060\u3051\u3092\u6271\u3046\u51e6\u7406<\/td>\nfile-backed page cache \u3092\u76f4\u63a5\u6c5a\u67d3\u3057\u306b\u304f\u3044\u3002<\/td>\n\u30b5\u30a4\u30ba\u8a08\u7b97\u3092\u8aa4\u308c\u3070 out-of-bounds write \u306b\u306a\u308a\u5f97\u308b\u3002<\/td>\n<\/tr>\n
\u5fc5\u305a kernel-private buffer \u306b copy \u3059\u308b\u51e6\u7406<\/td>\nread-only file-backed page \u304c destination \u306b\u306a\u308a\u306b\u304f\u3044\u3002<\/td>\ncopy \u5148\u306e lifetime\u3001\u5883\u754c\u3001\u521d\u671f\u5316\u3001\u6240\u6709\u6a29\u7ba1\u7406\u3092\u8aa4\u308c\u3070\u5225\u7a2e\u306e kernel bug \u306b\u306a\u308a\u5f97\u308b\u3002<\/td>\n<\/tr>\n
in-place \u5909\u63db\u3092\u3057\u306a\u3044\u51e6\u7406<\/td>\n\u5165\u529b page \u3092\u51fa\u529b\u5148\u3068\u3057\u3066\u66f8\u304d\u63db\u3048\u306b\u304f\u3044\u3002<\/td>\nout-of-place \u3067\u3082\u51fa\u529b\u5148 buffer \u306e\u30b5\u30a4\u30ba\u3084\u6a29\u9650\u3092\u8aa4\u308c\u3070\u30e1\u30e2\u30ea\u7834\u58ca\u3084\u60c5\u5831\u6f0f\u3048\u3044\u306b\u306a\u308a\u5f97\u308b\u3002<\/td>\n<\/tr>\n
read-only file-backed page \u3092\u53d7\u3051\u53d6\u308c\u306a\u3044 API<\/td>\n\u4eca\u56de\u306e page cache \u6c5a\u67d3\u6761\u4ef6\u3092\u6e80\u305f\u3057\u306b\u304f\u3044\u3002<\/td>\nuser buffer\u3001kernel buffer\u3001device buffer \u306e\u6271\u3044\u3092\u8aa4\u308c\u3070\u5225\u306e\u6a29\u9650\u5883\u754c\u304c\u7834\u308c\u308b\u53ef\u80fd\u6027\u304c\u3042\u308b\u3002<\/td>\n<\/tr>\n
root \u6a29\u9650\u3067\u3057\u304b\u547c\u3079\u306a\u3044\u7d4c\u8def<\/td>\nunprivileged LPE \u3068\u3057\u3066\u306f\u6210\u7acb\u3057\u306b\u304f\u3044\u3002<\/td>\ncapability check\u3001namespace \u5883\u754c\u3001\u6a29\u9650\u5224\u5b9a\u304c\u8aa4\u3063\u3066\u3044\u308c\u3070\u4f4e\u6a29\u9650\u304b\u3089\u5230\u9054\u3067\u304d\u308b\u53ef\u80fd\u6027\u304c\u3042\u308b\u3002<\/td>\n<\/tr>\n
setuid \u3084 root \u5b9f\u884c\u7d4c\u8def\u306b\u5230\u9054\u3057\u306a\u3044\u4e00\u6642\u30c7\u30fc\u30bf<\/td>\npage cache \u3092\u6c5a\u67d3\u3057\u3066\u3082 LPE \u3078\u306e\u63a5\u7d9a\u304c\u5f31\u3044\u3002<\/td>\n\u6a5f\u5bc6\u60c5\u5831\u3001\u8a8d\u8a3c token\u3001\u8a2d\u5b9a\u5024\u3001\u5f8c\u7d9a\u51e6\u7406\u306e\u5165\u529b\u306b\u5f71\u97ff\u3059\u308b\u306a\u3089\u3001LPE \u4ee5\u5916\u306e\u88ab\u5bb3\u306b\u3064\u306a\u304c\u308a\u5f97\u308b\u3002<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

\u3053\u306e\u8868\u3067\u91cd\u8981\u306a\u306e\u306f\u3001\u5bfe\u8c61\u5916\u3092\u5b89\u5168\u5ba3\u8a00\u3068\u3057\u3066\u6271\u3063\u3066\u3044\u306a\u3044\u70b9\u3067\u3042\u308b\u3002private anonymous buffer \u3060\u3051\u3092\u6271\u3046\u51e6\u7406\u306f\u3001Dirty Frag \u578b\u306e page cache \u6c5a\u67d3\u306b\u306f\u3064\u306a\u304c\u308a\u306b\u304f\u3044\u3002\u3057\u304b\u3057\u3001buffer boundary \u3092\u8aa4\u308c\u3070 out-of-bounds write \u306b\u306a\u308b\u3002\u5fc5\u305a copy \u3057\u3066\u3044\u308b\u51e6\u7406\u306f\u3001read-only page \u3092 destination \u306b\u3059\u308b\u5371\u967a\u306f\u4e0b\u304c\u308b\u3002\u3057\u304b\u3057\u3001copy \u5148\u306e lifetime \u7ba1\u7406\u3092\u8aa4\u308c\u3070 use-after-free \u306b\u306a\u308b\u3002in-place \u51e6\u7406\u3092\u3057\u306a\u3044\u5834\u5408\u3067\u3082\u3001\u51fa\u529b\u5148 buffer \u306e\u30b5\u30a4\u30ba\u3001\u521d\u671f\u5316\u3001\u6a29\u9650\u3001\u6240\u6709\u6a29\u3092\u8aa4\u308c\u3070\u5225\u306e\u8106\u5f31\u6027\u306b\u306a\u308b\u3002<\/p>\n

\u3057\u305f\u304c\u3063\u3066\u3001\u6a2a\u5c55\u958b\u8abf\u67fb\u3067\u306f\u4e8c\u3064\u306e\u5c64\u3092\u5206\u3051\u308b\u5fc5\u8981\u304c\u3042\u308b\u3002\u7b2c\u4e00\u306e\u5c64\u306f\u3001Copy Fail \/ Dirty Frag \u578b\u306e page cache write bug class \u3068\u3057\u3066\u7591\u3046\u304b\u3069\u3046\u304b\u3067\u3042\u308b\u3002\u3053\u306e\u5c64\u3067\u306f\u3001read-only file-backed page\u3001zero-copy\u3001fragment \u8868\u73fe\u3001in-place \u51e6\u7406\u3001\u9ad8\u6a29\u9650\u6587\u8108\u3067\u306e\u518d\u5229\u7528\u304c\u4e2d\u5fc3\u6761\u4ef6\u306b\u306a\u308b\u3002\u7b2c\u4e8c\u306e\u5c64\u306f\u3001Linux kernel security \u5168\u4f53\u3068\u3057\u3066\u5371\u967a\u304b\u3069\u3046\u304b\u3067\u3042\u308b\u3002\u3053\u306e\u5c64\u3067\u306f\u3001use-after-free\u3001out-of-bounds write\u3001refcount bug\u3001type confusion\u3001race\u3001namespace escape\u3001capability bypass\u3001eBPF verifier bug\u3001filesystem logic bug \u306a\u3069\u3082\u5bfe\u8c61\u306b\u306a\u308b\u3002<\/p>\n

\u3053\u306e\u533a\u5225\u3092\u3057\u306a\u3044\u3068\u3001\u8b70\u8ad6\u306f\u4e8c\u3064\u306e\u65b9\u5411\u306b\u5d29\u308c\u308b\u3002\u4e00\u65b9\u3067\u306f\u3001\u5bfe\u8c61\u3092\u5e83\u3052\u3059\u304e\u3066\u3001\u3059\u3079\u3066\u306e kernel subsystem \u304c\u540c\u3058\u7a0b\u5ea6\u306b\u5371\u967a\u306b\u898b\u3048\u3066\u3057\u307e\u3046\u3002\u4ed6\u65b9\u3067\u306f\u3001\u5bfe\u8c61\u3092\u72ed\u3081\u3059\u304e\u3066\u3001\u4eca\u56de\u306e\u6761\u4ef6\u306b\u5f53\u3066\u306f\u307e\u3089\u306a\u3044\u3082\u306e\u3092\u5b89\u5168\u3060\u3068\u8aa4\u89e3\u3057\u3066\u3057\u307e\u3046\u3002\u5fc5\u8981\u306a\u306e\u306f\u3001\u5371\u967a\u3092\u5426\u5b9a\u3059\u308b\u3053\u3068\u3067\u306f\u306a\u304f\u3001\u5371\u967a\u306e\u7a2e\u985e\u3092\u5206\u985e\u3059\u308b\u3053\u3068\u3067\u3042\u308b\u3002\u4eca\u56de\u306e\u7cfb\u5217\u3068\u3057\u3066\u5bfe\u8c61\u5916\u3067\u3042\u308b\u3053\u3068\u306f\u3001Copy Fail \/ Dirty Frag \u578b\u306e\u5b9f\u884c\u6642\u610f\u5473\u6c5a\u67d3\u3068\u3057\u3066\u306f\u512a\u5148\u5ea6\u304c\u4f4e\u3044\u3068\u3044\u3046\u610f\u5473\u306b\u3059\u304e\u306a\u3044\u3002<\/p>\n

\u6700\u7d42\u7684\u306b\u3001\u5bfe\u8c61\u5916\u306e\u5b9a\u7fa9\u306f\u8abf\u67fb\u306e\u7cbe\u5ea6\u3092\u4e0a\u3052\u308b\u305f\u3081\u306b\u4f7f\u3046\u3079\u304d\u3067\u3042\u308b\u3002\u4eca\u56de\u898b\u308b\u3079\u304d\u3082\u306e\u306f\u3001\u8aad\u307f\u53d6\u308a\u5c02\u7528\u7531\u6765\u306e page cache \u304c copy \u3055\u308c\u305a\u306b\u5225\u7d4c\u8def\u3078\u6e21\u308a\u3001in-place \u51e6\u7406\u3067\u51fa\u529b\u5148\u5316\u3057\u3001\u9ad8\u6a29\u9650\u6587\u8108\u3067\u518d\u5229\u7528\u3055\u308c\u308b\u5834\u6240\u3067\u3042\u308b\u3002\u305d\u308c\u4ee5\u5916\u3092\u7121\u8996\u3057\u3066\u3088\u3044\u308f\u3051\u3067\u306f\u306a\u3044\u3002\u305f\u3060\u3057\u3001\u305d\u308c\u4ee5\u5916\u306f\u5225\u306e bug class \u3068\u3057\u3066\u3001\u5225\u306e\u89b3\u70b9\u3067\u8abf\u67fb\u3059\u3079\u304d\u3067\u3042\u308b\u3002\u5bfe\u8c61\u5916\u3068\u306f\u3001\u5b89\u5168\u306e\u8a3c\u660e\u3067\u306f\u306a\u304f\u3001\u4eca\u56de\u306e\u4e0d\u5909\u6761\u4ef6\u9055\u53cd\u3068\u306f\u7570\u306a\u308b\u554f\u984c\u3068\u3057\u3066\u5207\u308a\u5206\u3051\u308b\u305f\u3081\u306e\u5206\u985e\u3067\u3042\u308b\u3002<\/p>\n

\n

11. page cache write \u4ee5\u5916\u306e LPE \u7cfb\u7d71<\/h2>\n

Copy Fail \/ Dirty Frag \u578b\u306e\u6761\u4ef6\u3092\u5916\u308c\u305f\u3068\u3057\u3066\u3082\u3001Linux kernel LPE \u306e\u5fc3\u914d\u304c\u6d88\u3048\u308b\u308f\u3051\u3067\u306f\u306a\u3044\u3002\u3053\u3053\u3092\u8aa4\u308b\u3068\u3001\u8b70\u8ad6\u304c page cache write \u306b\u904e\u5ea6\u306b\u9589\u3058\u308b\u3002\u4eca\u56de\u306e\u4e2d\u5fc3\u306f\u3001\u8aad\u307f\u53d6\u308a\u5c02\u7528\u7531\u6765\u306e page cache \u304c copy \u3055\u308c\u305a\u306b\u5225\u30b5\u30d6\u30b7\u30b9\u30c6\u30e0\u3078\u6e21\u3055\u308c\u3001\u5f8c\u6bb5\u3067 in-place \u306b\u66f8\u304d\u63db\u3048\u3089\u308c\u308b\u69cb\u9020\u3067\u3042\u308b\u3002\u3057\u304b\u3057\u3001Linux kernel LPE \u5168\u4f53\u306b\u306f\u3001use-after-free\u3001out-of-bounds write\u3001refcount bug\u3001type confusion\u3001TOCTOU\u3001credential overwrite\u3001namespace escape\u3001capability bypass\u3001eBPF verifier bug\u3001io_uring bug\u3001filesystem logic bug \u306a\u3069\u3001\u5225\u306e\u7cfb\u7d71\u304c\u5b58\u5728\u3059\u308b\u3002\u3053\u308c\u3089\u306f page cache \u3092\u6c5a\u67d3\u3057\u306a\u304f\u3066\u3082\u3001\u5225\u306e\u610f\u5473\u304c\u58ca\u308c\u308b\u3053\u3068\u3067\u6a29\u9650\u5883\u754c\u3092\u7834\u308b\u3002<\/p>\n

\u3057\u305f\u304c\u3063\u3066\u3001\u4eca\u56de\u306e\u8a71\u306f page cache \u306b\u9589\u3058\u306a\u3044\u3002page cache write \u306f\u3001\u4e0a\u4f4d\u306e\u5b89\u5168\u610f\u5473\u304c\u4e0b\u4f4d\u3067\u5931\u308f\u308c\u308b\u5177\u4f53\u4f8b\u3067\u3042\u308b\u3002Copy Fail \/ Dirty Frag \u3067\u306f\u3001\u5931\u308f\u308c\u305f\u610f\u5473\u306f provenance\u3001writability\u3001sharing\u3001direction\u3001execution context \u3060\u3063\u305f\u3002\u3064\u307e\u308a\u3001\u3069\u3053\u304b\u3089\u6765\u305f page \u306a\u306e\u304b\u3001\u66f8\u3044\u3066\u3088\u3044\u306e\u304b\u3001\u5171\u6709\u3055\u308c\u3066\u3044\u308b\u306e\u304b\u3001\u5165\u529b\u306a\u306e\u304b\u51fa\u529b\u306a\u306e\u304b\u3001\u5f8c\u3067\u3069\u306e\u6a29\u9650\u6587\u8108\u3067\u8aad\u307e\u308c\u308b\u306e\u304b\u3001\u3068\u3044\u3046\u610f\u5473\u304c\u4fdd\u5b58\u3055\u308c\u306a\u304b\u3063\u305f\u3002\u5225\u306e LPE \u3067\u306f\u3001\u5931\u308f\u308c\u308b\u610f\u5473\u304c lifetime \u306a\u3089 use-after-free\u3001type \u306a\u3089 type confusion\u3001authority \u306a\u3089 credential overwrite \u3084 capability bypass\u3001boundary \u306a\u3089 out-of-bounds write \u306b\u306a\u308b\u3002<\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
LPE \u7cfb\u7d71<\/th>\n\u5931\u308f\u308c\u308b\u610f\u5473<\/th>\n\u4f55\u304c\u8d77\u304d\u308b\u304b<\/th>\npage cache write \u3068\u306e\u95a2\u4fc2<\/th>\n<\/tr>\n<\/thead>\n
use-after-free<\/td>\nobject lifetime<\/td>\n\u89e3\u653e\u6e08\u307f object \u304c\u307e\u3060\u6709\u52b9\u3067\u3042\u308b\u304b\u306e\u3088\u3046\u306b\u53c2\u7167\u3055\u308c\u3001\u5225\u7528\u9014\u306b\u518d\u5229\u7528\u3055\u308c\u305f\u30e1\u30e2\u30ea\u3092\u64cd\u4f5c\u3067\u304d\u308b\u3002<\/td>\npage cache \u6c5a\u67d3\u3068\u306f\u5225\u7cfb\u7d71\u3060\u304c\u3001\u610f\u5473\u4fdd\u5b58\u306e\u5931\u6557\u3068\u3044\u3046\u70b9\u3067\u306f\u540c\u3058\u3067\u3042\u308b\u3002<\/td>\n<\/tr>\n
out-of-bounds write<\/td>\nbuffer boundary<\/td>\n\u672c\u6765\u306e buffer \u5883\u754c\u3092\u8d8a\u3048\u3066\u96a3\u63a5\u9818\u57df\u3092\u66f8\u304d\u63db\u3048\u3001kernel object \u3084\u5236\u5fa1\u60c5\u5831\u3092\u7834\u58ca\u3067\u304d\u308b\u3002<\/td>\nread-only page \u306e\u610f\u5473\u3067\u306f\u306a\u304f\u3001\u66f8\u304d\u8fbc\u307f\u53ef\u80fd\u7bc4\u56f2\u306e\u610f\u5473\u304c\u58ca\u308c\u308b\u3002<\/td>\n<\/tr>\n
refcount bug<\/td>\nownership \/ lifetime<\/td>\n\u53c2\u7167\u6570\u306e\u5897\u6e1b\u304c\u58ca\u308c\u3001\u307e\u3060\u4f7f\u308f\u308c\u3066\u3044\u308b object \u304c\u89e3\u653e\u3055\u308c\u305f\u308a\u3001\u4e0d\u8981\u306a object \u304c\u6b8b\u308a\u7d9a\u3051\u305f\u308a\u3059\u308b\u3002<\/td>\npage \u306e\u5171\u6709\u6027\u3067\u306f\u306a\u304f\u3001object \u306e\u6240\u6709\u3068\u5bff\u547d\u306e\u610f\u5473\u304c\u58ca\u308c\u308b\u3002<\/td>\n<\/tr>\n
type confusion<\/td>\nobject type<\/td>\n\u3042\u308b\u578b\u306e object \u304c\u5225\u306e\u578b\u3068\u3057\u3066\u89e3\u91c8\u3055\u308c\u3001\u60f3\u5b9a\u5916\u306e field \u3084 function pointer \u3092\u64cd\u4f5c\u3067\u304d\u308b\u3002<\/td>\npage cache \u3067\u306f\u306a\u304f\u3001object \u304c\u4f55\u3067\u3042\u308b\u304b\u3068\u3044\u3046\u610f\u5473\u304c\u58ca\u308c\u308b\u3002<\/td>\n<\/tr>\n
TOCTOU<\/td>\ncheck \u3068 use \u306e\u4e00\u8cab\u6027<\/td>\n\u691c\u67fb\u6642\u70b9\u3067\u306f\u5b89\u5168\u3060\u3063\u305f\u5bfe\u8c61\u304c\u3001\u4f7f\u7528\u6642\u70b9\u3067\u306f\u5225\u306e\u5bfe\u8c61\u3084\u72b6\u614b\u306b\u3059\u308a\u66ff\u308f\u308b\u3002<\/td>\npage \u305d\u306e\u3082\u306e\u3067\u306f\u306a\u304f\u3001\u691c\u67fb\u3055\u308c\u305f\u610f\u5473\u304c\u4f7f\u7528\u6642\u307e\u3067\u4fdd\u5b58\u3055\u308c\u306a\u3044\u3002<\/td>\n<\/tr>\n
credential overwrite<\/td>\nauthority<\/td>\ncred \u69cb\u9020\u4f53\u306a\u3069\u304c\u66f8\u304d\u63db\u3048\u3089\u308c\u3001\u5b9f\u52b9 UID\u3001capability\u3001\u6a29\u9650\u72b6\u614b\u304c\u4e0d\u6b63\u306b\u5909\u308f\u308b\u3002<\/td>\npage cache \u3092\u4ecb\u3055\u305a\u3001\u6a29\u9650\u4e3b\u4f53\u305d\u306e\u3082\u306e\u306e\u610f\u5473\u304c\u58ca\u308c\u308b\u3002<\/td>\n<\/tr>\n
namespace escape<\/td>\nisolation boundary<\/td>\ncontainer\u3001mount namespace\u3001user namespace \u306a\u3069\u306e\u9694\u96e2\u5883\u754c\u3092\u8d8a\u3048\u3066\u3001\u5916\u5074\u306e\u8cc7\u6e90\u3078\u5230\u9054\u3059\u308b\u3002<\/td>\nread-only page \u3067\u306f\u306a\u304f\u3001\u9589\u3058\u8fbc\u3081\u3089\u308c\u3066\u3044\u308b\u7bc4\u56f2\u306e\u610f\u5473\u304c\u58ca\u308c\u308b\u3002<\/td>\n<\/tr>\n
capability bypass<\/td>\nprivilege model<\/td>\n\u672c\u6765\u5fc5\u8981\u306a capability check \u304c\u629c\u3051\u305f\u308a\u3001\u8aa4\u3063\u305f namespace \u6587\u8108\u3067\u8a55\u4fa1\u3055\u308c\u305f\u308a\u3059\u308b\u3002<\/td>\n\u66f8\u304d\u8fbc\u307f\u5bfe\u8c61\u3067\u306f\u306a\u304f\u3001\u64cd\u4f5c\u4e3b\u4f53\u304c\u4f55\u3092\u8a31\u53ef\u3055\u308c\u3066\u3044\u308b\u304b\u306e\u610f\u5473\u304c\u58ca\u308c\u308b\u3002<\/td>\n<\/tr>\n
eBPF verifier bug<\/td>\nsafety proof<\/td>\nverifier \u304c\u5b89\u5168\u3060\u3068\u5224\u65ad\u3057\u305f eBPF program \u304c\u3001\u5b9f\u969b\u306b\u306f\u4e0d\u6b63\u306a memory access \u3084 kernel \u60c5\u5831\u64cd\u4f5c\u3092\u884c\u3046\u3002<\/td>\npage cache \u3067\u306f\u306a\u304f\u3001\u691c\u8a3c\u6e08\u307f\u3067\u3042\u308b\u3068\u3044\u3046\u610f\u5473\u304c\u58ca\u308c\u308b\u3002<\/td>\n<\/tr>\n
io_uring bug<\/td>\nasync context \/ lifetime<\/td>\nsubmit \u6642\u70b9\u3068 completion \u6642\u70b9\u306e buffer\u3001file\u3001credential\u3001task context \u306e\u95a2\u4fc2\u304c\u305a\u308c\u3001\u60f3\u5b9a\u5916\u306e\u64cd\u4f5c\u304c\u6210\u7acb\u3059\u308b\u3002<\/td>\n\u975e\u540c\u671f\u51e6\u7406\u306b\u3088\u308a\u3001\u6240\u6709\u6a29\u3001\u5bff\u547d\u3001\u6a29\u9650\u6587\u8108\u306e\u610f\u5473\u304c\u4fdd\u5b58\u3055\u308c\u306b\u304f\u304f\u306a\u308b\u3002<\/td>\n<\/tr>\n
filesystem logic bug<\/td>\npath \/ mount \/ ownership meaning<\/td>\noverlayfs\u3001FUSE\u3001network filesystem \u306a\u3069\u3067\u3001\u4e0a\u4f4d\u306e path \u3084\u6a29\u9650\u610f\u5473\u3068\u4e0b\u4f4d\u306e\u5b9f\u4f53\u304c\u305a\u308c\u308b\u3002<\/td>\npage cache write \u3068\u8fd1\u3044\u5834\u5408\u3082\u3042\u308b\u304c\u3001\u4e3b\u554f\u984c\u306f\u30d5\u30a1\u30a4\u30eb\u30b7\u30b9\u30c6\u30e0\u4e0a\u306e\u610f\u5473\u5bfe\u5fdc\u306e\u7834\u7dbb\u3067\u3042\u308b\u3002<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

\u3053\u306e\u4e00\u89a7\u304b\u3089\u5206\u304b\u308b\u3088\u3046\u306b\u3001LPE \u306e\u7cfb\u7d71\u306f\u591a\u69d8\u3067\u3042\u308b\u3002\u3057\u304b\u3057\u3001\u62bd\u8c61\u5316\u3059\u308c\u3070\u3001\u3044\u305a\u308c\u3082\u300c\u5b89\u5168\u4e0a\u5fc5\u8981\u306a\u610f\u5473\u304c\u51e6\u7406\u7d4c\u8def\u306e\u3069\u3053\u304b\u3067\u5931\u308f\u308c\u308b\u300d\u554f\u984c\u3068\u3057\u3066\u8aad\u3081\u308b\u3002use-after-free \u3067\u306f\u3001object \u304c\u307e\u3060\u751f\u304d\u3066\u3044\u308b\u3068\u3044\u3046\u610f\u5473\u304c\u5931\u308f\u308c\u308b\u3002type confusion \u3067\u306f\u3001object \u304c\u4f55\u3067\u3042\u308b\u304b\u3068\u3044\u3046\u610f\u5473\u304c\u5931\u308f\u308c\u308b\u3002TOCTOU \u3067\u306f\u3001\u691c\u67fb\u6642\u306b\u78ba\u8a8d\u3057\u305f\u610f\u5473\u304c\u4f7f\u7528\u6642\u307e\u3067\u4fdd\u5b58\u3055\u308c\u306a\u3044\u3002credential overwrite \u3067\u306f\u3001\u8ab0\u306e\u6a29\u9650\u3067\u52d5\u3044\u3066\u3044\u308b\u304b\u3068\u3044\u3046\u610f\u5473\u304c\u58ca\u308c\u308b\u3002namespace escape \u3067\u306f\u3001\u3069\u306e\u5883\u754c\u306e\u5185\u5074\u306b\u3044\u308b\u304b\u3068\u3044\u3046\u610f\u5473\u304c\u58ca\u308c\u308b\u3002<\/p>\n

\u3053\u306e\u89b3\u70b9\u306b\u7acb\u3064\u3068\u3001Copy Fail \/ Dirty Frag \u578b\u306e page cache write \u306f\u3001Linux kernel LPE \u306e\u4e2d\u306e\u4e00\u4e8b\u4f8b\u3068\u3057\u3066\u4f4d\u7f6e\u3065\u3051\u3089\u308c\u308b\u3002\u7279\u6b8a\u306a\u306e\u306f\u3001\u30d5\u30a1\u30a4\u30eb\u30b7\u30b9\u30c6\u30e0\u4e0a\u3067\u306f\u8aad\u307f\u53d6\u308a\u5c02\u7528\u3067\u3042\u308b\u306f\u305a\u306e file-backed shared page \u304c\u3001\u5225\u30b5\u30d6\u30b7\u30b9\u30c6\u30e0\u3067\u306f\u5358\u306a\u308b fragment \u3084 buffer \u3068\u3057\u3066\u6271\u308f\u308c\u3001\u5b9f\u884c\u6642\u306b\u8aad\u307e\u308c\u308b\u5185\u5bb9\u304c\u6c5a\u67d3\u3055\u308c\u308b\u70b9\u3067\u3042\u308b\u3002\u3057\u304b\u3057\u3001\u6839\u672c\u539f\u7406\u306f\u4ed6\u306e LPE \u3068\u9023\u7d9a\u3057\u3066\u3044\u308b\u3002\u5b89\u5168\u6027\u306f\u3001byte \u5217\u305d\u306e\u3082\u306e\u3067\u306f\u306a\u304f\u3001byte \u5217\u3084 object \u306b\u4ed8\u968f\u3059\u308b\u610f\u5473\u304c\u51e6\u7406\u7d4c\u8def\u5168\u4f53\u3067\u4fdd\u5b58\u3055\u308c\u308b\u3053\u3068\u3067\u6210\u7acb\u3059\u308b\u3002<\/p>\n

\u3057\u305f\u304c\u3063\u3066\u3001page cache write \u4ee5\u5916\u306e LPE \u7cfb\u7d71\u3092\u672c\u6587\u306b\u542b\u3081\u308b\u3053\u3068\u306b\u306f\u610f\u5473\u304c\u3042\u308b\u3002\u305d\u308c\u306f\u8ad6\u70b9\u3092\u6563\u3089\u3059\u305f\u3081\u3067\u306f\u306a\u3044\u3002\u4eca\u56de\u306e\u8a71\u3092 page cache \u3060\u3051\u306e\u7279\u6b8a\u4e8b\u60c5\u306b\u9589\u3058\u8fbc\u3081\u305a\u3001Linux kernel security \u5168\u4f53\u306b\u901a\u3058\u308b\u539f\u7406\u3078\u5f15\u304d\u4e0a\u3052\u308b\u305f\u3081\u3067\u3042\u308b\u3002Copy Fail \u3068 Dirty Frag \u306f\u3001provenance\u3001writability\u3001sharing\u3001direction\u3001execution context \u306e\u4fdd\u5b58\u306b\u5931\u6557\u3057\u305f\u4e8b\u4f8b\u3067\u3042\u308b\u3002\u5225\u306e LPE \u306f\u3001lifetime\u3001type\u3001authority\u3001boundary\u3001isolation\u3001safety proof \u306e\u4fdd\u5b58\u306b\u5931\u6557\u3057\u305f\u4e8b\u4f8b\u3067\u3042\u308b\u3002\u5931\u308f\u308c\u308b\u610f\u5473\u306f\u9055\u3046\u304c\u3001\u610f\u5473\u4fdd\u5b58\u306e\u7834\u7dbb\u304c\u6a29\u9650\u5883\u754c\u3092\u58ca\u3059\u3068\u3044\u3046\u69cb\u9020\u306f\u5171\u901a\u3057\u3066\u3044\u308b\u3002<\/p>\n

\n

12. byte \u3068\u610f\u5473\u3092\u5206\u3051\u308b<\/h2>\n

\u30ab\u30fc\u30cd\u30eb\u306f byte \u5217\u3092\u6271\u3063\u3066\u3044\u308b\u3088\u3046\u306b\u898b\u3048\u308b\u3002\u5b9f\u969b\u3001\u30e1\u30e2\u30ea\u4e0a\u306b\u5b58\u5728\u3059\u308b\u306e\u306f\u3001\u6700\u7d42\u7684\u306b\u306f\u6570\u5024\u3068\u3057\u3066\u89e3\u91c8\u53ef\u80fd\u306a byte \u306e\u4e26\u3073\u3067\u3042\u308b\u3002\u3057\u304b\u3057\u3001\u5b89\u5168\u6027\u306f byte \u5217\u3060\u3051\u3067\u306f\u6c7a\u307e\u3089\u306a\u3044\u3002\u540c\u3058 byte \u5217\u3067\u3082\u3001\u305d\u308c\u304c file-backed page \u306a\u306e\u304b\u3001anonymous page \u306a\u306e\u304b\u3001shared \u306a\u306e\u304b\u3001private \u306a\u306e\u304b\u3001\u5165\u529b\u306a\u306e\u304b\u3001\u51fa\u529b\u306a\u306e\u304b\u3001\u8ab0\u306e\u6a29\u9650\u3067\u64cd\u4f5c\u3055\u308c\u3066\u3044\u308b\u306e\u304b\u3001\u5f8c\u3067\u3069\u306e\u6a29\u9650\u6587\u8108\u3067\u8aad\u307e\u308c\u308b\u306e\u304b\u306b\u3088\u3063\u3066\u3001\u5b89\u5168\u4e0a\u306e\u610f\u5473\u306f\u5909\u308f\u308b\u3002\u3064\u307e\u308a\u3001\u30ab\u30fc\u30cd\u30eb\u304c\u6271\u3063\u3066\u3044\u308b\u5bfe\u8c61\u306f\u3001\u5358\u306a\u308b byte \u5217\u3067\u306f\u306a\u304f\u3001byte \u5217\u3068\u305d\u308c\u306b\u4ed8\u968f\u3059\u308b\u6587\u8108\u60c5\u5831\u306e\u7d44\u3067\u3042\u308b\u3002<\/p>\n

\u305f\u3068\u3048\u3070\u3001\u540c\u3058 4096 byte \u306e page \u3067\u3042\u3063\u3066\u3082\u3001\u305d\u308c\u304c\u4e00\u822c\u30e6\u30fc\u30b6\u30fc\u304c\u8aad\u307f\u53d6\u308a\u53ef\u80fd\u306a\u901a\u5e38\u30d5\u30a1\u30a4\u30eb\u7531\u6765\u306e page cache \u3067\u3042\u308b\u5834\u5408\u3068\u3001kernel \u5185\u90e8\u3067\u78ba\u4fdd\u3055\u308c\u305f private buffer \u3067\u3042\u308b\u5834\u5408\u3067\u306f\u3001\u66f8\u304d\u63db\u3048\u3066\u3088\u3044\u304b\u3069\u3046\u304b\u304c\u307e\u3063\u305f\u304f\u7570\u306a\u308b\u3002\u524d\u8005\u306f\u3001\u30d5\u30a1\u30a4\u30eb\u30b7\u30b9\u30c6\u30e0\u4e0a\u3067\u306f\u300c\u8aad\u3081\u308b\u304c\u66f8\u3051\u306a\u3044\u300d\u5bfe\u8c61\u3067\u3042\u308a\u3001\u5f8c\u3067 setuid root \u30d0\u30a4\u30ca\u30ea\u3001\u5171\u6709\u30e9\u30a4\u30d6\u30e9\u30ea\u3001\u8a8d\u8a3c\u51e6\u7406\u3001dynamic loader \u306a\u3069\u304b\u3089\u8aad\u307e\u308c\u308b\u53ef\u80fd\u6027\u304c\u3042\u308b\u3002\u5f8c\u8005\u306f\u3001\u7279\u5b9a\u306e\u51e6\u7406\u304c\u4f5c\u696d\u9818\u57df\u3068\u3057\u3066\u78ba\u4fdd\u3057\u305f\u4e00\u6642 buffer \u304b\u3082\u3057\u308c\u306a\u3044\u3002byte \u5217\u3060\u3051\u3092\u898b\u308c\u3070\u4e21\u8005\u306f\u540c\u3058\u9577\u3055\u306e\u30e1\u30e2\u30ea\u9818\u57df\u306b\u3059\u304e\u306a\u3044\u304c\u3001\u5b89\u5168\u4e0a\u306e\u610f\u5473\u306f\u7570\u306a\u308b\u3002<\/p>\n\n\n\n\n\n\n\n\n\n
\u89b3\u70b9<\/th>\nbyte \u3068\u3057\u3066\u898b\u305f\u5834\u5408<\/th>\n\u610f\u5473\u3068\u3057\u3066\u898b\u305f\u5834\u5408<\/th>\nDirty Frag \/ Copy Fail \u3067\u91cd\u8981\u306b\u306a\u308b\u7406\u7531<\/th>\n<\/tr>\n<\/thead>\n
\u7531\u6765<\/td>\n\u3042\u308b page \u306b\u8f09\u3063\u3066\u3044\u308b byte \u5217\u3067\u3042\u308b\u3002<\/td>\nfile-backed page \u306a\u306e\u304b\u3001anonymous page \u306a\u306e\u304b\u3001kernel-private buffer \u306a\u306e\u304b\u304c\u7570\u306a\u308b\u3002<\/td>\nfile-backed read-only page cache \u306a\u3089\u3001\u547c\u3073\u51fa\u3057\u5143\u304c\u66f8\u304d\u63db\u3048\u3066\u3088\u3044\u3068\u306f\u9650\u3089\u306a\u3044\u3002<\/td>\n<\/tr>\n
\u5171\u6709\u6027<\/td>\n\u540c\u3058\u7269\u7406 page \u4e0a\u306e byte \u5217\u3067\u3042\u308b\u3002<\/td>\nshared page \u306a\u306e\u304b\u3001private page \u306a\u306e\u304b\u304c\u7570\u306a\u308b\u3002<\/td>\nshared page cache \u3092\u66f8\u304d\u63db\u3048\u308b\u3068\u3001\u5225\u6587\u8108\u3067\u8aad\u307e\u308c\u308b\u5185\u5bb9\u307e\u3067\u5909\u308f\u308b\u3002<\/td>\n<\/tr>\n
\u66f8\u304d\u8fbc\u307f\u53ef\u5426<\/td>\n\u30e1\u30e2\u30ea\u4e0a\u3067\u306f\u5024\u3092\u66f8\u304d\u63db\u3048\u3089\u308c\u308b\u53ef\u80fd\u6027\u304c\u3042\u308b\u3002<\/td>\n\u6a29\u9650\u30e2\u30c7\u30eb\u4e0a\u3001\u305d\u306e\u4e3b\u4f53\u304c\u66f8\u3044\u3066\u3088\u3044\u304b\u3069\u3046\u304b\u306f\u5225\u3067\u3042\u308b\u3002<\/td>\n\u8aad\u307f\u53d6\u308a\u5c02\u7528\u7531\u6765\u306e page \u304c destination \u5316\u3059\u308b\u3068\u3001\u8aad\u307f\u53d6\u308a\u6a29\u9650\u304c\u5b9f\u8cea\u7684\u306a\u66f8\u304d\u63db\u3048\u80fd\u529b\u3078\u5909\u308f\u308b\u3002<\/td>\n<\/tr>\n
\u5165\u51fa\u529b\u65b9\u5411<\/td>\nbuffer \u3068\u3057\u3066\u51e6\u7406\u5bfe\u8c61\u306b\u306a\u308b\u3002<\/td>\n\u5165\u529b\u306a\u306e\u304b\u3001\u51fa\u529b\u306a\u306e\u304b\u3001\u5165\u51fa\u529b\u517c\u7528\u306a\u306e\u304b\u304c\u7570\u306a\u308b\u3002<\/td>\n\u5165\u529b\u3068\u3057\u3066\u6e21\u3055\u308c\u305f page \u304c in-place \u51e6\u7406\u3067\u51fa\u529b\u5148\u306b\u306a\u308b\u3068\u3001\u610f\u5473\u5883\u754c\u304c\u58ca\u308c\u308b\u3002<\/td>\n<\/tr>\n
\u5b9f\u884c\u6587\u8108<\/td>\nbyte \u5217\u304c\u5f8c\u3067\u8aad\u307e\u308c\u308b\u3002<\/td>\n\u4e00\u822c\u30e6\u30fc\u30b6\u30fc\u6587\u8108\u3067\u8aad\u307e\u308c\u308b\u306e\u304b\u3001root \u6587\u8108\u3067\u8aad\u307e\u308c\u308b\u306e\u304b\u304c\u7570\u306a\u308b\u3002<\/td>\n\u6c5a\u67d3\u3055\u308c\u305f page \u304c root \u6587\u8108\u3067\u8aad\u307e\u308c\u308b\u3068\u3001LPE \u306b\u63a5\u7d9a\u3059\u308b\u3002<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Copy Fail \/ Dirty Frag \u306e\u554f\u984c\u306f\u3001byte \u5217\u304c\u901a\u5e38\u306e\u610f\u5473\u3067\u5909\u63db\u3055\u308c\u305f\u3053\u3068\u3067\u306f\u306a\u3044\u3002\u554f\u984c\u306f\u3001byte \u5217\u306b\u4ed8\u968f\u3057\u3066\u3044\u305f\u5b89\u5168\u4e0a\u306e\u610f\u5473\u304c\u4fdd\u5b58\u3055\u308c\u306a\u304b\u3063\u305f\u3053\u3068\u3067\u3042\u308b\u3002\u30d5\u30a1\u30a4\u30eb\u30b7\u30b9\u30c6\u30e0\u306f\u3001\u3053\u306e page \u304c\u8aad\u307f\u53d6\u308a\u5c02\u7528\u30d5\u30a1\u30a4\u30eb\u7531\u6765\u3067\u3042\u308b\u3053\u3068\u3092\u77e5\u3063\u3066\u3044\u308b\u3002\u30e1\u30e2\u30ea\u7ba1\u7406\u306f\u3001\u3053\u308c\u304c shared page cache \u3067\u3042\u308b\u3053\u3068\u3092\u77e5\u3063\u3066\u3044\u308b\u3002\u3057\u304b\u3057\u3001scatterlist \u3084 skb frag \u306b\u5305\u307e\u308c\u305f\u77ac\u9593\u3001\u305d\u308c\u306f\u5358\u306a\u308b fragment\u3001buffer\u3001payload\u3001\u51e6\u7406\u5bfe\u8c61\u3068\u3057\u3066\u898b\u3048\u3084\u3059\u304f\u306a\u308b\u3002\u3053\u3053\u3067 file-backed\u3001shared\u3001read-only\u3001input\u3001root-reachable \u3068\u3044\u3046\u610f\u5473\u304c\u843d\u3061\u308b\u3068\u3001\u5f8c\u6bb5\u51e6\u7406\u306f\u305d\u306e page \u3092\u66f8\u304d\u63db\u3048\u3066\u3088\u3044\u4f5c\u696d\u9818\u57df\u306e\u3088\u3046\u306b\u6271\u3063\u3066\u3057\u307e\u3046\u3002<\/p>\n

\u3053\u306e\u610f\u5473\u306e\u5265\u843d\u304c\u3001\u5b9f\u884c\u6642\u610f\u5473\u306e\u6c5a\u67d3\u3092\u751f\u3080\u3002byte \u306f\u540c\u3058 page \u306b\u8f09\u3063\u3066\u3044\u308b\u3002\u3057\u304b\u3057\u3001\u305d\u3053\u306b\u4ed8\u968f\u3057\u3066\u3044\u305f\u300c\u66f8\u3044\u3066\u306f\u3044\u3051\u306a\u3044\u300d\u300c\u5165\u529b\u3067\u3042\u308b\u300d\u300c\u5171\u6709\u3055\u308c\u3066\u3044\u308b\u300d\u300c\u5f8c\u3067 root \u6587\u8108\u3067\u8aad\u307e\u308c\u308b\u300d\u3068\u3044\u3046\u610f\u5473\u304c\u6d88\u3048\u308b\u3002Dirty Frag \u3068 Copy Fail \u306f\u3001\u3044\u305a\u308c\u3082\u3053\u306e\u610f\u5473\u306e\u5265\u843d\u304c page cache \u6c5a\u67d3\u3068\u3057\u3066\u73fe\u308c\u305f\u4e8b\u4f8b\u3067\u3042\u308b\u3002\u3057\u305f\u304c\u3063\u3066\u3001\u3053\u306e\u554f\u984c\u3092\u7406\u89e3\u3059\u308b\u306b\u306f\u3001byte \u5217\u3068\u610f\u5473\u3092\u5206\u3051\u3066\u8003\u3048\u308b\u5fc5\u8981\u304c\u3042\u308b\u3002<\/p>\n

\n

13. \u610f\u5473\u4fdd\u5b58\u30e2\u30c7\u30eb\u3092\u5c0e\u5165\u3059\u308b<\/h2>\n

\u3053\u306e\u69cb\u9020\u306f\u3001\u7c21\u5358\u306a\u6570\u7406\u30e2\u30c7\u30eb\u3068\u3057\u3066\u8868\u305b\u308b\u3002\u307e\u305a\u3001\u30ab\u30fc\u30cd\u30eb\u5185\u90e8\u3067\u6271\u308f\u308c\u308b\u5bfe\u8c61\u3092\u3001\u5358\u306a\u308b byte \u5217\u3067\u306f\u306a\u304f\u3001byte \u5217\u3068\u610f\u5473\u306e\u7d44\u3068\u3057\u3066\u5b9a\u7fa9\u3059\u308b\u3002\u30c7\u30fc\u30bf\u672c\u4f53\u3092 \\(D\\)\u3001\u305d\u306e\u30c7\u30fc\u30bf\u306b\u4ed8\u968f\u3059\u308b\u5b89\u5168\u4e0a\u306e\u610f\u5473\u3092 \\(M\\) \u3068\u7f6e\u304f\u3002\u3053\u306e\u3068\u304d\u3001\u51e6\u7406\u5bfe\u8c61 \\(X\\) \u306f\u6b21\u306e\u3088\u3046\u306b\u8868\u305b\u308b\u3002<\/p>\n

\n\\[
\nX = (D, M)
\n\\]\n<\/div>\n

\u3053\u306e\u5f0f\u306f\u3001\u51e6\u7406\u5bfe\u8c61 \\(X\\) \u304c byte \u5217 \\(D\\) \u3060\u3051\u3067\u306f\u306a\u304f\u3001\u610f\u5473 \\(M\\) \u3068\u4e00\u4f53\u3067\u5b58\u5728\u3057\u3066\u3044\u308b\u3053\u3068\u3092\u8868\u3059\u3002\u3053\u3053\u3067 \\(D\\) \u306f\u5b9f\u969b\u306e\u30c7\u30fc\u30bf\u3067\u3042\u308b\u3002\u305f\u3068\u3048\u3070\u3001\u30d5\u30a1\u30a4\u30eb\u5185\u5bb9\u3001\u5b9f\u884c\u30d5\u30a1\u30a4\u30eb\u306e\u547d\u4ee4\u5217\u3001\u8a8d\u8a3c\u51e6\u7406\u304c\u8aad\u3080\u8a2d\u5b9a\u3001\u5171\u6709\u30e9\u30a4\u30d6\u30e9\u30ea\u306e\u5185\u5bb9\u306a\u3069\u3067\u3042\u308b\u3002\u4e00\u65b9\u3001\\(M\\) \u306f\u3001\u305d\u306e byte \u5217\u304c\u3069\u306e\u3088\u3046\u306a\u5b89\u5168\u4e0a\u306e\u6587\u8108\u306b\u7f6e\u304b\u308c\u3066\u3044\u308b\u304b\u3092\u8868\u3059\u3002\u305f\u3068\u3048\u3070\u3001\u3069\u3053\u304b\u3089\u6765\u305f page \u306a\u306e\u304b\u3001\u8ab0\u304c\u6240\u6709\u3057\u3066\u3044\u308b\u306e\u304b\u3001\u66f8\u3044\u3066\u3088\u3044\u306e\u304b\u3001\u5171\u6709\u3055\u308c\u3066\u3044\u308b\u306e\u304b\u3001\u3044\u3064\u307e\u3067\u6709\u52b9\u306a\u306e\u304b\u3001\u5165\u529b\u306a\u306e\u304b\u51fa\u529b\u306a\u306e\u304b\u3001\u8ab0\u306e\u6a29\u9650\u3067\u6271\u308f\u308c\u3066\u3044\u308b\u306e\u304b\u3001\u5f8c\u3067\u3069\u306e\u6a29\u9650\u6587\u8108\u3067\u8aad\u307e\u308c\u308b\u306e\u304b\u3001\u3068\u3044\u3046\u60c5\u5831\u3067\u3042\u308b\u3002<\/p>\n

\u3053\u306e \\(M\\) \u3092\u3001\u3082\u3046\u5c11\u3057\u5206\u89e3\u3057\u3066\u66f8\u304f\u3002\u3053\u3053\u3067\u306f\u3001provenance \u3092 \\(P\\)\u3001ownership \u3092 \\(O\\)\u3001writability \u3092 \\(W\\)\u3001sharing \u3092 \\(S\\)\u3001lifetime \u3092 \\(L\\)\u3001direction \u3092 \\(T\\)\u3001authority \u3092 \\(A\\)\u3001execution context \u3092 \\(C\\) \u3068\u7f6e\u304f\u3002\u3059\u308b\u3068\u3001\u610f\u5473 \\(M\\) \u306f\u6b21\u306e\u3088\u3046\u306a\u7d44\u3068\u3057\u3066\u8868\u305b\u308b\u3002<\/p>\n

\n\\[
\nM = (P, O, W, S, L, T, A, C)
\n\\]\n<\/div>\n

\u3053\u306e\u5f0f\u306e\u610f\u5473\u306f\u3001\\(M\\) \u304c\u4e00\u3064\u306e\u62bd\u8c61\u8a9e\u3067\u306f\u306a\u304f\u3001\u8907\u6570\u306e\u5b89\u5168\u5c5e\u6027\u306e\u675f\u3067\u3042\u308b\u3068\u3044\u3046\u3053\u3068\u3067\u3042\u308b\u3002\\(P\\) \u306f provenance\u3001\u3064\u307e\u308a\u30c7\u30fc\u30bf\u306e\u7531\u6765\u3067\u3042\u308b\u3002file-backed page \u306a\u306e\u304b\u3001anonymous page \u306a\u306e\u304b\u3001kernel-private buffer \u306a\u306e\u304b\u3092\u8868\u3059\u3002\\(O\\) \u306f ownership\u3001\u3064\u307e\u308a\u8ab0\u304c\u305d\u306e object \u3084 page \u3092\u6240\u6709\u3057\u3066\u3044\u308b\u304b\u3067\u3042\u308b\u3002\\(W\\) \u306f writability\u3001\u3064\u307e\u308a\u66f8\u304d\u8fbc\u307f\u53ef\u80fd\u304b\u3069\u3046\u304b\u3067\u3042\u308b\u3002\\(S\\) \u306f sharing\u3001\u3064\u307e\u308a shared \u306a\u306e\u304b private \u306a\u306e\u304b\u3067\u3042\u308b\u3002\\(L\\) \u306f lifetime\u3001\u3064\u307e\u308a object \u304c\u3044\u3064\u307e\u3067\u6709\u52b9\u304b\u3067\u3042\u308b\u3002\\(T\\) \u306f direction\u3001\u3064\u307e\u308a\u5165\u529b\u306a\u306e\u304b\u51fa\u529b\u306a\u306e\u304b\u3067\u3042\u308b\u3002\\(A\\) \u306f authority\u3001\u3064\u307e\u308a\u3069\u306e\u6a29\u9650\u4e3b\u4f53\u306e\u64cd\u4f5c\u306a\u306e\u304b\u3067\u3042\u308b\u3002\\(C\\) \u306f execution context\u3001\u3064\u307e\u308a\u5f8c\u3067\u3069\u306e\u6a29\u9650\u6587\u8108\u3067\u8aad\u307e\u308c\u308b\u304b\u3067\u3042\u308b\u3002<\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n
\u8a18\u53f7<\/th>\n\u610f\u5473<\/th>\nDirty Frag \/ Copy Fail \u3067\u306e\u4f8b<\/th>\n\u5931\u308f\u308c\u308b\u3068\u4f55\u304c\u8d77\u304d\u308b\u304b<\/th>\n<\/tr>\n<\/thead>\n
\\(P\\)<\/td>\nprovenance\u3001\u3064\u307e\u308a\u30c7\u30fc\u30bf\u306e\u7531\u6765\u3092\u8868\u3059\u3002<\/td>\nfile-backed page cache \u3067\u3042\u308b\u3002<\/td>\n\u901a\u5e38\u30d5\u30a1\u30a4\u30eb\u7531\u6765\u306e page \u304c\u3001\u5358\u306a\u308b\u4f5c\u696d buffer \u306e\u3088\u3046\u306b\u6271\u308f\u308c\u308b\u3002<\/td>\n<\/tr>\n
\\(O\\)<\/td>\nownership\u3001\u3064\u307e\u308a\u8ab0\u304c\u6240\u6709\u3057\u3066\u3044\u308b\u304b\u3092\u8868\u3059\u3002<\/td>\n\u547c\u3073\u51fa\u3057\u5143\u30e6\u30fc\u30b6\u30fc\u304c\u6240\u6709\u3057\u3066\u3044\u306a\u3044 page \u3092\u53c2\u7167\u3057\u3066\u3044\u308b\u3002<\/td>\n\u81ea\u5206\u306e\u3082\u306e\u3067\u306f\u306a\u3044 page \u3092\u66f8\u304d\u63db\u3048\u3089\u308c\u308b\u3088\u3046\u306b\u898b\u3048\u3066\u3057\u307e\u3046\u3002<\/td>\n<\/tr>\n
\\(W\\)<\/td>\nwritability\u3001\u3064\u307e\u308a\u66f8\u3044\u3066\u3088\u3044\u304b\u3092\u8868\u3059\u3002<\/td>\n\u8aad\u307f\u53d6\u308a\u5c02\u7528\u7531\u6765\u3067\u3042\u308a\u3001\u547c\u3073\u51fa\u3057\u5143\u306f\u66f8\u3051\u306a\u3044\u3002<\/td>\nread-only page \u304c destination \u3068\u3057\u3066\u6271\u308f\u308c\u308b\u3002<\/td>\n<\/tr>\n
\\(S\\)<\/td>\nsharing\u3001\u3064\u307e\u308a\u5171\u6709\u3055\u308c\u3066\u3044\u308b\u304b\u3092\u8868\u3059\u3002<\/td>\nshared page cache \u3067\u3042\u308b\u3002<\/td>\n\u4e00\u3064\u306e\u6c5a\u67d3\u304c\u5225\u6587\u8108\u3067\u8aad\u307e\u308c\u308b\u5185\u5bb9\u306b\u6ce2\u53ca\u3059\u308b\u3002<\/td>\n<\/tr>\n
\\(L\\)<\/td>\nlifetime\u3001\u3064\u307e\u308a\u6709\u52b9\u671f\u9593\u3092\u8868\u3059\u3002<\/td>\npage \u3084 object \u304c\u5f8c\u6bb5\u51e6\u7406\u4e2d\u3082\u6709\u52b9\u3067\u3042\u308b\u5fc5\u8981\u304c\u3042\u308b\u3002<\/td>\n\u5225\u7cfb\u7d71\u3067\u306f use-after-free \u306a\u3069\u306b\u3064\u306a\u304c\u308b\u3002<\/td>\n<\/tr>\n
\\(T\\)<\/td>\ndirection\u3001\u3064\u307e\u308a\u5165\u529b\u304b\u51fa\u529b\u304b\u3092\u8868\u3059\u3002<\/td>\n\u5165\u529b\u3068\u3057\u3066\u6e21\u3055\u308c\u305f page \u3067\u3042\u308b\u3002<\/td>\n\u5165\u529b page \u304c in-place \u51e6\u7406\u3067\u51fa\u529b\u5148\u306b\u306a\u308b\u3002<\/td>\n<\/tr>\n
\\(A\\)<\/td>\nauthority\u3001\u3064\u307e\u308a\u64cd\u4f5c\u4e3b\u4f53\u306e\u6a29\u9650\u3092\u8868\u3059\u3002<\/td>\n\u4f4e\u6a29\u9650\u30e6\u30fc\u30b6\u30fc\u306e\u64cd\u4f5c\u3067\u3042\u308b\u3002<\/td>\n\u4f4e\u6a29\u9650\u64cd\u4f5c\u304c\u3001\u672c\u6765\u8a31\u3055\u308c\u306a\u3044\u66f8\u304d\u63db\u3048\u52b9\u679c\u3092\u6301\u3064\u3002<\/td>\n<\/tr>\n
\\(C\\)<\/td>\nexecution context\u3001\u3064\u307e\u308a\u5f8c\u3067\u8aad\u307e\u308c\u308b\u6a29\u9650\u6587\u8108\u3092\u8868\u3059\u3002<\/td>\nsetuid binary \u3084\u8a8d\u8a3c\u51e6\u7406\u3068\u3057\u3066 root \u6587\u8108\u3067\u8aad\u307e\u308c\u5f97\u308b\u3002<\/td>\n\u6c5a\u67d3\u3055\u308c\u305f byte \u5217\u304c root \u6a29\u9650\u3067\u610f\u5473\u3092\u6301\u3064\u3002<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

\u6b21\u306b\u3001\u30ab\u30fc\u30cd\u30eb\u5185\u90e8\u306e\u51e6\u7406\u3092\u5199\u50cf\u3068\u3057\u3066\u8868\u3059\u3002\u3042\u308b\u51e6\u7406 \\(f\\) \u304c\u3001\u51e6\u7406\u5bfe\u8c61 \\(X\\) \u3092\u53d7\u3051\u53d6\u308a\u3001\u5225\u306e\u51e6\u7406\u5bfe\u8c61 \\(X’\\) \u3092\u8fd4\u3059\u3068\u3059\u308b\u3002\u3053\u306e\u3068\u304d\u3001\\(X = (D, M)\\) \u3067\u3042\u308b\u304b\u3089\u3001\u51e6\u7406 \\(f\\) \u306f\u6b21\u306e\u3088\u3046\u306b\u66f8\u3051\u308b\u3002<\/p>\n

\n\\[
\nf(X) = f(D, M) = (D’, M’)
\n\\]\n<\/div>\n

\u3053\u306e\u5f0f\u306f\u3001\u51e6\u7406 \\(f\\) \u304c byte \u5217 \\(D\\) \u3092 \\(D’\\) \u306b\u5909\u3048\u308b\u3060\u3051\u3067\u306a\u304f\u3001\u610f\u5473 \\(M\\) \u3082 \\(M’\\) \u306b\u5909\u3048\u308b\u3053\u3068\u3092\u8868\u3057\u3066\u3044\u308b\u3002\u3053\u3053\u3067\u91cd\u8981\u306a\u306e\u306f\u3001\\(D\\) \u304c\u5909\u308f\u308b\u3053\u3068\u81ea\u4f53\u306f\u5fc5\u305a\u3057\u3082\u60aa\u3067\u306f\u306a\u3044\u3068\u3044\u3046\u70b9\u3067\u3042\u308b\u3002\u6697\u53f7\u5316\u3001\u5fa9\u53f7\u3001\u5727\u7e2e\u3001\u5c55\u958b\u3001\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u51e6\u7406\u3001checksum \u8a08\u7b97\u3001fragment handling \u3067\u306f\u3001\u30c7\u30fc\u30bf\u304c\u5909\u63db\u3055\u308c\u308b\u3053\u3068\u306f\u5f53\u7136\u3042\u308a\u5f97\u308b\u3002\u554f\u984c\u306f\u3001\\(D\\) \u306e\u5909\u63db\u306b\u4f34\u3063\u3066\u3001\u5b89\u5168\u4e0a\u5fc5\u8981\u306a \\(M\\) \u306e\u5236\u7d04\u304c\u5931\u308f\u308c\u308b\u3053\u3068\u3067\u3042\u308b\u3002<\/p>\n

\u5b89\u5168\u306a\u51e6\u7406\u3067\u3042\u308b\u305f\u3081\u306b\u306f\u3001\u5909\u63db\u5f8c\u306e\u610f\u5473 \\(M’\\) \u304c\u3001\u5c11\u306a\u304f\u3068\u3082\u5b89\u5168\u4e0a\u5fc5\u8981\u306a\u610f\u5473 \\(M_{\\text{required}}\\) \u3092\u6e80\u305f\u3057\u3066\u3044\u306a\u3051\u308c\u3070\u306a\u3089\u306a\u3044\u3002\u3053\u308c\u3092\u6b21\u306e\u3088\u3046\u306b\u66f8\u304f\u3002<\/p>\n

\n\\[
\nM’ \\succeq M_{\\text{required}}
\n\\]\n<\/div>\n

\u3053\u306e\u5f0f\u3067\u3001\\(\\succeq\\) \u306f\u5927\u5c0f\u95a2\u4fc2\u3067\u306f\u306a\u304f\u3001\u300c\u5fc5\u8981\u306a\u5b89\u5168\u5236\u7d04\u3092\u5931\u3063\u3066\u3044\u306a\u3044\u300d\u3068\u3044\u3046\u95a2\u4fc2\u3092\u8868\u3059\u3002\u3064\u307e\u308a\u3001\\(M’\\) \u304c \\(M_{\\text{required}}\\) \u4ee5\u4e0a\u306b\u5927\u304d\u3044\u3068\u3044\u3046\u610f\u5473\u3067\u306f\u306a\u3044\u3002\u5909\u63db\u5f8c\u306e\u610f\u5473 \\(M’\\) \u304c\u3001\u5b89\u5168\u6027\u306b\u5fc5\u8981\u306a\u6761\u4ef6\u3092\u4fdd\u6301\u3057\u3066\u3044\u308b\u3001\u3068\u3044\u3046\u610f\u5473\u3067\u3042\u308b\u3002\u305f\u3068\u3048\u3070\u3001\u5143\u306e page \u304c read-only file-backed shared page \u3067\u3042\u308a\u3001\u5165\u529b\u3068\u3057\u3066\u6e21\u3055\u308c\u305f\u306a\u3089\u3001\u5909\u63db\u5f8c\u3082\u300c\u66f8\u3044\u3066\u306f\u3044\u3051\u306a\u3044\u300d\u300c\u5171\u6709\u3055\u308c\u3066\u3044\u308b\u300d\u300c\u5165\u529b\u3067\u3042\u308b\u300d\u300c\u5fc5\u8981\u306a\u3089 private copy \u3092\u4f5c\u308b\u3079\u304d\u3067\u3042\u308b\u300d\u3068\u3044\u3046\u5236\u7d04\u304c\u4fdd\u6301\u3055\u308c\u3066\u3044\u306a\u3051\u308c\u3070\u306a\u3089\u306a\u3044\u3002<\/p>\n

Copy Fail \/ Dirty Frag \u578b\u3067\u5fc5\u8981\u306b\u306a\u308b\u4e0d\u5909\u6761\u4ef6\u306f\u3001\u6b21\u306e\u3088\u3046\u306b\u8868\u305b\u308b\u3002<\/p>\n

\n\\[
\nP = file\\text{-}backed \\land W = read\\text{-}only \\land S = shared \\Rightarrow no\\_inplace\\_write
\n\\]\n<\/div>\n

\u3053\u306e\u5f0f\u306f\u3001file-backed \u3067\u3001read-only \u3067\u3001shared \u3067\u3042\u308b page \u306b\u5bfe\u3057\u3066\u306f\u3001in-place write \u3092\u3057\u3066\u306f\u306a\u3089\u306a\u3044\u3001\u3068\u3044\u3046\u610f\u5473\u3067\u3042\u308b\u3002\u5de6\u8fba\u306e \\(P = file\\text{-}backed\\) \u306f\u3001\u305d\u306e page \u304c\u30d5\u30a1\u30a4\u30eb\u7531\u6765\u3067\u3042\u308b\u3053\u3068\u3092\u8868\u3059\u3002\\(W = read\\text{-}only\\) \u306f\u3001\u547c\u3073\u51fa\u3057\u5143\u304c\u66f8\u304d\u8fbc\u3093\u3067\u306f\u306a\u3089\u306a\u3044\u3053\u3068\u3092\u8868\u3059\u3002\\(S = shared\\) \u306f\u3001\u305d\u306e page \u304c\u4ed6\u306e\u6587\u8108\u3067\u3082\u8aad\u307e\u308c\u5f97\u308b\u5171\u6709 page \u3067\u3042\u308b\u3053\u3068\u3092\u8868\u3059\u3002\u3053\u306e 3 \u6761\u4ef6\u304c\u305d\u308d\u3046\u306a\u3089\u3001\u53f3\u8fba\u306e \\(no\\_inplace\\_write\\)\u3001\u3064\u307e\u308a\u305d\u306e page \u3092\u305d\u306e\u307e\u307e\u51fa\u529b\u5148\u3068\u3057\u3066\u66f8\u304d\u63db\u3048\u3066\u306f\u306a\u3089\u306a\u3044\u3001\u3068\u3044\u3046\u5236\u7d04\u304c\u5fc5\u8981\u306b\u306a\u308b\u3002<\/p>\n

Dirty Frag \u3068 Copy Fail \u3067\u8d77\u304d\u305f\u3053\u3068\u306f\u3001\u3053\u306e\u4e0d\u5909\u6761\u4ef6\u306e\u7834\u308c\u3068\u3057\u3066\u8868\u305b\u308b\u3002\u5371\u967a\u306a\u72b6\u614b\u306f\u6b21\u306e\u3088\u3046\u306b\u66f8\u3051\u308b\u3002<\/p>\n

\n\\[
\nP = file\\text{-}backed \\land W = read\\text{-}only \\land S = shared \\land T = output
\n\\]\n<\/div>\n

\u3053\u306e\u5f0f\u306f\u3001file-backed \u3067\u3001read-only \u3067\u3001shared \u3067\u3042\u308b page \u304c\u3001\u51fa\u529b\u5148 \\(T = output\\) \u3068\u3057\u3066\u6271\u308f\u308c\u3066\u3044\u308b\u72b6\u614b\u3092\u8868\u3059\u3002\u3053\u308c\u306f\u77db\u76fe\u3057\u305f\u72b6\u614b\u3067\u3042\u308b\u3002\u306a\u305c\u306a\u3089\u3001\u8aad\u307f\u53d6\u308a\u5c02\u7528\u7531\u6765\u3067\u5171\u6709\u3055\u308c\u3066\u3044\u308b page \u306f\u3001\u5165\u529b\u3068\u3057\u3066\u53c2\u7167\u3055\u308c\u308b\u3053\u3068\u306f\u3042\u3063\u3066\u3082\u3001\u4f4e\u6a29\u9650\u30e6\u30fc\u30b6\u30fc\u306e\u51e6\u7406\u306b\u3088\u3063\u3066\u51fa\u529b\u5148\u306b\u3055\u308c\u3066\u306f\u306a\u3089\u306a\u3044\u304b\u3089\u3067\u3042\u308b\u3002Copy Fail \u3067\u306f\u3001\u3053\u306e\u5371\u967a\u306a\u72b6\u614b\u304c algif_aead \u3068 scatterlist \u306e\u7d4c\u8def\u3067\u73fe\u308c\u305f\u3002Dirty Frag \u3067\u306f\u3001xfrm-ESP\u3001RxRPC\u3001skb frag \u306e\u7d4c\u8def\u3067\u73fe\u308c\u305f\u3002<\/p>\n

\u3053\u3053\u3067\u91cd\u8981\u306a\u306e\u306f\u3001\u6570\u5f0f\u304c\u4f55\u304b\u65b0\u3057\u3044\u8106\u5f31\u6027\u691c\u51fa\u5668\u3092\u4e0e\u3048\u3066\u3044\u308b\u308f\u3051\u3067\u306f\u306a\u3044\u3068\u3044\u3046\u70b9\u3067\u3042\u308b\u3002\u3053\u306e\u30e2\u30c7\u30eb\u306e\u5f79\u5272\u306f\u3001Copy Fail \u3068 Dirty Frag \u306e\u540c\u578b\u6027\u3092\u660e\u78ba\u306b\u3059\u308b\u3053\u3068\u3067\u3042\u308b\u3002\u500b\u5225\u306b\u306f\u3001Copy Fail \u306f crypto API \u306e\u554f\u984c\u306b\u898b\u3048\u308b\u3002Dirty Frag \u306f networking \/ fragment handling \u306e\u554f\u984c\u306b\u898b\u3048\u308b\u3002\u3057\u304b\u3057\u3001\u610f\u5473\u4fdd\u5b58\u30e2\u30c7\u30eb\u3067\u898b\u308b\u3068\u3001\u3069\u3061\u3089\u3082 \\(M\\) \u306e\u3046\u3061 provenance\u3001writability\u3001sharing\u3001direction \u304c\u4fdd\u5b58\u3055\u308c\u305a\u3001read-only shared file-backed page \u304c output \u5316\u3057\u305f\u4e8b\u4f8b\u3068\u3057\u3066\u8aad\u3081\u308b\u3002<\/p>\n

\u3057\u305f\u304c\u3063\u3066\u3001\u610f\u5473\u4fdd\u5b58\u30e2\u30c7\u30eb\u306e\u7d50\u8ad6\u306f\u660e\u78ba\u3067\u3042\u308b\u3002\u30ab\u30fc\u30cd\u30eb\u5185\u90e8\u306e\u51e6\u7406\u306f\u3001\\(D\\) \u3060\u3051\u3092\u6b63\u3057\u304f\u5909\u63db\u3059\u308c\u3070\u3088\u3044\u308f\u3051\u3067\u306f\u306a\u3044\u3002\\(D\\) \u306b\u4ed8\u968f\u3059\u308b \\(M\\) \u3092\u3001\u30b5\u30d6\u30b7\u30b9\u30c6\u30e0\u5883\u754c\u3092\u8d8a\u3048\u3066\u4fdd\u5b58\u3057\u306a\u3051\u308c\u3070\u306a\u3089\u306a\u3044\u3002byte \u5217\u306e\u51e6\u7406\u3068\u3057\u3066\u306f\u6b63\u5e38\u306b\u898b\u3048\u3066\u3082\u3001\u610f\u5473\u306e\u4fdd\u5b58\u306b\u5931\u6557\u3059\u308c\u3070\u3001\u8aad\u307f\u53d6\u308a\u6a29\u9650\u304c\u66f8\u304d\u63db\u3048\u80fd\u529b\u3078\u5909\u8cea\u3057\u3001\u5b9f\u884c\u6642\u610f\u5473\u306e\u6c5a\u67d3\u3092\u901a\u3058\u3066 LPE \u3078\u63a5\u7d9a\u3059\u308b\u3002<\/p>\n

\n

14. \u30e1\u30bf\u610f\u5473\u3092\u5206\u89e3\u3059\u308b<\/h2>\n

\u524d\u7ae0\u3067\u306f\u3001\u30ab\u30fc\u30cd\u30eb\u5185\u90e8\u3067\u6271\u308f\u308c\u308b\u5bfe\u8c61\u3092 \\(X=(D,M)\\) \u3068\u8868\u3057\u305f\u3002\u3053\u3053\u3067 \\(D\\) \u306f byte \u5217\u3067\u3042\u308a\u3001\\(M\\) \u306f\u305d\u306e byte \u5217\u306b\u4ed8\u968f\u3059\u308b\u5b89\u5168\u4e0a\u306e\u610f\u5473\u3067\u3042\u308b\u3002\u3057\u304b\u3057\u3001\\(M\\) \u3092\u5358\u306b\u300c\u610f\u5473\u300d\u3068\u547c\u3076\u3060\u3051\u3067\u306f\u3001\u3069\u3053\u3067\u4f55\u304c\u58ca\u308c\u305f\u306e\u304b\u3092\u5341\u5206\u306b\u8ffd\u8de1\u3067\u304d\u306a\u3044\u3002\u305d\u3053\u3067 \\(M\\) \u3092\u3001provenance\u3001ownership\u3001writability\u3001sharing\u3001lifetime\u3001direction\u3001authority\u3001execution context \u3068\u3044\u3046 8 \u3064\u306e\u6210\u5206\u3078\u5206\u89e3\u3059\u308b\u3002<\/p>\n

\n\\[
\nM = (P, O, W, S, L, T, A, C)
\n\\]\n<\/div>\n

\u3053\u306e\u5f0f\u306f\u3001\u610f\u5473 \\(M\\) \u304c\u4e00\u3064\u306e\u62bd\u8c61\u7684\u306a\u5c5e\u6027\u3067\u306f\u306a\u304f\u3001\u8907\u6570\u306e\u5b89\u5168\u5c5e\u6027\u306e\u675f\u3067\u3042\u308b\u3053\u3068\u3092\u8868\u3057\u3066\u3044\u308b\u3002\\(P\\) \u306f provenance\u3001\u3064\u307e\u308a\u30c7\u30fc\u30bf\u304c\u3069\u3053\u304b\u3089\u6765\u305f\u304b\u3067\u3042\u308b\u3002\\(O\\) \u306f ownership\u3001\u3064\u307e\u308a\u8ab0\u304c\u305d\u306e page \u3084 object \u3092\u6240\u6709\u3057\u3066\u3044\u308b\u304b\u3067\u3042\u308b\u3002\\(W\\) \u306f writability\u3001\u3064\u307e\u308a\u66f8\u304d\u8fbc\u307f\u53ef\u80fd\u304b\u3069\u3046\u304b\u3067\u3042\u308b\u3002\\(S\\) \u306f sharing\u3001\u3064\u307e\u308a shared \u306a\u306e\u304b private \u306a\u306e\u304b\u3067\u3042\u308b\u3002\\(L\\) \u306f lifetime\u3001\u3064\u307e\u308a\u3044\u3064\u307e\u3067\u6709\u52b9\u306a object \u306a\u306e\u304b\u3067\u3042\u308b\u3002\\(T\\) \u306f direction\u3001\u3064\u307e\u308a\u5165\u529b\u306a\u306e\u304b\u51fa\u529b\u306a\u306e\u304b\u3067\u3042\u308b\u3002\\(A\\) \u306f authority\u3001\u3064\u307e\u308a\u3069\u306e\u6a29\u9650\u4e3b\u4f53\u306e\u64cd\u4f5c\u306a\u306e\u304b\u3067\u3042\u308b\u3002\\(C\\) \u306f execution context\u3001\u3064\u307e\u308a\u5f8c\u3067\u3069\u306e\u6a29\u9650\u6587\u8108\u3067\u8aad\u307e\u308c\u308b\u304b\u3067\u3042\u308b\u3002<\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n
\u8a18\u53f7<\/th>\n\u610f\u5473<\/th>\nDirty Frag \/ Copy Fail \u3067\u306e\u5177\u4f53\u4f8b<\/th>\n\u5931\u308f\u308c\u305f\u5834\u5408\u306e\u5371\u967a<\/th>\n<\/tr>\n<\/thead>\n
\\(P\\)<\/td>\nprovenance\u3001\u3064\u307e\u308a\u30c7\u30fc\u30bf\u306e\u7531\u6765\u3092\u8868\u3059\u3002<\/td>\nfile-backed page \u306a\u306e\u304b\u3001anonymous page \u306a\u306e\u304b\u3001kernel-private buffer \u306a\u306e\u304b\u3092\u533a\u5225\u3059\u308b\u3002<\/td>\n\u8aad\u307f\u53d6\u308a\u5c02\u7528\u30d5\u30a1\u30a4\u30eb\u7531\u6765\u306e page \u304c\u3001\u5358\u306a\u308b\u4e00\u6642 buffer \u306e\u3088\u3046\u306b\u6271\u308f\u308c\u308b\u3002<\/td>\n<\/tr>\n
\\(O\\)<\/td>\nownership\u3001\u3064\u307e\u308a\u8ab0\u304c\u305d\u306e page \u3084 object \u3092\u6240\u6709\u3057\u3066\u3044\u308b\u304b\u3092\u8868\u3059\u3002<\/td>\n\u547c\u3073\u51fa\u3057\u5143\u30e6\u30fc\u30b6\u30fc\u304c\u6240\u6709\u3057\u3066\u3044\u306a\u3044 page cache \u3092\u53c2\u7167\u3057\u3066\u3044\u308b\u3002<\/td>\n\u81ea\u5206\u306e\u3082\u306e\u3067\u306f\u306a\u3044 page \u306b\u5bfe\u3057\u3066\u3001\u66f8\u304d\u63db\u3048\u52b9\u679c\u3092\u53ca\u307c\u305b\u308b\u3088\u3046\u306b\u898b\u3048\u3066\u3057\u307e\u3046\u3002<\/td>\n<\/tr>\n
\\(W\\)<\/td>\nwritability\u3001\u3064\u307e\u308a\u66f8\u304d\u8fbc\u307f\u53ef\u80fd\u304b\u3069\u3046\u304b\u3092\u8868\u3059\u3002<\/td>\n\u8aad\u307f\u53d6\u308a\u5c02\u7528\u30d5\u30a1\u30a4\u30eb\u7531\u6765\u3067\u3042\u308a\u3001\u4f4e\u6a29\u9650\u30e6\u30fc\u30b6\u30fc\u306f\u66f8\u304d\u8fbc\u3081\u306a\u3044\u3002<\/td>\nread-only page \u304c writable destination \u3068\u3057\u3066\u6271\u308f\u308c\u3001\u8aad\u307f\u53d6\u308a\u6a29\u9650\u304c\u66f8\u304d\u63db\u3048\u80fd\u529b\u3078\u5909\u8cea\u3059\u308b\u3002<\/td>\n<\/tr>\n
\\(S\\)<\/td>\nsharing\u3001\u3064\u307e\u308a\u5171\u6709\u3055\u308c\u3066\u3044\u308b\u304b\u3069\u3046\u304b\u3092\u8868\u3059\u3002<\/td>\nshared page cache \u3068\u3057\u3066\u3001\u8907\u6570\u306e\u6587\u8108\u304b\u3089\u8aad\u307e\u308c\u5f97\u308b\u3002<\/td>\n\u4e00\u3064\u306e\u66f8\u304d\u63db\u3048\u304c\u3001\u5f8c\u7d9a\u306e\u5b9f\u884c\u3001\u8a8d\u8a3c\u3001\u30e9\u30a4\u30d6\u30e9\u30ea\u8aad\u307f\u8fbc\u307f\u306a\u3069\u3078\u6ce2\u53ca\u3059\u308b\u3002<\/td>\n<\/tr>\n
\\(L\\)<\/td>\nlifetime\u3001\u3064\u307e\u308a object \u3084 page \u304c\u3044\u3064\u307e\u3067\u6709\u52b9\u304b\u3092\u8868\u3059\u3002<\/td>\n\u51e6\u7406\u4e2d\u306b\u53c2\u7167\u3055\u308c\u308b page \u3084 buffer \u304c\u3001\u5f8c\u6bb5\u51e6\u7406\u307e\u3067\u6709\u52b9\u3067\u3042\u308b\u5fc5\u8981\u304c\u3042\u308b\u3002<\/td>\n\u5bff\u547d\u7ba1\u7406\u304c\u58ca\u308c\u308b\u3068 use-after-free \u3084 stale reference \u306b\u3064\u306a\u304c\u308b\u3002<\/td>\n<\/tr>\n
\\(T\\)<\/td>\ndirection\u3001\u3064\u307e\u308a\u5165\u529b\u306a\u306e\u304b\u51fa\u529b\u306a\u306e\u304b\u3092\u8868\u3059\u3002<\/td>\n\u8aad\u307f\u53d6\u308a\u5c02\u7528 file-backed page \u306f\u3001\u672c\u6765 input \u3068\u3057\u3066\u6271\u308f\u308c\u308b\u3002<\/td>\ninput page \u304c output \u307e\u305f\u306f work area \u3068\u3057\u3066\u6271\u308f\u308c\u3001in-place write \u306e\u5bfe\u8c61\u306b\u306a\u308b\u3002<\/td>\n<\/tr>\n
\\(A\\)<\/td>\nauthority\u3001\u3064\u307e\u308a\u3069\u306e\u6a29\u9650\u4e3b\u4f53\u306e\u64cd\u4f5c\u306a\u306e\u304b\u3092\u8868\u3059\u3002<\/td>\n\u4f4e\u6a29\u9650\u30e6\u30fc\u30b6\u30fc\u304c\u8aad\u307f\u53d6\u308a\u53ef\u80fd\u306a\u30d5\u30a1\u30a4\u30eb\u3092\u51e6\u7406\u3057\u3066\u3044\u308b\u3002<\/td>\n\u4f4e\u6a29\u9650\u64cd\u4f5c\u304c\u3001\u672c\u6765\u8a31\u3055\u308c\u306a\u3044\u9ad8\u6a29\u9650\u6587\u8108\u3078\u306e\u66f8\u304d\u63db\u3048\u52b9\u679c\u3092\u6301\u3064\u3002<\/td>\n<\/tr>\n
\\(C\\)<\/td>\nexecution context\u3001\u3064\u307e\u308a\u5f8c\u3067\u3069\u306e\u6a29\u9650\u6587\u8108\u3067\u8aad\u307e\u308c\u308b\u304b\u3092\u8868\u3059\u3002<\/td>\nsetuid binary\u3001PAM\u3001\u5171\u6709\u30e9\u30a4\u30d6\u30e9\u30ea\u3001dynamic loader \u306a\u3069\u3068\u3057\u3066 root \u6587\u8108\u3067\u8aad\u307e\u308c\u5f97\u308b\u3002<\/td>\n\u6c5a\u67d3\u3055\u308c\u305f page \u304c root \u6587\u8108\u3067\u610f\u5473\u3092\u6301\u3061\u3001LPE \u3078\u63a5\u7d9a\u3059\u308b\u3002<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

\u3053\u306e\u5206\u89e3\u306f\u3001\u62bd\u8c61\u7684\u306a\u8a00\u8449\u904a\u3073\u3067\u306f\u306a\u3044\u3002Dirty Frag \u3067\u306f\u3001\u5c11\u306a\u304f\u3068\u3082 \\(P\\)\u3001\\(W\\)\u3001\\(S\\)\u3001\\(T\\)\u3001\\(C\\) \u304c\u76f4\u63a5\u554f\u984c\u306b\u306a\u3063\u305f\u3002\u8aad\u307f\u53d6\u308a\u5c02\u7528\u30d5\u30a1\u30a4\u30eb\u7531\u6765\u306e page \u3067\u3042\u308b\u3053\u3068\u3001shared page cache \u3067\u3042\u308b\u3053\u3068\u3001\u5165\u529b page \u3067\u3042\u308b\u3053\u3068\u3001\u5f8c\u3067 root \u6587\u8108\u3067\u8aad\u307e\u308c\u5f97\u308b\u3053\u3068\u304c\u3001\u5f8c\u6bb5\u306e\u51e6\u7406\u3067\u5341\u5206\u306b\u4fdd\u5b58\u3055\u308c\u306a\u304b\u3063\u305f\u3002Copy Fail \u3067\u3082\u540c\u3058\u65b9\u5411\u306e\u610f\u5473\u55aa\u5931\u304c\u8d77\u304d\u305f\u3002\u5165\u53e3\u306f algif_aead \u3068 scatterlist \u3060\u3063\u305f\u304c\u3001\u58ca\u308c\u305f\u610f\u5473\u306f\u540c\u3058\u3067\u3042\u308b\u3002<\/p>\n

\u3053\u306e\u30e2\u30c7\u30eb\u3092\u4f7f\u3046\u3068\u3001Copy Fail \u3068 Dirty Frag \u306f\u3001\u540c\u3058\u4e0d\u5909\u6761\u4ef6\u9055\u53cd\u3068\u3057\u3066\u8aad\u3081\u308b\u3002\u91cd\u8981\u306a\u306e\u306f\u3001\\(M\\) \u306e\u3059\u3079\u3066\u306e\u6210\u5206\u304c\u5e38\u306b\u540c\u3058\u91cd\u307f\u3092\u6301\u3064\u308f\u3051\u3067\u306f\u306a\u3044\u3068\u3044\u3046\u70b9\u3067\u3042\u308b\u3002page cache write \u578b\u3067\u306f\u3001\u7279\u306b provenance\u3001writability\u3001sharing\u3001direction\u3001execution context \u304c\u91cd\u8981\u306b\u306a\u308b\u3002\u4e00\u65b9\u3001use-after-free \u3067\u306f lifetime\u3001type confusion \u3067\u306f object type\u3001capability bypass \u3067\u306f authority \u304c\u4e2d\u5fc3\u306b\u306a\u308b\u3002\u3064\u307e\u308a\u3001LPE \u306e\u7cfb\u7d71\u3054\u3068\u306b\u58ca\u308c\u308b\u610f\u5473\u306f\u9055\u3046\u304c\u3001\u610f\u5473\u304c\u4fdd\u5b58\u3055\u308c\u306a\u3044\u3053\u3068\u3067\u5b89\u5168\u5883\u754c\u304c\u7834\u308c\u308b\u3068\u3044\u3046\u69cb\u9020\u306f\u5171\u901a\u3057\u3066\u3044\u308b\u3002<\/p>\n

\n

15. \u610f\u5473\u4fdd\u5b58\u3092\u4e0d\u5909\u6761\u4ef6\u3068\u3057\u3066\u8868\u3059<\/h2>\n

\u6b21\u306b\u3001\u30ab\u30fc\u30cd\u30eb\u5185\u90e8\u306e\u51e6\u7406\u3092\u72b6\u614b\u9077\u79fb\u3068\u3057\u3066\u8868\u3059\u3002\u3042\u308b\u30b5\u30d6\u30b7\u30b9\u30c6\u30e0\u306e\u51e6\u7406\u3092\u5199\u50cf \\(f_i\\) \u3068\u7f6e\u304f\u3002\u3053\u3053\u3067 \\(i\\) \u306f\u3001\u51e6\u7406\u7d4c\u8def\u306e\u4f55\u756a\u76ee\u306e\u6bb5\u968e\u304b\u3092\u8868\u3059\u6dfb\u5b57\u3067\u3042\u308b\u3002\u305f\u3068\u3048\u3070\u3001\u8aad\u307f\u53d6\u308a\u3001pipe \u3078\u306e\u79fb\u52d5\u3001scatterlist \u5316\u3001skb frag \u5316\u3001\u6697\u53f7\u51e6\u7406\u3001\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u51e6\u7406\u3001\u5b9f\u884c\u6642\u8aad\u307f\u8fbc\u307f\u306a\u3069\u3092\u3001\u305d\u308c\u305e\u308c\u5225\u306e \\(f_i\\) \u3068\u3057\u3066\u8003\u3048\u308b\u3053\u3068\u304c\u3067\u304d\u308b\u3002<\/p>\n

\n\\[
\nf_i(D, M) = (D’, M’)
\n\\]\n<\/div>\n

\u3053\u306e\u5f0f\u306f\u3001\u51e6\u7406 \\(f_i\\) \u304c byte \u5217 \\(D\\) \u3068\u610f\u5473 \\(M\\) \u3092\u53d7\u3051\u53d6\u308a\u3001\u5909\u63db\u5f8c\u306e byte \u5217 \\(D’\\) \u3068\u5909\u63db\u5f8c\u306e\u610f\u5473 \\(M’\\) \u3092\u8fd4\u3059\u3053\u3068\u3092\u8868\u3059\u3002\u3053\u3053\u3067\u91cd\u8981\u306a\u306e\u306f\u3001\u30ab\u30fc\u30cd\u30eb\u51e6\u7406\u306f \\(D\\) \u3060\u3051\u3092\u5909\u63db\u3057\u3066\u3044\u308b\u308f\u3051\u3067\u306f\u306a\u3044\u3001\u3068\u3044\u3046\u70b9\u3067\u3042\u308b\u3002\u6697\u53f7\u51e6\u7406\u3001\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u51e6\u7406\u3001I\/O \u51e6\u7406\u3001fragment handling \u3067\u306f\u3001byte \u5217\u306e\u898b\u3048\u65b9\u3060\u3051\u3067\u306a\u304f\u3001\u305d\u306e byte \u5217\u304c\u3069\u306e\u6587\u8108\u3067\u6271\u308f\u308c\u308b\u304b\u3082\u5909\u308f\u308b\u3002\u3057\u305f\u304c\u3063\u3066\u3001\u5b89\u5168\u6027\u3092\u8003\u3048\u308b\u306b\u306f\u3001\\(D \\to D’\\) \u3060\u3051\u3067\u306a\u304f\u3001\\(M \\to M’\\) \u3082\u8ffd\u8de1\u3059\u308b\u5fc5\u8981\u304c\u3042\u308b\u3002<\/p>\n

\u5b89\u5168\u306a\u51e6\u7406\u3067\u306f\u3001\\(D\\) \u304c\u5909\u63db\u3055\u308c\u3066\u3082\u3001\u5b89\u5168\u4e0a\u5fc5\u8981\u306a \\(M\\) \u306f\u4fdd\u5b58\u3055\u308c\u306a\u3051\u308c\u3070\u306a\u3089\u306a\u3044\u3002\u3053\u306e\u6761\u4ef6\u3092\u3001\u6b21\u306e\u3088\u3046\u306b\u8868\u3059\u3002<\/p>\n

\n\\[
\nM’ \\succeq M_{\\text{required}}
\n\\]\n<\/div>\n

\u3053\u306e\u5f0f\u3067\u3001\\(M_{\\text{required}}\\) \u306f\u5f8c\u7d9a\u51e6\u7406\u306b\u5fc5\u8981\u306a\u5b89\u5168\u5236\u7d04\u306e\u96c6\u5408\u3067\u3042\u308b\u3002\u305f\u3068\u3048\u3070\u3001file-backed\u3001read-only\u3001shared\u3001input\u3001unprivileged\u3001root-reachable \u3068\u3044\u3046\u5236\u7d04\u304c\u5fc5\u8981\u306a\u3089\u3001\u305d\u308c\u3089\u304c \\(M_{\\text{required}}\\) \u306b\u542b\u307e\u308c\u308b\u3002\\(M’\\) \u306f\u5909\u63db\u5f8c\u306b\u6b8b\u3063\u3066\u3044\u308b\u610f\u5473\u3067\u3042\u308b\u3002\u305d\u3057\u3066 \\(\\succeq\\) \u306f\u3001\u300c\\(M’\\) \u304c \\(M_{\\text{required}}\\) \u3092\u6e80\u305f\u3057\u3066\u3044\u308b\u300d\u3053\u3068\u3092\u8868\u3059\u95a2\u4fc2\u3067\u3042\u308b\u3002\u3053\u308c\u306f\u901a\u5e38\u306e\u6570\u5024\u6bd4\u8f03\u3067\u306f\u306a\u3044\u3002\u610f\u5473\u306e\u5305\u542b\u3001\u5236\u7d04\u306e\u4fdd\u5b58\u3001\u5f8c\u7d9a\u51e6\u7406\u306b\u5fc5\u8981\u306a\u5b89\u5168\u6761\u4ef6\u306e\u7dad\u6301\u3092\u8868\u3059\u8a18\u53f7\u3068\u3057\u3066\u4f7f\u3063\u3066\u3044\u308b\u3002<\/p>\n\n\n\n\n\n\n\n\n\n\n\n
\u5f0f\u306e\u8981\u7d20<\/th>\n\u610f\u5473<\/th>\nDirty Frag \/ Copy Fail \u3067\u306e\u8aad\u307f\u65b9<\/th>\n<\/tr>\n<\/thead>\n
\\(f_i\\)<\/td>\n\u30ab\u30fc\u30cd\u30eb\u5185\u90e8\u306e\u5404\u51e6\u7406\u6bb5\u968e\u3092\u8868\u3059\u3002<\/td>\nsplice\u3001scatterlist \u5316\u3001skb frag \u5316\u3001ESP \u51e6\u7406\u3001RxRPC \u51e6\u7406\u3001AEAD \u51e6\u7406\u306a\u3069\u306b\u5bfe\u5fdc\u3059\u308b\u3002<\/td>\n<\/tr>\n
\\(D\\)<\/td>\n\u51e6\u7406\u524d\u306e byte \u5217\u3092\u8868\u3059\u3002<\/td>\n\u8aad\u307f\u53d6\u308a\u5bfe\u8c61\u30d5\u30a1\u30a4\u30eb\u7531\u6765\u306e page cache \u306b\u8f09\u3063\u3066\u3044\u308b\u5185\u5bb9\u3092\u8868\u3059\u3002<\/td>\n<\/tr>\n
\\(M\\)<\/td>\n\u51e6\u7406\u524d\u306e\u5b89\u5168\u4e0a\u306e\u610f\u5473\u3092\u8868\u3059\u3002<\/td>\nfile-backed\u3001read-only\u3001shared\u3001input\u3001unprivileged\u3001root-reachable \u306a\u3069\u3092\u542b\u3080\u3002<\/td>\n<\/tr>\n
\\(D’\\)<\/td>\n\u51e6\u7406\u5f8c\u306e byte \u5217\u3092\u8868\u3059\u3002<\/td>\n\u6697\u53f7\u51e6\u7406\u3001\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u51e6\u7406\u3001in-place \u51e6\u7406\u306a\u3069\u306e\u5f8c\u306b\u898b\u3048\u308b\u5185\u5bb9\u3092\u8868\u3059\u3002<\/td>\n<\/tr>\n
\\(M’\\)<\/td>\n\u51e6\u7406\u5f8c\u306b\u4fdd\u5b58\u3055\u308c\u3066\u3044\u308b\u5b89\u5168\u4e0a\u306e\u610f\u5473\u3092\u8868\u3059\u3002<\/td>\n\u5f8c\u6bb5\u51e6\u7406\u304c\u3001\u305d\u306e page \u3092 read-only shared input \u3068\u3057\u3066\u8a8d\u8b58\u3067\u304d\u3066\u3044\u308b\u304b\u3092\u8868\u3059\u3002<\/td>\n<\/tr>\n
\\(M_{\\text{required}}\\)<\/td>\n\u5b89\u5168\u306e\u305f\u3081\u306b\u5f8c\u7d9a\u51e6\u7406\u3078\u5f15\u304d\u7d99\u304c\u308c\u308b\u3079\u304d\u610f\u5473\u3092\u8868\u3059\u3002<\/td>\nread-only page \u3092 output \u306b\u3057\u306a\u3044\u3001shared page \u306a\u3089 private copy \u3092\u4f5c\u308b\u3001\u3068\u3044\u3063\u305f\u5236\u7d04\u3092\u542b\u3080\u3002<\/td>\n<\/tr>\n
\\(\\succeq\\)<\/td>\n\u5fc5\u8981\u306a\u5b89\u5168\u5236\u7d04\u3092\u5931\u3063\u3066\u3044\u306a\u3044\u3053\u3068\u3092\u8868\u3059\u3002<\/td>\n\\(M’\\) \u304c \\(M_{\\text{required}}\\) \u3092\u6e80\u305f\u3057\u3066\u3044\u308c\u3070\u5b89\u5168\u5074\u3067\u3042\u308a\u3001\u6e80\u305f\u3057\u3066\u3044\u306a\u3051\u308c\u3070\u610f\u5473\u4fdd\u5b58\u306b\u5931\u6557\u3057\u3066\u3044\u308b\u3002<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Copy Fail \/ Dirty Frag \u578b\u306e\u554f\u984c\u306f\u3001\u3053\u306e\u95a2\u4fc2\u304c\u58ca\u308c\u308b\u3053\u3068\u3067\u3042\u308b\u3002byte \u5217\u51e6\u7406\u3068\u3057\u3066\u306f\u5408\u6cd5\u306b\u898b\u3048\u3066\u3082\u3001\u8aad\u307f\u53d6\u308a\u5c02\u7528\u3001shared\u3001input\u3001unprivileged\u3001root-reachable \u3068\u3044\u3046\u610f\u5473\u304c\u4fdd\u5b58\u3055\u308c\u306a\u3051\u308c\u3070\u3001\u5b89\u5168\u6027\u306f\u58ca\u308c\u308b\u3002\u305f\u3068\u3048\u3070\u3001\u3042\u308b\u51e6\u7406\u304c page \u306e\u5185\u5bb9\u3092\u5fa9\u53f7\u3059\u308b\u3053\u3068\u81ea\u4f53\u306f\u6b63\u5e38\u306a\u51e6\u7406\u3067\u3042\u308b\u3002\u3057\u304b\u3057\u3001\u305d\u306e page \u304c read-only file-backed shared page \u3067\u3042\u308b\u306b\u3082\u304b\u304b\u308f\u3089\u305a\u3001\u51fa\u529b\u5148\u3068\u3057\u3066 in-place \u306b\u66f8\u304d\u63db\u3048\u3089\u308c\u308b\u306a\u3089\u3001\\(M’ \\succeq M_{\\text{required}}\\) \u306f\u6210\u308a\u7acb\u305f\u306a\u3044\u3002<\/p>\n

\u3057\u305f\u304c\u3063\u3066\u3001\u610f\u5473\u4fdd\u5b58\u306e\u4e0d\u5909\u6761\u4ef6\u306f\u3001\u51e6\u7406\u7d50\u679c\u306e byte \u5217\u3060\u3051\u3067\u306f\u306a\u304f\u3001\u51e6\u7406\u5f8c\u306b\u6b8b\u308b\u610f\u5473\u3092\u5bfe\u8c61\u306b\u3059\u308b\u3002Dirty Frag \u3068 Copy Fail \u306e\u672c\u8cea\u306f\u3001\\(D’\\) \u304c\u4f55\u3067\u3042\u308b\u304b\u3060\u3051\u3067\u306f\u306a\u304f\u3001\\(M’\\) \u304b\u3089\u5fc5\u8981\u306a\u5236\u7d04\u304c\u843d\u3061\u3066\u3044\u305f\u3053\u3068\u306b\u3042\u308b\u3002\u30ab\u30fc\u30cd\u30eb\u5185\u90e8\u306e\u9ad8\u901f\u5316\u306f\u3001\\(D\\) \u306e copy \u3092\u6e1b\u3089\u3059\u65b9\u5411\u306b\u9032\u307f\u3084\u3059\u3044\u3002\u3057\u304b\u3057\u3001\\(D\\) \u306e copy \u3092\u907f\u3051\u308b\u306a\u3089\u3001\u4ee3\u308f\u308a\u306b \\(M\\) \u3092\u3088\u308a\u53b3\u5bc6\u306b\u904b\u3070\u306a\u3051\u308c\u3070\u306a\u3089\u306a\u3044\u3002<\/p>\n

\n

16. Copy Fail \u3068 Dirty Frag \u3092\u540c\u3058\u5f0f\u3067\u8aad\u3080<\/h2>\n

Copy Fail \/ Dirty Frag \u578b\u306e\u521d\u671f\u72b6\u614b\u306f\u3001\u8aad\u307f\u53d6\u308a\u5c02\u7528\u306e file-backed shared page \u304c\u4f4e\u6a29\u9650\u4e3b\u4f53\u306b\u3088\u3063\u3066\u5165\u529b\u3068\u3057\u3066\u6271\u308f\u308c\u3001\u5f8c\u3067 root \u6587\u8108\u3067\u8aad\u307e\u308c\u5f97\u308b\u72b6\u614b\u3067\u3042\u308b\u3002\u3053\u306e\u521d\u671f\u72b6\u614b\u3092\u3001\u524d\u7ae0\u306e\u8a18\u53f7\u3067\u8868\u3059\u3002\u3053\u3053\u3067\u306f\u3001\\(P = file\\text{-}backed\\)\u3001\\(W = read\\text{-}only\\)\u3001\\(S = shared\\)\u3001\\(T = input\\)\u3001\\(A = unprivileged\\)\u3001\\(C = root\\text{-}reachable\\) \u3068\u7f6e\u304f\u3002<\/p>\n

\n\\[
\nM_0 = (P=file\\text{-}backed,\\; W=read\\text{-}only,\\; S=shared,\\; T=input,\\; A=unprivileged,\\; C=root\\text{-}reachable)
\n\\]\n<\/div>\n

\u3053\u306e\u5f0f\u306f\u3001\u521d\u671f\u72b6\u614b \\(M_0\\) \u3092\u5177\u4f53\u7684\u306b\u66f8\u3044\u305f\u3082\u306e\u3067\u3042\u308b\u3002\\(P=file\\text{-}backed\\) \u306f\u3001\u5bfe\u8c61\u304c\u901a\u5e38\u30d5\u30a1\u30a4\u30eb\u7531\u6765\u306e page cache \u3067\u3042\u308b\u3053\u3068\u3092\u8868\u3059\u3002\\(W=read\\text{-}only\\) \u306f\u3001\u547c\u3073\u51fa\u3057\u5143\u304c\u305d\u306e page \u3092\u66f8\u304d\u63db\u3048\u308b\u6a29\u9650\u3092\u6301\u305f\u306a\u3044\u3053\u3068\u3092\u8868\u3059\u3002\\(S=shared\\) \u306f\u3001\u305d\u306e page \u304c\u5171\u6709\u3055\u308c\u3001\u5225\u306e\u6587\u8108\u3067\u8aad\u307e\u308c\u5f97\u308b\u3053\u3068\u3092\u8868\u3059\u3002\\(T=input\\) \u306f\u3001\u305d\u306e page \u304c\u5165\u529b\u3068\u3057\u3066\u6e21\u3055\u308c\u305f\u3053\u3068\u3092\u8868\u3059\u3002\\(A=unprivileged\\) \u306f\u3001\u64cd\u4f5c\u4e3b\u4f53\u304c\u4f4e\u6a29\u9650\u30e6\u30fc\u30b6\u30fc\u3067\u3042\u308b\u3053\u3068\u3092\u8868\u3059\u3002\\(C=root\\text{-}reachable\\) \u306f\u3001\u305d\u306e page \u304c\u5f8c\u3067 root \u6587\u8108\u3067\u8aad\u307e\u308c\u5f97\u308b\u3053\u3068\u3092\u8868\u3059\u3002<\/p>\n

\u3053\u306e\u72b6\u614b\u3067\u5b88\u308b\u3079\u304d\u4e0d\u5909\u6761\u4ef6\u306f\u3001\u6b21\u306e\u3088\u3046\u306b\u8868\u305b\u308b\u3002<\/p>\n

\n\\[
\nP = file\\text{-}backed \\land W = read\\text{-}only \\land S = shared \\Rightarrow no\\_inplace\\_write
\n\\]\n<\/div>\n

\u3053\u306e\u5f0f\u306f\u3001file-backed \u3067\u3001read-only \u3067\u3001shared \u3067\u3042\u308b page \u306b\u5bfe\u3057\u3066\u306f\u3001in-place write \u3092\u3057\u3066\u306f\u306a\u3089\u306a\u3044\u3001\u3068\u3044\u3046\u6761\u4ef6\u3092\u8868\u3059\u3002\u5de6\u8fba\u306f\u3001\u5371\u967a\u306a page \u306e\u6027\u8cea\u3092\u8868\u3057\u3066\u3044\u308b\u3002\\(P = file\\text{-}backed\\) \u306b\u3088\u3063\u3066\u3001\u305d\u306e page \u306f\u30d5\u30a1\u30a4\u30eb\u5185\u5bb9\u3068\u5bfe\u5fdc\u3057\u3066\u3044\u308b\u3002\\(W = read\\text{-}only\\) \u306b\u3088\u3063\u3066\u3001\u547c\u3073\u51fa\u3057\u5143\u306f\u305d\u306e page \u3092\u66f8\u3044\u3066\u306f\u306a\u3089\u306a\u3044\u3002\\(S = shared\\) \u306b\u3088\u3063\u3066\u3001\u305d\u306e page \u306f\u5225\u6587\u8108\u3067\u518d\u5229\u7528\u3055\u308c\u5f97\u308b\u3002\u3053\u306e 3 \u3064\u304c\u305d\u308d\u3046\u306a\u3089\u3001\u53f3\u8fba\u306e \\(no\\_inplace\\_write\\)\u3001\u3059\u306a\u308f\u3061 in-place \u306b\u66f8\u304d\u63db\u3048\u3066\u306f\u306a\u3089\u306a\u3044\u3068\u3044\u3046\u5236\u7d04\u304c\u5fc5\u8981\u306b\u306a\u308b\u3002<\/p>\n

\u9006\u306b\u3001\u5371\u967a\u306a\u72b6\u614b\u306f\u6b21\u306e\u3088\u3046\u306b\u8868\u305b\u308b\u3002<\/p>\n

\n\\[
\nP = file\\text{-}backed \\land W = read\\text{-}only \\land S = shared \\land T = output
\n\\]\n<\/div>\n

\u3053\u306e\u5f0f\u306f\u3001file-backed\u3001read-only\u3001shared \u3067\u3042\u308b page \u304c\u3001\u51fa\u529b\u5148 \\(T = output\\) \u3068\u3057\u3066\u6271\u308f\u308c\u3066\u3044\u308b\u72b6\u614b\u3092\u8868\u3059\u3002\u3053\u308c\u306f\u5b89\u5168\u4e0a\u306e\u77db\u76fe\u3067\u3042\u308b\u3002\u8aad\u307f\u53d6\u308a\u5c02\u7528\u3067\u5171\u6709\u3055\u308c\u3066\u3044\u308b file-backed page \u306f\u3001\u4f4e\u6a29\u9650\u30e6\u30fc\u30b6\u30fc\u306e\u51e6\u7406\u3067\u306f\u5165\u529b\u3068\u3057\u3066\u53c2\u7167\u3055\u308c\u308b\u3053\u3068\u306f\u3042\u3063\u3066\u3082\u3001\u51fa\u529b\u5148\u306b\u306a\u3063\u3066\u306f\u306a\u3089\u306a\u3044\u3002\u3057\u305f\u304c\u3063\u3066\u3001\u3053\u306e\u5f0f\u304c\u6210\u7acb\u3059\u308b\u7d4c\u8def\u306f\u3001\u8aad\u307f\u53d6\u308a\u6a29\u9650\u3092\u5b9f\u8cea\u7684\u306a\u66f8\u304d\u63db\u3048\u80fd\u529b\u3078\u5909\u8cea\u3055\u305b\u308b\u3002<\/p>\n\n\n\n\n\n\n\n
\u5f0f<\/th>\n\u610f\u5473<\/th>\nCopy Fail \u3067\u306e\u73fe\u308c\u65b9<\/th>\nDirty Frag \u3067\u306e\u73fe\u308c\u65b9<\/th>\n<\/tr>\n<\/thead>\n
\\(M_0 = (P=file\\text{-}backed,\\; W=read\\text{-}only,\\; S=shared,\\; T=input,\\; A=unprivileged,\\; C=root\\text{-}reachable)\\)<\/td>\n\u4f4e\u6a29\u9650\u30e6\u30fc\u30b6\u30fc\u304c\u3001\u5f8c\u3067 root \u6587\u8108\u3067\u8aad\u307e\u308c\u5f97\u308b\u8aad\u307f\u53d6\u308a\u5c02\u7528 file-backed shared page \u3092\u5165\u529b\u3068\u3057\u3066\u6271\u3063\u3066\u3044\u308b\u3002<\/td>\n\u8aad\u307f\u53d6\u308a\u53ef\u80fd\u306a setuid binary \u306a\u3069\u306e page cache \u304c\u3001\u6697\u53f7\u51e6\u7406\u7d4c\u8def\u306b\u6e21\u3055\u308c\u308b\u3002<\/td>\npipe \u3084 skb frag \u3092\u7d4c\u7531\u3057\u3066\u3001\u8aad\u307f\u53d6\u308a\u5c02\u7528\u7531\u6765\u306e page \u304c\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u51e6\u7406\u7d4c\u8def\u306b\u6e21\u3055\u308c\u308b\u3002<\/td>\n<\/tr>\n
\\(P = file\\text{-}backed \\land W = read\\text{-}only \\land S = shared \\Rightarrow no\\_inplace\\_write\\)<\/td>\n\u8aad\u307f\u53d6\u308a\u5c02\u7528 file-backed shared page \u306f in-place write \u3057\u3066\u306f\u306a\u3089\u306a\u3044\u3002<\/td>\nscatterlist \u7d4c\u7531\u3067 writable destination \u306b\u5165\u308c\u3066\u306f\u306a\u3089\u306a\u3044\u3002<\/td>\nshared skb frag \u306b\u5bfe\u3057\u3066 private copy \u306a\u3057\u3067 in-place \u51e6\u7406\u3057\u3066\u306f\u306a\u3089\u306a\u3044\u3002<\/td>\n<\/tr>\n
\\(P = file\\text{-}backed \\land W = read\\text{-}only \\land S = shared \\land T = output\\)<\/td>\n\u8aad\u307f\u53d6\u308a\u5c02\u7528 file-backed shared page \u304c\u51fa\u529b\u5148\u3068\u3057\u3066\u6271\u308f\u308c\u3066\u3044\u308b\u5371\u967a\u72b6\u614b\u3067\u3042\u308b\u3002<\/td>\nalgif_aead \u3068 scatterlist \u306e\u7d4c\u8def\u3067\u3053\u306e\u72b6\u614b\u304c\u6210\u7acb\u3057\u5f97\u308b\u3002<\/td>\nxfrm-ESP\u3001RxRPC\u3001skb frag \u306e\u7d4c\u8def\u3067\u3053\u306e\u72b6\u614b\u304c\u6210\u7acb\u3057\u5f97\u308b\u3002<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

\u3053\u306e\u5f0f\u306f\u3001Copy Fail \u3068 Dirty Frag \u306e\u540c\u578b\u6027\u3092\u8868\u3057\u3066\u3044\u308b\u3002Copy Fail \u3067\u306f\u3001scatterlist \u7d4c\u7531\u3067\u5165\u529b page \u304c writable destination \u3068\u3057\u3066\u6271\u308f\u308c\u308b\u3053\u3068\u3067\u3001\u3053\u306e\u6761\u4ef6\u304c\u7834\u308c\u305f\u3002Dirty Frag \u3067\u306f\u3001skb frag\u3001ESP\u3001RxRPC \u306e\u7d4c\u8def\u3067\u3001shared page \u306b\u5bfe\u3059\u308b private copy \u304c\u5341\u5206\u306b\u884c\u308f\u308c\u305a\u3001in-place \u51e6\u7406\u306b\u9032\u3080\u3053\u3068\u3067\u3001\u3053\u306e\u6761\u4ef6\u304c\u7834\u308c\u305f\u3002\u5165\u53e3\u306f\u9055\u3046\u3002\u3057\u304b\u3057\u3001read-only file-backed shared page \u304c output \u5316\u3059\u308b\u3068\u3044\u3046\u69cb\u9020\u306f\u540c\u3058\u3067\u3042\u308b\u3002<\/p>\n

\u3053\u3053\u3067\u6ce8\u610f\u3059\u3079\u304d\u306a\u306e\u306f\u3001\u3053\u306e\u6570\u5f0f\u304c Dirty Frag \u3084 Copy Fail \u306e exploit \u624b\u9806\u3092\u8a18\u8ff0\u3057\u3066\u3044\u308b\u308f\u3051\u3067\u306f\u306a\u3044\u3068\u3044\u3046\u70b9\u3067\u3042\u308b\u3002\u3053\u306e\u6570\u5f0f\u306f\u3001\u500b\u5225 exploit \u306e\u8a73\u7d30\u3067\u306f\u306a\u304f\u3001\u4e21\u8005\u306b\u5171\u901a\u3059\u308b\u5b89\u5168\u6761\u4ef6\u306e\u7834\u308c\u3092\u8868\u3057\u3066\u3044\u308b\u3002\u3057\u305f\u304c\u3063\u3066\u3001\u6570\u5f0f\u306e\u5f79\u5272\u306f\u4e88\u6e2c\u3084\u691c\u51fa\u3067\u306f\u306a\u304f\u3001\u62bd\u8c61\u69cb\u9020\u306e\u6574\u7406\u3067\u3042\u308b\u3002Copy Fail \u304c crypto API \u306e\u554f\u984c\u306b\u898b\u3048\u3001Dirty Frag \u304c networking \u306e\u554f\u984c\u306b\u898b\u3048\u3066\u3082\u3001\u540c\u3058\u5f0f\u3067\u8aad\u3081\u308b\u306e\u306f\u3001\u4e21\u8005\u304c\u540c\u3058\u4e0d\u5909\u6761\u4ef6\u3092\u7834\u3063\u3066\u3044\u308b\u304b\u3089\u3067\u3042\u308b\u3002<\/p>\n

\n

17. \u6a2a\u5c55\u958b\u8abf\u67fb\u3082\u30e2\u30c7\u30eb\u304b\u3089\u5c0e\u3051\u308b<\/h2>\n

\u610f\u5473\u4fdd\u5b58\u30e2\u30c7\u30eb\u3092\u4f7f\u3046\u3068\u3001\u6a2a\u5c55\u958b\u8abf\u67fb\u306e\u89b3\u70b9\u3082\u660e\u78ba\u306b\u306a\u308b\u3002\u898b\u308b\u3079\u304d\u306a\u306e\u306f\u3001\u3069\u306e\u30b5\u30d6\u30b7\u30b9\u30c6\u30e0\u540d\u304b\u3067\u306f\u306a\u3044\u3002\u3069\u306e\u9077\u79fb\u3067 \\(M\\) \u306e\u3069\u306e\u6210\u5206\u304c\u5931\u308f\u308c\u308b\u304b\u3067\u3042\u308b\u3002\u3064\u307e\u308a\u3001\u8abf\u67fb\u5bfe\u8c61\u306f\u300calgif_aead \u306b\u4f3c\u3066\u3044\u308b\u304b\u300d\u300cxfrm-ESP \u306b\u4f3c\u3066\u3044\u308b\u304b\u300d\u3067\u306f\u306a\u304f\u3001\u300c\\(P\\)\u3001\\(W\\)\u3001\\(S\\)\u3001\\(T\\)\u3001\\(A\\)\u3001\\(C\\) \u306e\u5fc5\u8981\u306a\u5236\u7d04\u304c\u3001\u51e6\u7406\u7d4c\u8def\u306e\u9014\u4e2d\u3067\u843d\u3061\u308b\u304b\u300d\u3067\u6c7a\u307e\u308b\u3002<\/p>\n

\u3053\u306e\u89b3\u70b9\u304b\u3089\u898b\u308b\u3068\u3001zero-copy \u306f \\(D\\) \u306e copy \u3092\u907f\u3051\u308b\u51e6\u7406\u3067\u3042\u308b\u3002\u3057\u304b\u3057\u3001\\(D\\) \u3092 copy \u3057\u306a\u3044\u306a\u3089\u3001\\(M\\) \u3092\u6b63\u3057\u304f\u904b\u3076\u5fc5\u8981\u304c\u3042\u308b\u3002provenance \\(P\\) \u3068 sharing \\(S\\) \u304c\u5f8c\u6bb5\u3078\u4f1d\u308f\u3089\u306a\u3051\u308c\u3070\u3001file-backed shared page \u304c\u5358\u306a\u308b buffer \u3068\u3057\u3066\u6271\u308f\u308c\u308b\u3002in-place crypto \u306f performance \u3092\u4e0a\u3052\u308b\u51e6\u7406\u3067\u3042\u308b\u3002\u3057\u304b\u3057\u3001direction \\(T\\) \u3068 writability \\(W\\) \u304c\u4fdd\u5b58\u3055\u308c\u306a\u3051\u308c\u3070\u3001input \u3067\u3042\u308a read-only \u3067\u3042\u308b page \u304c output \u306b\u306a\u308b\u3002async I\/O \u306f throughput \u3092\u9ad8\u3081\u308b\u51e6\u7406\u3067\u3042\u308b\u3002\u3057\u304b\u3057\u3001lifetime \\(L\\) \u3068 authority \\(A\\) \u304c\u4fdd\u5b58\u3055\u308c\u306a\u3051\u308c\u3070\u3001submit \u6642\u70b9\u3067\u306f\u5b89\u5168\u3060\u3063\u305f buffer \u3084\u6a29\u9650\u6587\u8108\u304c completion \u6642\u70b9\u3067\u306f\u5225\u306e\u610f\u5473\u3092\u6301\u3064\u53ef\u80fd\u6027\u304c\u3042\u308b\u3002<\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n
\u6a2a\u5c55\u958b\u5bfe\u8c61<\/th>\n\u5931\u308f\u308c\u3084\u3059\u3044 \\(M\\) \u306e\u6210\u5206<\/th>\n\u5371\u967a\u306e\u5f62<\/th>\n\u78ba\u8a8d\u3059\u3079\u304d\u4e0d\u5909\u6761\u4ef6<\/th>\n<\/tr>\n<\/thead>\n
zero-copy<\/td>\n\\(P\\)\u3001\\(S\\)\u3001\\(O\\)\u3001\\(W\\)<\/td>\ncopy \u3092\u7701\u7565\u3057\u305f page \u53c2\u7167\u304c\u3001\u7531\u6765\u3084\u5171\u6709\u6027\u3092\u5931\u3063\u305f\u307e\u307e\u5f8c\u6bb5\u3078\u6e21\u308b\u3002<\/td>\nfile-backed shared page \u3067\u3042\u308b\u3053\u3068\u304c\u3001\u5f8c\u6bb5\u51e6\u7406\u3067\u3082\u4fdd\u6301\u3055\u308c\u3066\u3044\u308b\u304b\u3092\u78ba\u8a8d\u3059\u308b\u3002<\/td>\n<\/tr>\n
splice \/ pipe buffer<\/td>\n\\(P\\)\u3001\\(S\\)\u3001\\(T\\)<\/td>\n\u8aad\u307f\u53d6\u308a\u5bfe\u8c61\u306e page cache \u304c\u3001pipe \u3092\u7d4c\u7531\u3057\u3066\u5225\u306e\u51e6\u7406\u5bfe\u8c61\u3078\u79fb\u308b\u3002<\/td>\n\u5165\u529b\u3068\u3057\u3066\u6e21\u3055\u308c\u305f page \u304c\u3001\u51fa\u529b\u5148\u307e\u305f\u306f\u4f5c\u696d\u9818\u57df\u3068\u3057\u3066\u6271\u308f\u308c\u306a\u3044\u304b\u3092\u78ba\u8a8d\u3059\u308b\u3002<\/td>\n<\/tr>\n
scatterlist<\/td>\n\\(W\\)\u3001\\(T\\)\u3001\\(S\\)<\/td>\n\u8907\u6570 page \u3092\u307e\u3068\u3081\u308b\u904e\u7a0b\u3067\u3001source \u3068 destination \u306e\u610f\u5473\u304c\u6df7\u3056\u308b\u3002<\/td>\nread-only shared page \u304c writable destination \u306b\u5165\u3089\u306a\u3044\u304b\u3092\u78ba\u8a8d\u3059\u308b\u3002<\/td>\n<\/tr>\n
skb frag<\/td>\n\\(P\\)\u3001\\(S\\)\u3001\\(T\\)<\/td>\n\u30cd\u30c3\u30c8\u30ef\u30fc\u30af fragment \u3068\u3057\u3066\u6271\u308f\u308c\u308b\u904e\u7a0b\u3067\u3001page \u306e\u7531\u6765\u3084\u5171\u6709\u6027\u304c\u8584\u307e\u308b\u3002<\/td>\nshared frag \u3067\u3042\u308c\u3070 private copy \u304c\u5fc5\u8981\u306a\u5834\u9762\u3067\u3001in-place \u51e6\u7406\u306b\u9032\u307e\u306a\u3044\u304b\u3092\u78ba\u8a8d\u3059\u308b\u3002<\/td>\n<\/tr>\n
in-place crypto<\/td>\n\\(W\\)\u3001\\(T\\)\u3001\\(A\\)<\/td>\n\u5165\u529b buffer \u3092\u51fa\u529b buffer \u3068\u3057\u3066\u518d\u5229\u7528\u3057\u3001\u8aad\u307f\u53d6\u308a\u5c02\u7528\u7531\u6765\u306e page \u3092\u66f8\u304d\u63db\u3048\u308b\u3002<\/td>\ninput \u304b\u3064 read-only \u306e page \u304c output \u3068\u3057\u3066\u6271\u308f\u308c\u306a\u3044\u304b\u3092\u78ba\u8a8d\u3059\u308b\u3002<\/td>\n<\/tr>\n
compression \/ decompression<\/td>\n\\(T\\)\u3001\\(W\\)\u3001\\(L\\)<\/td>\n\u5909\u63db\u51e6\u7406\u306e\u9014\u4e2d\u3067\u3001\u5165\u529b buffer \u3068\u51fa\u529b buffer \u3084 scratch buffer \u306e\u5883\u754c\u304c\u66d6\u6627\u306b\u306a\u308b\u3002<\/td>\n\u5165\u529b page \u304c\u4f5c\u696d\u9818\u57df\u3068\u3057\u3066\u66f8\u304d\u63db\u3048\u3089\u308c\u306a\u3044\u304b\u3001\u51fa\u529b\u5148\u306e lifetime \u304c\u6b63\u3057\u3044\u304b\u3092\u78ba\u8a8d\u3059\u308b\u3002<\/td>\n<\/tr>\n
tunnel \/ encapsulation<\/td>\n\\(P\\)\u3001\\(S\\)\u3001\\(T\\)\u3001\\(C\\)<\/td>\npayload \u304c\u8907\u6570\u306e\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u5c64\u3084\u6697\u53f7\u5c64\u3092\u901a\u904e\u3059\u308b\u904e\u7a0b\u3067\u3001page \u306e\u610f\u5473\u304c\u8584\u307e\u308b\u3002<\/td>\n\u5143\u306e page \u304c\u9ad8\u6a29\u9650\u6587\u8108\u3067\u8aad\u307e\u308c\u5f97\u308b\u5834\u5408\u3001\u305d\u306e\u610f\u5473\u304c\u5f8c\u6bb5\u307e\u3067\u4fdd\u5b58\u3055\u308c\u3066\u3044\u308b\u304b\u3092\u78ba\u8a8d\u3059\u308b\u3002<\/td>\n<\/tr>\n
io_uring \/ async I\/O<\/td>\n\\(L\\)\u3001\\(A\\)\u3001\\(O\\)\u3001\\(T\\)<\/td>\nsubmit \u6642\u70b9\u3068 completion \u6642\u70b9\u3067\u3001buffer\u3001file\u3001credential\u3001\u6a29\u9650\u6587\u8108\u304c\u305a\u308c\u308b\u3002<\/td>\n\u975e\u540c\u671f\u5883\u754c\u3092\u8d8a\u3048\u3066\u3001lifetime \u3068 authority \u304c\u4fdd\u5b58\u3055\u308c\u3066\u3044\u308b\u304b\u3092\u78ba\u8a8d\u3059\u308b\u3002<\/td>\n<\/tr>\n
filesystem layer \/ overlayfs \/ FUSE<\/td>\n\\(P\\)\u3001\\(O\\)\u3001\\(W\\)\u3001\\(C\\)<\/td>\n\u4e0a\u4f4d\u30d5\u30a1\u30a4\u30eb\u30b7\u30b9\u30c6\u30e0\u306e\u6a29\u9650\u610f\u5473\u3068\u4e0b\u4f4d\u5b9f\u4f53\u306e page \u3084 object \u306e\u610f\u5473\u304c\u305a\u308c\u308b\u3002<\/td>\n\u4e0a\u4f4d\u3067 read-only \u306b\u898b\u3048\u308b\u5bfe\u8c61\u304c\u3001\u4e0b\u4f4d\u3067 writable \u306a\u5225\u6587\u8108\u3068\u3057\u3066\u6271\u308f\u308c\u306a\u3044\u304b\u3092\u78ba\u8a8d\u3059\u308b\u3002<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

\u3053\u306e\u3088\u3046\u306b\u3001\u6570\u7406\u30e2\u30c7\u30eb\u306f\u8106\u5f31\u6027\u3092\u4e88\u6e2c\u3059\u308b\u305f\u3081\u3067\u306f\u306a\u304f\u3001\u540c\u3058\u69cb\u9020\u3092\u898b\u629c\u304f\u305f\u3081\u306b\u4f7f\u3046\u3002Dirty Frag \u306f\u3001Copy Fail \u3068\u540c\u3058\u4e0d\u5909\u6761\u4ef6\u9055\u53cd\u306e\u5225\u5165\u53e3\u3067\u3042\u308b\u3002\u3057\u305f\u304c\u3063\u3066\u3001\u6a2a\u5c55\u958b\u8abf\u67fb\u3067\u306f\u3001\u65e2\u77e5\u306e\u30e2\u30b8\u30e5\u30fc\u30eb\u540d\u3092\u6697\u8a18\u3059\u308b\u306e\u3067\u306f\u306a\u304f\u3001\u610f\u5473\u306e\u3069\u306e\u6210\u5206\u304c\u3069\u306e\u9077\u79fb\u3067\u5931\u308f\u308c\u308b\u304b\u3092\u898b\u308b\u5fc5\u8981\u304c\u3042\u308b\u3002<\/p>\n

\u6700\u7d42\u7684\u306b\u3001\u6a2a\u5c55\u958b\u8abf\u67fb\u306f\u6b21\u306e\u554f\u3044\u306b\u96c6\u7d04\u3067\u304d\u308b\u3002\u51e6\u7406\u5bfe\u8c61 \\(X=(D,M)\\) \u304c\u30b5\u30d6\u30b7\u30b9\u30c6\u30e0\u5883\u754c\u3092\u8d8a\u3048\u308b\u3068\u304d\u3001\\(D\\) \u3060\u3051\u3067\u306a\u304f \\(M\\) \u3082\u4fdd\u5b58\u3055\u308c\u3066\u3044\u308b\u304b\u3002\u7279\u306b\u3001read-only file-backed shared page \u304c\u95a2\u4e0e\u3059\u308b\u5834\u5408\u3001\\(P\\)\u3001\\(W\\)\u3001\\(S\\)\u3001\\(T\\)\u3001\\(A\\)\u3001\\(C\\) \u306f\u5f8c\u6bb5\u3067\u3082\u6b63\u3057\u304f\u4fdd\u6301\u3055\u308c\u3066\u3044\u308b\u304b\u3002\u3053\u306e\u554f\u3044\u306b\u7b54\u3048\u3089\u308c\u306a\u3044\u7d4c\u8def\u306f\u3001Copy Fail \/ Dirty Frag \u578b\u306e bug class \u3068\u3057\u3066\u7591\u3046\u3079\u304d\u3067\u3042\u308b\u3002<\/p>\n

\n

18. \u904b\u7528\u8ad6\u3067\u306f kernel update \u3068 reboot \u304c\u672c\u7b4b\u3067\u3042\u308b<\/h2>\n

\u904b\u7528\u4e0a\u306f\u3001Dirty Frag \u306e\u5bfe\u5fdc\u306f\u8907\u96d1\u306b\u898b\u3048\u308b\u3002\u3057\u304b\u3057\u3001\u539f\u5247\u306f\u5358\u7d14\u3067\u3042\u308b\u3002\u672a\u4fee\u6b63\u671f\u9593\u306b\u306f\u3001\u4e0d\u8981\u306a\u5165\u53e3\u3092\u7121\u52b9\u5316\u3057\u3066\u6642\u9593\u3092\u7a3c\u3050\u3002\u4fee\u6b63\u6e08\u307f kernel \u304c\u63d0\u4f9b\u3055\u308c\u305f\u3089\u66f4\u65b0\u3059\u308b\u3002\u305d\u3057\u3066\u518d\u8d77\u52d5\u3057\u3001\u5b9f\u969b\u306b\u4fee\u6b63\u6e08\u307f kernel \u3067\u8d77\u52d5\u3057\u3066\u3044\u308b\u3053\u3068\u3092\u78ba\u8a8d\u3059\u308b\u3002\u3053\u306e\u6d41\u308c\u306f Copy Fail \u3067\u3082 Dirty Frag \u3067\u3082\u5909\u308f\u3089\u306a\u3044\u3002\u9055\u3046\u306e\u306f\u3001\u66ab\u5b9a\u7684\u306b\u585e\u3050\u5165\u53e3\u306e\u540d\u524d\u3067\u3042\u308a\u3001\u6839\u672c\u5bfe\u7b56\u306e\u69cb\u9020\u3067\u306f\u306a\u3044\u3002<\/p>\n

Unit 42 \u3084 Bugcrowd \u306e Copy Fail \u89e3\u8aac\u3082\u3001Copy Fail \u3092 deterministic logic flaw\u3001AF_ALG \/ algif_aead \/ splice \/ page cache \u306e\u7d50\u5408\u3068\u3057\u3066\u8aac\u660e\u3057\u3001\u5b9f\u52d9\u4e0a\u306f kernel \u66f4\u65b0\u3092\u512a\u5148\u3059\u3079\u304d\u554f\u984c\u3068\u3057\u3066\u6271\u3063\u3066\u3044\u308b[27]<\/a>[28]<\/a>\u3002Theori \u306e Copy Fail \u516c\u958b\u60c5\u5831\u3082\u3001\u3053\u306e\u8106\u5f31\u6027\u304c algif_aead \u3068 page cache \u3092\u4ecb\u3059\u308b LPE \u3068\u3057\u3066\u6ce8\u76ee\u3055\u308c\u305f\u80cc\u666f\u306b\u3042\u308b[29]<\/a>\u3002\u3064\u307e\u308a\u3001Copy Fail \u3067\u3082 Dirty Frag \u3067\u3082\u3001\u8106\u5f31\u6027\u306e\u6280\u8853\u7684\u5165\u53e3\u306f\u7570\u306a\u308b\u304c\u3001\u904b\u7528\u4e0a\u306e\u7d42\u7740\u70b9\u306f\u4fee\u6b63\u6e08\u307f kernel \u3067\u8d77\u52d5\u3059\u308b\u3053\u3068\u306b\u3042\u308b\u3002<\/p>\n\n\n\n\n\n\n\n\n\n\n
\u5bfe\u5fdc\u6bb5\u968e<\/th>\n\u5b9f\u65bd\u5185\u5bb9<\/th>\n\u76ee\u7684<\/th>\n\u6ce8\u610f\u70b9<\/th>\n<\/tr>\n<\/thead>\n
\u5f71\u97ff\u78ba\u8a8d<\/td>\n\u5bfe\u8c61 kernel\u3001\u914d\u5e03\u5143\u306e advisory\u3001\u5bfe\u8c61 CVE\u3001\u30ed\u30fc\u30c9\u6e08\u307f module\u3001\u5229\u7528\u4e2d\u6a5f\u80fd\u3092\u78ba\u8a8d\u3059\u308b\u3002<\/td>\n\u81ea\u5206\u306e\u74b0\u5883\u304c Dirty Frag \u306e\u5f71\u97ff\u3092\u53d7\u3051\u308b\u304b\u3001\u3069\u306e\u7a0b\u5ea6\u6025\u3050\u3079\u304d\u304b\u3092\u5224\u65ad\u3059\u308b\u3002<\/td>\nCVE \u306e\u5b58\u5728\u3060\u3051\u3067\u5224\u65ad\u305b\u305a\u3001\u5b9f\u969b\u306e kernel version\u3001module\u3001\u5229\u7528\u6a5f\u80fd\u3001\u4f4e\u6a29\u9650\u5b9f\u884c\u7d4c\u8def\u3092\u898b\u308b\u5fc5\u8981\u304c\u3042\u308b\u3002<\/td>\n<\/tr>\n
\u66ab\u5b9a\u7de9\u548c<\/td>\n\u672a\u4fee\u6b63\u671f\u9593\u306b\u4e0d\u8981\u306a esp4\u3001esp6\u3001rxrpc \u306a\u3069\u306e\u5165\u53e3\u3092\u7121\u52b9\u5316\u3059\u308b\u3002<\/td>\n\u4fee\u6b63\u6e08\u307f kernel \u3078\u79fb\u884c\u3059\u308b\u307e\u3067\u3001\u65e2\u77e5\u306e exploit \u7d4c\u8def\u3078\u5230\u9054\u3057\u306b\u304f\u304f\u3059\u308b\u3002<\/td>\nIPsec ESP\u3001AFS\u3001RxRPC \u3092\u5229\u7528\u3057\u3066\u3044\u308b\u74b0\u5883\u3067\u306f\u6a5f\u80fd\u5f71\u97ff\u304c\u51fa\u308b\u305f\u3081\u3001\u7121\u6761\u4ef6\u306b\u9069\u7528\u3057\u3066\u3088\u3044\u308f\u3051\u3067\u306f\u306a\u3044\u3002<\/td>\n<\/tr>\n
cache \u6c5a\u67d3\u5bfe\u51e6<\/td>\n\u6c5a\u67d3\u304c\u7591\u308f\u308c\u308b\u5834\u5408\u306f drop_caches \u3084 reboot \u306b\u3088\u3063\u3066\u5b9f\u884c\u6642\u72b6\u614b\u3092\u521d\u671f\u5316\u3059\u308b\u3002<\/td>\n\u30c7\u30a3\u30b9\u30af\u4e0a\u3067\u306f\u306a\u304f page cache \u4e0a\u306b\u6b8b\u3063\u305f\u53ef\u80fd\u6027\u306e\u3042\u308b\u6c5a\u67d3\u3092\u6d88\u3059\u3002<\/td>\ndrop_caches \u306f\u8106\u5f31\u6027\u4fee\u6b63\u3067\u306f\u306a\u304f\u3001\u6c5a\u67d3\u6e08\u307f\u72b6\u614b\u3092\u6368\u3066\u308b\u305f\u3081\u306e\u7dca\u6025\u51e6\u7f6e\u3067\u3042\u308b\u3002<\/td>\n<\/tr>\n
kernel \u66f4\u65b0<\/td>\n\u914d\u5e03\u5143\u304c\u63d0\u4f9b\u3059\u308b\u4fee\u6b63\u6e08\u307f kernel package \u3092\u9069\u7528\u3059\u308b\u3002<\/td>\n\u8106\u5f31\u306a\u51e6\u7406\u7d4c\u8def\u305d\u306e\u3082\u306e\u3092\u4fee\u6b63\u3059\u308b\u3002<\/td>\npackage \u3092\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3057\u305f\u3060\u3051\u3067\u306f\u3001\u5b9f\u884c\u4e2d kernel \u306f\u5207\u308a\u66ff\u308f\u3089\u306a\u3044\u3002<\/td>\n<\/tr>\n
\u518d\u8d77\u52d5<\/td>\n\u30b7\u30b9\u30c6\u30e0\u3092 reboot \u3057\u3001\u4fee\u6b63\u6e08\u307f kernel \u3067\u8d77\u52d5\u3059\u308b\u3002<\/td>\n\u4fee\u6b63\u6e08\u307f kernel \u3092\u5b9f\u969b\u306b\u6709\u52b9\u5316\u3057\u3001\u53e4\u3044 kernel \u3068\u5b9f\u884c\u6642 cache \u72b6\u614b\u3092\u6368\u3066\u308b\u3002<\/td>\n\u518d\u8d77\u52d5\u3057\u306a\u3051\u308c\u3070\u3001\u66f4\u65b0\u6e08\u307f package \u304c\u5b58\u5728\u3057\u3066\u3082\u8106\u5f31\u306a kernel \u3067\u52d5\u304d\u7d9a\u3051\u308b\u53ef\u80fd\u6027\u304c\u3042\u308b\u3002<\/td>\n<\/tr>\n
\u8d77\u52d5\u78ba\u8a8d<\/td>\n\u8d77\u52d5\u4e2d kernel version \u3068\u914d\u5e03\u5143\u306e\u4fee\u6b63\u72b6\u6cc1\u3092\u7167\u5408\u3059\u308b\u3002<\/td>\n\u66f4\u65b0\u3057\u305f\u3064\u3082\u308a\u3067\u65e7 kernel \u306e\u307e\u307e\u904b\u7528\u3059\u308b\u4e8b\u6545\u3092\u9632\u3050\u3002<\/td>\n\u8907\u6570 kernel \u304c\u6b8b\u308b\u74b0\u5883\u3001\u624b\u52d5 boot selection\u3001\u4eee\u60f3\u57fa\u76e4\u3067\u306f\u78ba\u8a8d\u3092\u7701\u7565\u3057\u3066\u306f\u306a\u3089\u306a\u3044\u3002<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

CISA \u306e Known Exploited Vulnerabilities Catalog \u306b Copy Fail \u304c\u8ffd\u52a0\u3055\u308c\u305f\u3053\u3068\u3082\u3001\u904b\u7528\u4e0a\u306e\u91cd\u307f\u3092\u793a\u3057\u3066\u3044\u308b[30]<\/a>\u3002KEV \u306b\u5165\u308b\u3068\u3044\u3046\u3053\u3068\u306f\u3001\u5358\u306b\u7406\u8ad6\u7684\u306b\u5371\u967a\u3067\u3042\u308b\u3068\u3044\u3046\u8a71\u3067\u306f\u306a\u304f\u3001\u5b9f\u969b\u306e\u60aa\u7528\u3084\u904b\u7528\u4e0a\u306e\u512a\u5148\u5ea6\u3092\u8003\u616e\u3059\u3079\u304d\u6bb5\u968e\u306b\u3042\u308b\u3053\u3068\u3092\u610f\u5473\u3059\u308b\u3002Dirty Frag \u306b\u3064\u3044\u3066\u3082\u3001local access \u304c\u524d\u63d0\u3067\u3042\u308b\u3053\u3068\u3060\u3051\u3092\u7406\u7531\u306b\u8efd\u304f\u6271\u3046\u3079\u304d\u3067\u306f\u306a\u3044\u3002\u4f4e\u6a29\u9650\u5b9f\u884c\u306b\u5230\u9054\u3059\u308b\u5225\u306e\u5165\u53e3\u304c\u3042\u308b\u74b0\u5883\u3067\u306f\u3001Dirty Frag \u306f\u4fb5\u5bb3\u5f8c\u306e root \u5316\u306b\u4f7f\u308f\u308c\u308b\u5897\u5e45\u5668\u306b\u306a\u308b\u3002<\/p>\n

\u3057\u305f\u304c\u3063\u3066\u3001\u904b\u7528\u8ad6\u3067\u6700\u3082\u907f\u3051\u308b\u3079\u304d\u8aa4\u89e3\u306f\u3001\u66ab\u5b9a\u5bfe\u7b56\u3092\u6839\u672c\u5bfe\u7b56\u3068\u53d6\u308a\u9055\u3048\u308b\u3053\u3068\u3067\u3042\u308b\u3002module blacklist \u306f\u5165\u53e3\u3092\u9589\u3058\u308b\u305f\u3081\u306e\u4e00\u6642\u7b56\u3067\u3042\u308b\u3002rmmod \u306f\u30ed\u30fc\u30c9\u6e08\u307f\u306e\u5165\u53e3\u3092\u6d88\u3059\u64cd\u4f5c\u3067\u3042\u308b\u3002drop_caches \u306f\u6c5a\u67d3\u6e08\u307f page cache \u3092\u6368\u3066\u308b\u51e6\u7f6e\u3067\u3042\u308b\u3002\u3044\u305a\u308c\u3082\u91cd\u8981\u3060\u304c\u3001\u8106\u5f31\u306a kernel code \u3092\u4fee\u6b63\u3059\u308b\u3082\u306e\u3067\u306f\u306a\u3044\u3002\u6700\u7d42\u7684\u306b\u306f\u3001\u4fee\u6b63\u6e08\u307f kernel \u3092\u5c0e\u5165\u3057\u3001\u305d\u306e kernel \u3067\u518d\u8d77\u52d5\u3057\u3001\u8d77\u52d5\u4e2d kernel \u3092\u78ba\u8a8d\u3059\u308b\u3002\u3053\u306e\u4e00\u9023\u306e\u6d41\u308c\u304c\u3001Copy Fail \u3068 Dirty Frag \u306b\u5171\u901a\u3059\u308b\u904b\u7528\u4e0a\u306e\u672c\u7b4b\u3067\u3042\u308b\u3002<\/p>\n

\n

19. \u8106\u5f31\u6027\u306e\u6d2a\u6c34\u3067\u306f CVE \u3067\u306f\u306a\u304f\u9732\u51fa\u3092\u7ba1\u7406\u3059\u308b<\/h2>\n

Dirty Frag \u306e\u904b\u7528\u4e0a\u306e\u610f\u5473\u306f\u3001\u5358\u306b\u65b0\u3057\u3044 CVE \u304c\u5897\u3048\u305f\u3068\u3044\u3046\u3053\u3068\u3067\u306f\u306a\u3044\u3002\u3088\u308a\u5927\u304d\u306a\u554f\u984c\u306f\u3001\u8106\u5f31\u6027\u306e\u6570\u304c\u5897\u3048\u7d9a\u3051\u308b\u72b6\u6cc1\u3067\u306f\u3001CVE \u756a\u53f7\u3092\u77e5\u308b\u3053\u3068\u3084 CVSS \u3092\u773a\u3081\u308b\u3053\u3068\u3060\u3051\u3067\u306f\u3001\u5b9f\u969b\u306b\u5b88\u308b\u3079\u304d\u74b0\u5883\u306e\u512a\u5148\u9806\u4f4d\u3092\u6c7a\u3081\u3089\u308c\u306a\u304f\u306a\u308b\u3068\u3044\u3046\u70b9\u3067\u3042\u308b\u3002Tenable \u306f\u3001AI \u306b\u3088\u308b\u8106\u5f31\u6027\u767a\u898b\u306e\u52a0\u901f\u3001NVD \u306b\u3088\u308b CVE enrichment \u306e\u7e2e\u5c0f\u3001\u5e74\u9593 CVE \u4ef6\u6570\u306e\u5897\u52a0\u304c\u91cd\u306a\u308a\u3001\u5f93\u6765\u578b\u306e\u8106\u5f31\u6027\u7ba1\u7406\u304c\u9650\u754c\u306b\u6765\u308b\u3068\u8ad6\u3058\u3066\u3044\u308b[31]<\/a>\u3002<\/p>\n

\u3053\u306e\u8b70\u8ad6\u306f\u3001Dirty Frag \u306e\u5f8c\u534a\u306b\u72ec\u7acb\u3057\u305f\u7ae0\u3068\u3057\u3066\u7f6e\u304f\u5fc5\u8981\u304c\u3042\u308b\u3002\u306a\u305c\u306a\u3089\u3001Dirty Frag \u306e\u3088\u3046\u306a LPE \u306f\u3001CVE \u3068\u3057\u3066\u5b58\u5728\u3059\u308b\u3060\u3051\u3067\u306f\u904b\u7528\u4e0a\u306e\u512a\u5148\u5ea6\u304c\u6c7a\u307e\u3089\u306a\u3044\u304b\u3089\u3067\u3042\u308b\u3002\u5bfe\u8c61 host \u306e kernel \u304c\u8a72\u5f53\u3059\u308b\u304b\u3001\u4fee\u6b63\u7248 kernel \u304c\u63d0\u4f9b\u3055\u308c\u3066\u3044\u308b\u304b\u3001\u518d\u8d77\u52d5\u3067\u304d\u308b\u304b\u3001esp4\u3001esp6\u3001rxrpc \u304c\u30ed\u30fc\u30c9\u3055\u308c\u3066\u3044\u308b\u304b\u3001IPsec ESP \u3084 AFS \/ RxRPC \u3092\u4f7f\u3063\u3066\u3044\u308b\u304b\u3001SSH\u3001Web shell\u3001CI runner\u3001container \u306a\u3069\u4f4e\u6a29\u9650\u5b9f\u884c\u7d4c\u8def\u304c\u5b58\u5728\u3059\u308b\u304b\u306b\u3088\u3063\u3066\u3001\u540c\u3058 CVE \u306e\u5b9f\u52d9\u4e0a\u306e\u610f\u5473\u306f\u5909\u308f\u308b\u3002<\/p>\n\n\n\n\n\n\n\n\n\n\n
\u8a55\u4fa1\u8ef8<\/th>\nCVE \u5358\u4f4d\u3067\u898b\u305f\u5834\u5408<\/th>\n\u9732\u51fa\u5358\u4f4d\u3067\u898b\u305f\u5834\u5408<\/th>\nDirty Frag \u3067\u306e\u610f\u5473<\/th>\n<\/tr>\n<\/thead>\n
\u5bfe\u8c61\u5224\u5b9a<\/td>\nCVE \u304c\u5b58\u5728\u3059\u308b\u304b\u3001CVSS \u304c\u9ad8\u3044\u304b\u3092\u898b\u308b\u3002<\/td>\n\u81ea\u5206\u306e kernel\u3001distribution\u3001package \u72b6\u614b\u3001module \u72b6\u614b\u304c\u8a72\u5f53\u3059\u308b\u304b\u3092\u898b\u308b\u3002<\/td>\n\u540c\u3058 CVE \u3067\u3082\u3001\u5bfe\u8c61 kernel \u3067\u306a\u3051\u308c\u3070\u76f4\u63a5\u306e\u5f71\u97ff\u306f\u306a\u3044\u3002<\/td>\n<\/tr>\n
\u653b\u6483\u5230\u9054\u6027<\/td>\n\u8106\u5f31\u6027\u306e\u4e00\u822c\u7684\u8aac\u660e\u3092\u8aad\u3080\u3002<\/td>\n\u305d\u306e host \u4e0a\u3067\u4f4e\u6a29\u9650\u30b3\u30fc\u30c9\u5b9f\u884c\u306b\u81f3\u308b\u7d4c\u8def\u304c\u3042\u308b\u304b\u3092\u898b\u308b\u3002<\/td>\nSSH\u3001Web shell\u3001CI runner\u3001container \u306a\u3069\u304c\u3042\u308b\u74b0\u5883\u3067\u306f\u512a\u5148\u5ea6\u304c\u4e0a\u304c\u308b\u3002<\/td>\n<\/tr>\n
\u6a5f\u80fd\u5229\u7528<\/td>\n\u5f71\u97ff\u3092\u53d7\u3051\u308b module \u540d\u3092\u78ba\u8a8d\u3059\u308b\u3002<\/td>\nesp4\u3001esp6\u3001rxrpc\u3001IPsec ESP\u3001AFS \/ RxRPC \u3092\u5b9f\u969b\u306b\u4f7f\u3063\u3066\u3044\u308b\u304b\u3092\u898b\u308b\u3002<\/td>\n\u4f7f\u3063\u3066\u3044\u306a\u3044 module \u306f\u7121\u52b9\u5316\u3057\u3084\u3059\u3044\u304c\u3001\u4f7f\u3063\u3066\u3044\u308b\u5834\u5408\u306f\u6a5f\u80fd\u5f71\u97ff\u3092\u8003\u3048\u308b\u5fc5\u8981\u304c\u3042\u308b\u3002<\/td>\n<\/tr>\n
\u60aa\u7528\u53ef\u80fd\u6027<\/td>\nPoC \u3084 exploit \u306e\u6709\u7121\u3092\u4e00\u822c\u60c5\u5831\u3068\u3057\u3066\u898b\u308b\u3002<\/td>\n\u81ea\u5206\u306e\u74b0\u5883\u3067 PoC \u6761\u4ef6\u304c\u6e80\u305f\u3055\u308c\u308b\u304b\u3001\u653b\u6483\u8005\u304c\u524d\u63d0\u6a29\u9650\u3092\u5f97\u3084\u3059\u3044\u304b\u3092\u898b\u308b\u3002<\/td>\nLPE \u306f\u4fb5\u5165\u53e3\u3067\u306f\u306a\u304f\u5897\u5e45\u5668\u306a\u306e\u3067\u3001\u65e2\u5b58\u306e\u4fb5\u5165\u53e3\u3068\u306e\u7d44\u307f\u5408\u308f\u305b\u304c\u91cd\u8981\u306b\u306a\u308b\u3002<\/td>\n<\/tr>\n
\u4fee\u6b63\u53ef\u80fd\u6027<\/td>\nadvisory \u306b\u4fee\u6b63\u6e08\u307f\u3068\u66f8\u304b\u308c\u3066\u3044\u308b\u304b\u3092\u898b\u308b\u3002<\/td>\n\u81ea\u5206\u306e\u74b0\u5883\u3067 kernel update \u3068 reboot \u3092\u3044\u3064\u5b9f\u65bd\u3067\u304d\u308b\u304b\u3092\u898b\u308b\u3002<\/td>\n\u66f4\u65b0\u6e08\u307f package \u304c\u3042\u3063\u3066\u3082\u3001\u518d\u8d77\u52d5\u3067\u304d\u306a\u3051\u308c\u3070\u8106\u5f31\u306a kernel \u304c\u6b8b\u308b\u3002<\/td>\n<\/tr>\n
\u512a\u5148\u9806\u4f4d<\/td>\nCVSS\u3001priority\u3001severity \u3092\u6a5f\u68b0\u7684\u306b\u898b\u308b\u3002<\/td>\n\u516c\u958b\u9762\u3001\u4f4e\u6a29\u9650\u5b9f\u884c\u7d4c\u8def\u3001\u4fee\u6b63\u53ef\u5426\u3001\u696d\u52d9\u5f71\u97ff\u3001\u518d\u8d77\u52d5\u53ef\u5426\u3092\u5408\u308f\u305b\u3066\u5224\u65ad\u3059\u308b\u3002<\/td>\n\u516c\u958b\u30b5\u30fc\u30d0\u30fc\u3001\u5171\u6709 login \u74b0\u5883\u3001CI host\u3001container host \u306f\u512a\u5148\u5ea6\u304c\u9ad8\u3044\u3002<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

\u3057\u305f\u304c\u3063\u3066\u3001\u5fc5\u8981\u306a\u306e\u306f CVE \u5358\u4f4d\u306e\u53cd\u5fdc\u3067\u306f\u306a\u304f\u3001\u9732\u51fa\u5358\u4f4d\u306e\u5224\u65ad\u3067\u3042\u308b\u3002Dirty Frag \u3067\u3042\u308c\u3070\u3001\u516c\u958b\u30b5\u30fc\u30d0\u30fc\u3001\u5171\u6709 login \u74b0\u5883\u3001CI host\u3001container host\u3001Web application \u304b\u3089\u4efb\u610f\u30b3\u30fc\u30c9\u5b9f\u884c\u306b\u5230\u9054\u3057\u5f97\u308b host \u306f\u512a\u5148\u5ea6\u304c\u9ad8\u3044\u3002\u4e00\u65b9\u3001\u5916\u90e8\u5b9f\u884c\u7d4c\u8def\u304c\u306a\u304f\u3001\u5358\u72ec\u5229\u7528\u3067\u3001\u8a72\u5f53 module \u3082\u4f7f\u3063\u3066\u3044\u306a\u3044\u74b0\u5883\u3067\u306f\u3001\u7dca\u6025\u5ea6\u306f\u76f8\u5bfe\u7684\u306b\u4e0b\u304c\u308b\u3002\u305f\u3060\u3057\u3001\u7dca\u6025\u5ea6\u304c\u4e0b\u304c\u308b\u3053\u3068\u3068\u3001\u4fee\u6b63\u304c\u4e0d\u8981\u3067\u3042\u308b\u3053\u3068\u306f\u540c\u3058\u3067\u306f\u306a\u3044\u3002\u512a\u5148\u5ea6\u306f\u5bfe\u5fdc\u9806\u3092\u6c7a\u3081\u308b\u305f\u3081\u306e\u6982\u5ff5\u3067\u3042\u308a\u3001\u653e\u7f6e\u3092\u6b63\u5f53\u5316\u3059\u308b\u305f\u3081\u306e\u6982\u5ff5\u3067\u306f\u306a\u3044\u3002<\/p>\n

\u3053\u3053\u3067\u3082\u3001\u6280\u8853\u5c64\u3068\u904b\u7528\u5c64\u306e\u539f\u7406\u306f\u5bfe\u5fdc\u3057\u3066\u3044\u308b\u3002\u6280\u8853\u5c64\u3067\u306f\u3001byte \u5217\u3060\u3051\u3067\u306a\u304f\u3001\u305d\u306e byte \u5217\u306b\u4ed8\u968f\u3059\u308b provenance\u3001writability\u3001sharing\u3001direction\u3001authority\u3001execution context \u3092\u898b\u308b\u5fc5\u8981\u304c\u3042\u3063\u305f\u3002\u904b\u7528\u5c64\u3067\u3082\u540c\u3058\u3067\u3001CVE \u756a\u53f7\u3060\u3051\u3067\u306a\u304f\u3001\u305d\u306e CVE \u304c\u81ea\u5206\u306e\u8cc7\u7523\u3001\u516c\u958b\u9762\u3001\u5b9f\u884c\u7d4c\u8def\u3001\u60aa\u7528\u53ef\u80fd\u6027\u3001\u4fee\u6b63\u53ef\u80fd\u6027\u3001\u518d\u8d77\u52d5\u53ef\u80fd\u6027\u306e\u4e2d\u3067\u3069\u306e\u610f\u5473\u3092\u6301\u3064\u304b\u3092\u898b\u308b\u5fc5\u8981\u304c\u3042\u308b\u3002\u8106\u5f31\u6027\u7ba1\u7406\u3068\u306f\u3001CVE \u3092\u53ce\u96c6\u3059\u308b\u4f5c\u696d\u3067\u306f\u306a\u304f\u3001\u81ea\u5206\u306e\u74b0\u5883\u306b\u304a\u3051\u308b\u9732\u51fa\u306e\u610f\u5473\u3092\u8aad\u307f\u53d6\u308b\u4f5c\u696d\u3067\u3042\u308b\u3002<\/p>\n

\u3053\u306e\u305f\u3081\u3001Dirty Frag \u306e\u6559\u8a13\u306f\u3001\u500b\u5225 kernel bug \u306e\u7406\u89e3\u306b\u7559\u307e\u3089\u306a\u3044\u3002\u8106\u5f31\u6027\u304c\u5897\u3048\u7d9a\u3051\u3001\u516c\u958b\u60c5\u5831\u306e\u6574\u7406\u304c\u8ffd\u3044\u3064\u304b\u305a\u3001\u512a\u5148\u9806\u4f4d\u4ed8\u3051\u306e\u5916\u90e8\u57fa\u76e4\u304c\u4e0d\u5b8c\u5168\u306b\u306a\u308b\u307b\u3069\u3001\u904b\u7528\u8005\u306f\u500b\u5225 CVE \u306e\u8868\u5c64\u3067\u306f\u306a\u304f\u3001\u653b\u6483\u9762\u3001\u5230\u9054\u53ef\u80fd\u6027\u3001\u6a29\u9650\u6607\u683c\u7d4c\u8def\u3001\u5fa9\u65e7\u53ef\u80fd\u6027\u3092\u81ea\u5206\u306e\u74b0\u5883\u306b\u5373\u3057\u3066\u8a55\u4fa1\u3057\u306a\u3051\u308c\u3070\u306a\u3089\u306a\u3044\u3002\u3053\u308c\u306f\u3001Copy Fail \u304b\u3089 Dirty Frag \u3078\u9032\u3093\u3060\u6280\u8853\u7684\u62bd\u8c61\u5316\u3068\u540c\u3058\u3067\u3042\u308b\u3002\u500b\u5225\u540d\u3067\u306f\u306a\u304f\u3001\u610f\u5473\u3068\u69cb\u9020\u3092\u898b\u308b\u5fc5\u8981\u304c\u3042\u308b\u3002<\/p>\n

\n

20. AI \u304c\u898b\u3064\u3051\u305f\u8106\u5f31\u6027\u3068\u3001AI \u304c\u898b\u3064\u3051\u3084\u3059\u304f\u3057\u305f\u8106\u5f31\u6027<\/h2>\n

Dirty Frag \u3092\u8106\u5f31\u6027\u306e\u6d2a\u6c34\u3068\u3044\u3046\u6587\u8108\u306b\u7f6e\u304f\u3068\u304d\u3001\u3082\u3046\u4e00\u3064\u533a\u5225\u3057\u3066\u304a\u304f\u3079\u304d\u70b9\u304c\u3042\u308b\u3002\u305d\u308c\u306f\u3001AI \u304c\u76f4\u63a5\u898b\u3064\u3051\u305f\u8106\u5f31\u6027\u3068\u3001AI \u306b\u3088\u3063\u3066\u898b\u3064\u3051\u3084\u3059\u304f\u306a\u3063\u305f\u8106\u5f31\u6027\u306f\u540c\u3058\u3067\u306f\u306a\u3044\u3001\u3068\u3044\u3046\u70b9\u3067\u3042\u308b\u3002Copy Fail \u306b\u3064\u3044\u3066\u306f\u3001Theori \u306e Xint Code \u306b\u3088\u308b\u63a2\u7d22\u304c\u767a\u898b\u7d4c\u8def\u3068\u3057\u3066\u8aac\u660e\u3055\u308c\u3066\u304a\u308a\u3001Bugcrowd \u3082 AI system \u306b\u3088\u3063\u3066\u77ed\u6642\u9593\u3067\u898b\u3064\u304b\u3063\u305f\u4e8b\u4f8b\u3068\u3057\u3066\u6574\u7406\u3057\u3066\u3044\u308b[28]<\/a>[29]<\/a>\u3002\u4e00\u65b9\u3067 Dirty Frag \u306b\u3064\u3044\u3066\u306f\u3001\u516c\u958b\u60c5\u5831\u4e0a\u3001AI \u304c\u76f4\u63a5\u767a\u898b\u3057\u305f\u8106\u5f31\u6027\u3068\u306f\u65ad\u5b9a\u3067\u304d\u306a\u3044\u3002Dirty Frag \u306f Hyunwoo Kim \u306b\u3088\u308b\u516c\u958b write-up \u3068 PoC \u3092\u4e2d\u5fc3\u306b\u8aac\u660e\u3055\u308c\u3066\u304a\u308a\u3001Tenable \u3082 Copy Fail \u306e bug class \u3092\u6a2a\u5c55\u958b\u3057\u305f Linux kernel LPE \u3068\u3057\u3066\u6574\u7406\u3057\u3066\u3044\u308b[2]<\/a>[5]<\/a>\u3002<\/p>\n

\u3057\u304b\u3057\u3001\u3053\u306e\u9055\u3044\u306f Dirty Frag \u3068 AI \u6642\u4ee3\u306e\u8106\u5f31\u6027\u7ba1\u7406\u304c\u7121\u95a2\u4fc2\u3067\u3042\u308b\u3053\u3068\u3092\u610f\u5473\u3057\u306a\u3044\u3002\u3080\u3057\u308d\u91cd\u8981\u306a\u306e\u306f\u3001Copy Fail \u304c AI \u652f\u63f4\u63a2\u7d22\u306b\u3088\u3063\u3066\u53ef\u8996\u5316\u3057\u305f page cache write bug class \u304c\u3001\u305d\u306e\u5f8c Dirty Frag \u306b\u3088\u3063\u3066\u5225\u30b5\u30d6\u30b7\u30b9\u30c6\u30e0\u3078\u6a2a\u5c55\u958b\u3055\u308c\u305f\u70b9\u3067\u3042\u308b\u3002AI \u304c\u76f4\u63a5\u898b\u3064\u3051\u305f\u304b\u3069\u3046\u304b\u3068\u306f\u5225\u306b\u3001AI \u306b\u3088\u3063\u3066\u4e00\u3064\u306e\u8106\u5f31\u6027\u30af\u30e9\u30b9\u304c\u53ef\u8996\u5316\u3055\u308c\u308b\u3068\u3001\u7814\u7a76\u8005\u3001\u653b\u6483\u8005\u3001\u9632\u5fa1\u8005\u306e\u3059\u3079\u3066\u304c\u3001\u540c\u3058\u4e0d\u5909\u6761\u4ef6\u9055\u53cd\u3092\u5225\u5165\u53e3\u3067\u63a2\u3059\u3088\u3046\u306b\u306a\u308b\u3002\u3053\u3053\u3067\u8106\u5f31\u6027\u7ba1\u7406\u306e\u7126\u70b9\u306f\u3001\u500b\u5225 CVE \u306e\u4e00\u89a7\u304b\u3089\u3001\u8106\u5f31\u6027\u30af\u30e9\u30b9\u3001\u653b\u6483\u9762\u3001\u5230\u9054\u53ef\u80fd\u6027\u3001\u4e0d\u5909\u6761\u4ef6\u306e\u7834\u308c\u3078\u79fb\u308b\u3002<\/p>\n\n\n\n\n\n\n\n\n
\u533a\u5206<\/th>\n\u610f\u5473<\/th>\n\u4eca\u56de\u306e\u4f8b<\/th>\n\u904b\u7528\u4e0a\u306e\u542b\u610f<\/th>\n<\/tr>\n<\/thead>\n
AI \u304c\u76f4\u63a5\u898b\u3064\u3051\u305f\u8106\u5f31\u6027<\/td>\nAI system \u3084 AI \u652f\u63f4\u63a2\u7d22\u304c\u3001\u5177\u4f53\u7684\u306a\u8106\u5f31\u6027\u306e\u767a\u898b\u7d4c\u8def\u3068\u3057\u3066\u8aac\u660e\u3055\u308c\u3066\u3044\u308b\u3082\u306e\u3002<\/td>\nCopy Fail \u306f Theori \u306e Xint Code \u306b\u3088\u308b\u63a2\u7d22\u304c\u767a\u898b\u7d4c\u8def\u3068\u3057\u3066\u8aac\u660e\u3055\u308c\u3066\u3044\u308b\u3002<\/td>\nAI \u306b\u3088\u308a\u3001\u5f93\u6765\u3088\u308a\u77ed\u6642\u9593\u3067\u6df1\u3044\u30b3\u30fc\u30c9\u7d4c\u8def\u306e\u5f31\u70b9\u304c\u8868\u9762\u5316\u3057\u5f97\u308b\u3002<\/td>\n<\/tr>\n
AI \u304c\u898b\u3064\u3051\u3084\u3059\u304f\u3057\u305f\u8106\u5f31\u6027<\/td>\nAI \u304c\u76f4\u63a5\u767a\u898b\u3057\u305f\u3068\u306f\u9650\u3089\u306a\u3044\u304c\u3001AI \u306b\u3088\u3063\u3066\u53ef\u8996\u5316\u3055\u308c\u305f bug class \u306e\u6a2a\u5c55\u958b\u3068\u3057\u3066\u8abf\u67fb\u5bfe\u8c61\u306b\u306a\u308a\u3084\u3059\u3044\u3082\u306e\u3002<\/td>\nDirty Frag \u306f AI \u767a\u898b\u3068\u306f\u65ad\u5b9a\u3067\u304d\u306a\u3044\u304c\u3001Copy Fail \u3068\u540c\u3058 page cache write bug class \u306e\u5225\u5165\u53e3\u3068\u3057\u3066\u8aad\u3081\u308b\u3002<\/td>\n\u4e00\u3064\u306e\u767a\u898b\u304c\u3001\u540c\u3058\u4e0d\u5909\u6761\u4ef6\u9055\u53cd\u3092\u6301\u3064\u5225\u30b5\u30d6\u30b7\u30b9\u30c6\u30e0\u306e\u63a2\u7d22\u3078\u6ce2\u53ca\u3059\u308b\u3002<\/td>\n<\/tr>\n
AI \u304c\u5897\u5e45\u3059\u308b\u89b3\u6e2c\u53ef\u80fd\u6027<\/td>\nAI \u304c\u8106\u5f31\u6027\u3092\u9b54\u6cd5\u306e\u3088\u3046\u306b\u4f5c\u308b\u306e\u3067\u306f\u306a\u304f\u3001\u65e2\u5b58\u306e\u4e0d\u6574\u5408\u3092\u3088\u308a\u901f\u304f\u3001\u5e83\u304f\u3001\u9ad8\u89e3\u50cf\u5ea6\u3067\u898b\u3064\u3051\u3084\u3059\u304f\u3059\u308b\u3053\u3068\u3002<\/td>\nCopy Fail \u3067\u53ef\u8996\u5316\u3055\u308c\u305f\u610f\u5473\u5883\u754c\u306e\u7834\u308c\u304c\u3001Dirty Frag \u306e\u3088\u3046\u306a\u6a2a\u5c55\u958b\u8abf\u67fb\u3092\u4fc3\u3059\u3002<\/td>\nCVE \u5358\u4f4d\u3067\u306f\u306a\u304f\u3001bug class\u3001\u653b\u6483\u9762\u3001\u4e0d\u5909\u6761\u4ef6\u3001\u9732\u51fa\u306e\u610f\u5473\u3092\u898b\u306a\u3051\u308c\u3070\u8ffd\u3044\u3064\u304b\u306a\u304f\u306a\u308b\u3002<\/td>\n<\/tr>\n
AI \u6642\u4ee3\u306e\u9632\u5fa1\u5074\u306e\u8ab2\u984c<\/td>\n\u767a\u898b\u6570\u304c\u5897\u3048\u308b\u3060\u3051\u3067\u306a\u304f\u3001\u540c\u3058\u69cb\u9020\u306e\u6d3e\u751f\u63a2\u7d22\u304c\u901f\u304f\u306a\u308b\u3053\u3068\u306b\u5bfe\u5fdc\u3059\u308b\u5fc5\u8981\u304c\u3042\u308b\u3002<\/td>\nalgif_aead \u3060\u3051\u3092\u585e\u3044\u3067\u3082\u3001xfrm-ESP \u3084 RxRPC \u306e\u3088\u3046\u306a\u5225\u5165\u53e3\u304c\u554f\u984c\u5316\u3057\u5f97\u308b\u3002<\/td>\n\u500b\u5225\u30e2\u30b8\u30e5\u30fc\u30eb\u540d\u3067\u306f\u306a\u304f\u3001\u4e0d\u5909\u6761\u4ef6\u306e\u7834\u308c\u3092\u57fa\u6e96\u306b\u6a2a\u5c55\u958b\u3057\u3066\u8a55\u4fa1\u3059\u308b\u5fc5\u8981\u304c\u3042\u308b\u3002<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

\u3053\u306e\u70b9\u306f\u3001Claude Mythos \u306b\u3064\u3044\u3066\u306e\u65e2\u7a3f\u3068\u3082\u63a5\u7d9a\u3059\u308b\u3002\u65e2\u7a3f\u3067\u306f\u3001AI \u304c\u4e16\u754c\u3092\u5909\u3048\u305f\u3068\u3044\u3046\u3088\u308a\u3001\u4e16\u754c\u306e\u4e2d\u306b\u65e2\u306b\u5b58\u5728\u3057\u3066\u3044\u305f\u4e0d\u6574\u5408\u3001\u4f9d\u5b58\u95a2\u4fc2\u3001\u610f\u5473\u5883\u754c\u306e\u7834\u308c\u3001\u5236\u5ea6\u4e0a\u306e\u89b3\u6e2c\u9650\u754c\u304c\u3001\u5f93\u6765\u3088\u308a\u901f\u304f\u3001\u5e83\u304f\u3001\u9ad8\u89e3\u50cf\u5ea6\u3067\u9732\u51fa\u3059\u308b\u3088\u3046\u306b\u306a\u3063\u305f\u3068\u6574\u7406\u3057\u305f[32]<\/a>\u3002Copy Fail \u3068 Dirty Frag \u306f\u3001\u305d\u306e\u5909\u5316\u304c Linux kernel security \u306e\u73fe\u5834\u3067\u3069\u306e\u3088\u3046\u306b\u73fe\u308c\u308b\u304b\u3092\u793a\u3059\u9023\u7d9a\u4e8b\u4f8b\u3067\u3042\u308b\u3002AI \u306f\u8106\u5f31\u6027\u3092\u9b54\u6cd5\u306e\u3088\u3046\u306b\u751f\u6210\u3057\u3066\u3044\u308b\u306e\u3067\u306f\u306a\u3044\u3002\u65e2\u306b\u5b58\u5728\u3057\u3066\u3044\u305f\u4e0d\u5909\u6761\u4ef6\u9055\u53cd\u3092\u3001\u3088\u308a\u77ed\u6642\u9593\u3067\u898b\u3064\u3051\u3001\u540c\u3058\u69cb\u9020\u3092\u5225\u9818\u57df\u3078\u5c55\u958b\u3057\u3084\u3059\u304f\u3057\u3066\u3044\u308b\u3002<\/p>\n

\u3057\u305f\u304c\u3063\u3066\u3001Dirty Frag \u8a18\u4e8b\u3067 Claude Mythos \u306e\u8ad6\u70b9\u3092\u5165\u308c\u308b\u610f\u5473\u306f\u3001AI \u8105\u5a01\u8ad6\u3092\u4ed8\u3051\u8db3\u3059\u3053\u3068\u3067\u306f\u306a\u3044\u3002\u3053\u3053\u3067\u5fc5\u8981\u306a\u306e\u306f\u3001AI \u304c\u500b\u5225\u306e\u767a\u898b\u4e3b\u4f53\u3067\u3042\u3063\u305f\u304b\u3069\u3046\u304b\u3088\u308a\u3082\u3001AI \u306b\u3088\u3063\u3066\u89b3\u6e2c\u53ef\u80fd\u6027\u304c\u5909\u308f\u308b\u3068\u3044\u3046\u69cb\u9020\u3092\u6349\u3048\u308b\u3053\u3068\u3067\u3042\u308b\u3002Copy Fail \u306f AI \u304c\u898b\u3064\u3051\u305f\u8106\u5f31\u6027\u3068\u3057\u3066\u4f4d\u7f6e\u3065\u3051\u3089\u308c\u308b\u3002Dirty Frag \u306f AI \u304c\u898b\u3064\u3051\u305f\u3068\u306f\u65ad\u5b9a\u3067\u304d\u306a\u3044\u3002\u3057\u304b\u3057\u3001Dirty Frag \u306f\u3001AI \u6642\u4ee3\u306b\u91cd\u8981\u306b\u306a\u308b\u300c\u4e00\u3064\u306e\u767a\u898b\u304b\u3089 bug class \u3092\u6a2a\u5c55\u958b\u3059\u308b\u300d\u601d\u8003\u305d\u306e\u3082\u306e\u3092\u4f53\u73fe\u3057\u3066\u3044\u308b\u3002<\/p>\n

\u3053\u306e\u7ae0\u3092\u5165\u308c\u308b\u3053\u3068\u3067\u3001\u672c\u7a3f\u306e\u904b\u7528\u4e0a\u306e\u7d50\u8ad6\u3082\u5f37\u304f\u306a\u308b\u3002\u8106\u5f31\u6027\u304c\u5897\u3048\u308b\u6642\u4ee3\u306b\u5fc5\u8981\u306a\u306e\u306f\u3001CVE \u3092\u591a\u304f\u77e5\u308b\u3053\u3068\u3060\u3051\u3067\u306f\u306a\u3044\u3002AI \u306b\u3088\u3063\u3066\u4e00\u3064\u306e\u610f\u5473\u5883\u754c\u306e\u7834\u308c\u304c\u898b\u3064\u304b\u3063\u305f\u3068\u304d\u3001\u305d\u306e\u7834\u308c\u304c\u3069\u306e\u30b5\u30d6\u30b7\u30b9\u30c6\u30e0\u3001\u3069\u306e\u6700\u9069\u5316\u3001\u3069\u306e\u5171\u6709\u69cb\u9020\u3001\u3069\u306e\u5b9f\u884c\u6587\u8108\u3078\u6a2a\u5c55\u958b\u3057\u5f97\u308b\u304b\u3092\u8003\u3048\u308b\u5fc5\u8981\u304c\u3042\u308b\u3002Dirty Frag \u306f\u3001Copy Fail \u306e\u5f8c\u306b\u73fe\u308c\u305f\u5225\u540d\u306e\u8106\u5f31\u6027\u3067\u306f\u306a\u304f\u3001AI \u6642\u4ee3\u306b\u304a\u3051\u308b\u8106\u5f31\u6027\u7406\u89e3\u306e\u5358\u4f4d\u304c\u3001\u500b\u5225 CVE \u304b\u3089\u4e0d\u5909\u6761\u4ef6\u306e\u7834\u308c\u3078\u79fb\u308b\u3053\u3068\u3092\u793a\u3059\u4e8b\u4f8b\u3067\u3042\u308b\u3002<\/p>\n

\n

21. Debian \/ Ubuntu \u904b\u7528\u306e\u8a71\u306f\u904e\u53bb\u8a18\u4e8b\u3068\u3082\u63a5\u7d9a\u3059\u308b<\/h2>\n

Debian \u3068 Ubuntu \u306e\u5bfe\u5fdc\u5dee\u306f\u3001\u5358\u306a\u308b\u597d\u304d\u5acc\u3044\u306e\u554f\u984c\u3067\u306f\u306a\u3044\u3002Dirty Frag \u306e\u3088\u3046\u306a kernel LPE \u3067\u306f\u3001\u30c7\u30a3\u30b9\u30c8\u30ea\u30d3\u30e5\u30fc\u30b7\u30e7\u30f3\u306e\u9055\u3044\u306f\u3001\u4fee\u6b63\u6e08\u307f kernel \u304c\u3044\u3064\u63d0\u4f9b\u3055\u308c\u308b\u304b\u3001CVE tracker \u304c\u3069\u306e\u7c92\u5ea6\u3067\u72b6\u614b\u3092\u793a\u3059\u304b\u3001\u66ab\u5b9a mitigation \u304c\u3069\u306e\u7a0b\u5ea6\u5177\u4f53\u7684\u306b\u6848\u5185\u3055\u308c\u308b\u304b\u3001\u518d\u8d77\u52d5\u307e\u3067\u306e\u904b\u7528\u3092\u3069\u3046\u7d44\u307f\u7acb\u3066\u308b\u304b\u3068\u3044\u3046\u5dee\u3068\u3057\u3066\u73fe\u308c\u308b\u3002\u3053\u308c\u306f\u3001\u65e5\u5e38\u7684\u306a\u30d1\u30c3\u30b1\u30fc\u30b8\u9078\u597d\u3067\u306f\u306a\u304f\u3001\u8106\u5f31\u6027\u516c\u958b\u5f8c\u306e\u72b6\u614b\u9077\u79fb\u3092\u3069\u3046\u7ba1\u7406\u3059\u308b\u304b\u3068\u3044\u3046\u554f\u984c\u3067\u3042\u308b\u3002<\/p>\n

Ubuntu 26.04 LTS \u306e\u8a2d\u8a08\u3068\u904b\u7528\u5224\u65ad\u306b\u3064\u3044\u3066\u306f\u3001\u65e2\u7a3f\u3067\u3001OS \u306e\u63a1\u7528\u5224\u65ad\u3092\u6a5f\u80fd\u4e00\u89a7\u3067\u306f\u306a\u304f\u3001\u4fdd\u5b88\u671f\u9593\u3001\u66f4\u65b0\u30e2\u30c7\u30eb\u3001\u4e92\u63db\u6027\u3001\u904b\u7528\u30ea\u30b9\u30af\u3001\u5fa9\u65e7\u53ef\u80fd\u6027\u3092\u542b\u3080\u72b6\u614b\u9077\u79fb\u3068\u3057\u3066\u6349\u3048\u305f[33]<\/a>\u3002Dirty Frag \u3067\u3082\u540c\u3058\u3067\u3042\u308b\u3002\u91cd\u8981\u306a\u306e\u306f\u3001\u3042\u308b\u30c7\u30a3\u30b9\u30c8\u30ea\u30d3\u30e5\u30fc\u30b7\u30e7\u30f3\u304c\u597d\u307f\u304b\u3069\u3046\u304b\u3067\u306f\u306a\u3044\u3002\u305d\u306e OS \u3092\u4f7f\u3046\u3053\u3068\u3067\u3001\u8106\u5f31\u6027\u60c5\u5831\u3092\u3069\u306e\u901f\u5ea6\u3067\u53d7\u3051\u53d6\u308a\u3001\u4fee\u6b63\u6e08\u307f kernel \u3092\u3069\u306e\u7d4c\u8def\u3067\u53d6\u5f97\u3057\u3001\u66ab\u5b9a\u7b56\u3092\u3069\u306e\u7cbe\u5ea6\u3067\u9069\u7528\u3057\u3001\u3069\u306e\u30bf\u30a4\u30df\u30f3\u30b0\u3067 reboot \u3057\u3001\u3069\u306e\u65b9\u6cd5\u3067\u4fee\u6b63\u6e08\u307f kernel \u3067\u8d77\u52d5\u3057\u3066\u3044\u308b\u3053\u3068\u3092\u78ba\u8a8d\u3067\u304d\u308b\u304b\u3067\u3042\u308b\u3002<\/p>\n\n\n\n\n\n\n\n\n\n
\u89b3\u70b9<\/th>\n\u8868\u9762\u7684\u306a\u898b\u65b9<\/th>\n\u904b\u7528\u4e0a\u306e\u898b\u65b9<\/th>\nDirty Frag \u3067\u306e\u610f\u5473<\/th>\n<\/tr>\n<\/thead>\n
\u30c7\u30a3\u30b9\u30c8\u30ea\u30d3\u30e5\u30fc\u30b7\u30e7\u30f3\u9078\u597d<\/td>\nDebian \u304c\u597d\u304d\u304b\u3001Ubuntu \u304c\u597d\u304d\u304b\u3068\u3044\u3046\u5370\u8c61\u3067\u5224\u65ad\u3059\u308b\u3002<\/td>\n\u4fee\u6b63\u63d0\u4f9b\u3001CVE \u60c5\u5831\u3001\u4e92\u63db\u6027\u3001\u518d\u8d77\u52d5\u8a08\u753b\u3001\u5fa9\u65e7\u78ba\u8a8d\u3092\u542b\u3080\u72b6\u614b\u9077\u79fb\u3068\u3057\u3066\u5224\u65ad\u3059\u308b\u3002<\/td>\n\u597d\u307f\u3067\u306f\u306a\u304f\u3001\u8106\u5f31\u6027\u5bfe\u5fdc\u306e\u904b\u7528\u7d4c\u8def\u304c\u5b89\u5b9a\u3057\u3066\u3044\u308b\u304b\u304c\u554f\u984c\u306b\u306a\u308b\u3002<\/td>\n<\/tr>\n
CVE tracker<\/td>\nfixed\u3001needed\u3001needs evaluation \u306a\u3069\u306e\u8868\u793a\u3060\u3051\u3092\u898b\u308b\u3002<\/td>\n\u81ea\u5206\u306e kernel package\u3001release\u3001repository\u3001\u9069\u7528\u6e08\u307f\u72b6\u614b\u3068\u7167\u5408\u3059\u308b\u3002<\/td>\ntracker \u4e0a\u306e\u72b6\u614b\u3068\u3001\u81ea\u5206\u306e host \u304c\u5b9f\u969b\u306b\u5b89\u5168\u304b\u3069\u3046\u304b\u306f\u5225\u3067\u3042\u308b\u3002<\/td>\n<\/tr>\n
\u66ab\u5b9a mitigation<\/td>\n\u6848\u5185\u3055\u308c\u305f module \u3092\u7121\u52b9\u5316\u3059\u308c\u3070\u3088\u3044\u3068\u8003\u3048\u308b\u3002<\/td>\n\u305d\u306e module \u3092\u5b9f\u969b\u306b\u4f7f\u3063\u3066\u3044\u308b\u304b\u3001\u6a5f\u80fd\u5f71\u97ff\u304c\u3042\u308b\u304b\u3001\u4fee\u6b63\u6e08\u307f kernel \u307e\u3067\u306e\u6642\u9593\u7a3c\u304e\u306b\u306a\u308b\u304b\u3092\u898b\u308b\u3002<\/td>\nesp4\u3001esp6\u3001rxrpc \u306e\u7121\u52b9\u5316\u306f\u74b0\u5883\u306b\u3088\u3063\u3066\u5f71\u97ff\u304c\u5909\u308f\u308b\u3002<\/td>\n<\/tr>\n
kernel update<\/td>\npackage \u3092\u66f4\u65b0\u3057\u305f\u6642\u70b9\u3067\u5bfe\u5fdc\u5b8c\u4e86\u3068\u8003\u3048\u308b\u3002<\/td>\n\u66f4\u65b0\u5f8c\u306b reboot \u3057\u3001\u8d77\u52d5\u4e2d kernel \u304c\u4fee\u6b63\u6e08\u307f\u3067\u3042\u308b\u3053\u3068\u3092\u78ba\u8a8d\u3059\u308b\u3002<\/td>\n\u66f4\u65b0\u6e08\u307f package \u304c\u5b58\u5728\u3057\u3066\u3082\u3001\u65e7 kernel \u3067\u52d5\u3044\u3066\u3044\u308c\u3070\u8106\u5f31\u6027\u306f\u6b8b\u308b\u3002<\/td>\n<\/tr>\n
\u5fa9\u65e7\u5224\u65ad<\/td>\n\u30c7\u30a3\u30b9\u30af\u4e0a\u306e\u30d5\u30a1\u30a4\u30eb\u3084 package \u72b6\u614b\u304c\u6b63\u5e38\u306a\u3089\u5b89\u5168\u3068\u8003\u3048\u308b\u3002<\/td>\npage cache\u3001\u5b9f\u884c\u4e2d kernel\u3001\u30ed\u30fc\u30c9\u6e08\u307f module\u3001\u4fb5\u5bb3\u53ef\u80fd\u6027\u3001\u30ed\u30b0\u78ba\u8a8d\u307e\u3067\u542b\u3081\u3066\u5224\u65ad\u3059\u308b\u3002<\/td>\nDirty Frag \u306f\u5b9f\u884c\u6642\u72b6\u614b\u306e\u6c5a\u67d3\u3092\u542b\u3080\u305f\u3081\u3001\u9759\u7684\u306a\u6574\u5408\u6027\u78ba\u8a8d\u3060\u3051\u3067\u306f\u8db3\u308a\u306a\u3044\u3002<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

\u3042\u308b\u30c7\u30a3\u30b9\u30c8\u30ea\u30d3\u30e5\u30fc\u30b7\u30e7\u30f3\u304c\u901f\u304f fixed kernel \u3092\u51fa\u3059\u304b\u3001CVE tracker \u3067 Needs evaluation \u3068\u8868\u793a\u3055\u308c\u308b\u304b\u3001\u66ab\u5b9a mitigation \u3092\u3069\u306e\u7c92\u5ea6\u3067\u6848\u5185\u3059\u308b\u304b\u306f\u3001\u904b\u7528\u4e0a\u306e\u5dee\u3068\u3057\u3066\u73fe\u308c\u308b\u3002\u3057\u304b\u3057\u3001\u305d\u308c\u306f Dirty Frag \u306e\u672c\u8cea\u3067\u306f\u306a\u3044\u3002\u672c\u8cea\u306f\u3001\u8106\u5f31\u306a\u51e6\u7406\u7d4c\u8def\u304c\u4fee\u6b63\u3055\u308c\u305f kernel \u306b\u79fb\u884c\u3057\u3001\u305d\u306e kernel \u3067\u5b9f\u969b\u306b\u8d77\u52d5\u3057\u3066\u3044\u308b\u304b\u3069\u3046\u304b\u3067\u3042\u308b\u3002\u914d\u5e03\u5143\u306e\u60c5\u5831\u306f\u3001\u305d\u306e\u72b6\u614b\u3078\u5230\u9054\u3059\u308b\u305f\u3081\u306e\u7d4c\u8def\u3092\u4e0e\u3048\u308b\u306b\u3059\u304e\u306a\u3044\u3002<\/p>\n

\u3057\u305f\u304c\u3063\u3066\u3001Dirty Frag \u306f Debian \u3068 Ubuntu \u306e\u512a\u52a3\u3060\u3051\u3092\u8ad6\u3058\u308b\u6750\u6599\u3067\u306f\u306a\u3044\u3002\u3080\u3057\u308d\u3001OS \u904b\u7528\u3068\u306f\u3001\u8106\u5f31\u6027\u516c\u958b\u3001\u30d1\u30c3\u30b1\u30fc\u30b8\u63d0\u4f9b\u3001\u66ab\u5b9a\u56de\u907f\u3001\u6a5f\u80fd\u5f71\u97ff\u8a55\u4fa1\u3001\u518d\u8d77\u52d5\u3001\u8d77\u52d5\u78ba\u8a8d\u3001\u5fc5\u8981\u306a\u3089\u5fa9\u65e7\u78ba\u8a8d\u307e\u3067\u3092\u542b\u3080\u66f4\u65b0\u904e\u7a0b\u3067\u3042\u308b\u3053\u3068\u3092\u793a\u3057\u3066\u3044\u308b\u3002\u3053\u306e\u610f\u5473\u3067\u3001Dirty Frag \u306f OS \u9078\u5b9a\u8ad6\u3068\u8106\u5f31\u6027\u5bfe\u5fdc\u8ad6\u3092\u63a5\u7d9a\u3059\u308b\u4e8b\u4f8b\u3067\u3042\u308b\u3002OS \u306f\u5c0e\u5165\u3057\u305f\u6642\u70b9\u3067\u5b89\u5168\u306b\u306a\u308b\u3082\u306e\u3067\u306f\u306a\u304f\u3001\u8106\u5f31\u6027\u60c5\u5831\u306b\u5fdc\u3058\u3066\u72b6\u614b\u3092\u66f4\u65b0\u3057\u7d9a\u3051\u308b\u904b\u7528\u5bfe\u8c61\u3067\u3042\u308b\u3002<\/p>\n

\n

22. \u5fa9\u65e7\u53ef\u80fd\u6027\u3082\u5b89\u5168\u6027\u306e\u4e00\u90e8\u3067\u3042\u308b<\/h2>\n

Dirty Frag \u3067\u306f\u3001page cache \u6c5a\u67d3\u304c drop_caches \u307e\u305f\u306f reboot \u307e\u3067\u6b8b\u308a\u5f97\u308b\u3068\u3044\u3046\u70b9\u304c\u91cd\u8981\u3067\u3042\u308b[15]<\/a>\u3002\u3053\u308c\u306f\u3001\u5358\u306b exploit \u3092\u9632\u3052\u3070\u3088\u3044\u3068\u3044\u3046\u8a71\u3067\u306f\u306a\u3044\u3002\u6c5a\u67d3\u3055\u308c\u305f\u5b9f\u884c\u6642\u72b6\u614b\u3092\u3069\u3046\u6d88\u3059\u304b\u3001\u3069\u306e\u6642\u70b9\u304b\u3089\u5b89\u5168\u3068\u307f\u306a\u3059\u304b\u3001\u3069\u306e\u624b\u9806\u3067\u78ba\u8a8d\u3059\u308b\u304b\u3068\u3044\u3046\u5fa9\u65e7\u53ef\u80fd\u6027\u306e\u554f\u984c\u3067\u3082\u3042\u308b\u3002\u8106\u5f31\u6027\u5bfe\u5fdc\u306f\u3001\u4fb5\u5165\u9632\u6b62\u3060\u3051\u3067\u306f\u5b8c\u7d50\u3057\u306a\u3044\u3002\u3059\u3067\u306b\u6c5a\u67d3\u3055\u308c\u305f\u53ef\u80fd\u6027\u306e\u3042\u308b\u72b6\u614b\u3092\u3001\u3069\u306e\u3088\u3046\u306b\u6b63\u5e38\u72b6\u614b\u3078\u623b\u3059\u304b\u307e\u3067\u542b\u3081\u3066\u8003\u3048\u308b\u5fc5\u8981\u304c\u3042\u308b\u3002<\/p>\n

\u30d0\u30c3\u30af\u30a2\u30c3\u30d7\u306b\u3064\u3044\u3066\u306e\u65e2\u7a3f\u3067\u306f\u3001\u5b89\u5168\u3068\u306f\u4fdd\u5b58\u3057\u3066\u3044\u308b\u3053\u3068\u3067\u306f\u306a\u304f\u3001\u5fa9\u5143\u53ef\u80fd\u6027\u3092\u8a2d\u8a08\u3059\u308b\u3053\u3068\u3067\u3042\u308b\u3068\u6574\u7406\u3057\u305f[34]<\/a>\u3002Dirty Frag \u3067\u3082\u540c\u3058\u3067\u3042\u308b\u3002\u8106\u5f31\u6027\u5bfe\u5fdc\u3068\u306f\u3001\u30d1\u30c3\u30b1\u30fc\u30b8\u66f4\u65b0\u30b3\u30de\u30f3\u30c9\u3092\u6253\u3064\u3053\u3068\u3060\u3051\u3067\u306f\u306a\u3044\u3002\u4fee\u6b63\u6e08\u307f kernel \u3067\u8d77\u52d5\u3057\u3066\u3044\u308b\u304b\u3001\u6c5a\u67d3\u72b6\u614b\u304c\u6b8b\u3063\u3066\u3044\u306a\u3044\u304b\u3001\u6a5f\u80fd\u5f71\u97ff\u304c\u306a\u3044\u304b\u3001\u5fc5\u8981\u306a\u3089\u30ed\u30b0\u3068\u76e3\u67fb\u60c5\u5831\u3067\u4fb5\u5bb3\u53ef\u80fd\u6027\u3092\u78ba\u8a8d\u3059\u308b\u3053\u3068\u307e\u3067\u542b\u3080\u3002\u3064\u307e\u308a\u3001\u5b89\u5168\u6027\u306f\u3001\u4fee\u6b63\u306e\u6709\u7121\u3067\u306f\u306a\u304f\u3001\u5b89\u5168\u306a\u72b6\u614b\u3078\u623b\u308c\u308b\u304b\u3069\u3046\u304b\u3067\u3082\u6c7a\u307e\u308b\u3002<\/p>\n\n\n\n\n\n\n\n\n\n
\u5fa9\u65e7\u89b3\u70b9<\/th>\n\u898b\u308b\u3079\u304d\u5bfe\u8c61<\/th>\nDirty Frag \u3067\u306e\u610f\u5473<\/th>\n\u4e0d\u5341\u5206\u306a\u5224\u65ad<\/th>\n<\/tr>\n<\/thead>\n
\u4fee\u6b63\u72b6\u614b<\/td>\n\u914d\u5e03\u5143\u304c\u63d0\u4f9b\u3059\u308b\u4fee\u6b63\u6e08\u307f kernel package \u3068\u9069\u7528\u72b6\u6cc1\u3092\u898b\u308b\u3002<\/td>\n\u8106\u5f31\u306a\u51e6\u7406\u7d4c\u8def\u305d\u306e\u3082\u306e\u304c\u4fee\u6b63\u3055\u308c\u3066\u3044\u308b\u304b\u3092\u78ba\u8a8d\u3059\u308b\u3002<\/td>\n\u66f4\u65b0\u30b3\u30de\u30f3\u30c9\u3092\u5b9f\u884c\u3057\u305f\u3060\u3051\u3067\u5bfe\u5fdc\u5b8c\u4e86\u3068\u307f\u306a\u3059\u3002<\/td>\n<\/tr>\n
\u8d77\u52d5\u72b6\u614b<\/td>\n\u5b9f\u969b\u306b\u52d5\u4f5c\u4e2d\u306e kernel version \u3092\u78ba\u8a8d\u3059\u308b\u3002<\/td>\n\u4fee\u6b63\u6e08\u307f kernel \u3067\u8d77\u52d5\u3057\u3066\u3044\u306a\u3051\u308c\u3070\u3001\u8106\u5f31\u306a kernel \u304c\u6b8b\u308b\u3002<\/td>\npackage \u304c\u5165\u3063\u3066\u3044\u308b\u3053\u3068\u3068\u3001\u5b9f\u884c\u4e2d kernel \u304c\u65b0\u3057\u3044\u3053\u3068\u3092\u6df7\u540c\u3059\u308b\u3002<\/td>\n<\/tr>\n
\u5b9f\u884c\u6642\u72b6\u614b<\/td>\npage cache\u3001\u30ed\u30fc\u30c9\u6e08\u307f module\u3001\u5b9f\u884c\u4e2d process\u3001\u6c5a\u67d3\u53ef\u80fd\u6027\u3092\u898b\u308b\u3002<\/td>\npage cache \u6c5a\u67d3\u304c\u6b8b\u308b\u306a\u3089\u3001\u30c7\u30a3\u30b9\u30af\u4e0a\u306e\u6574\u5408\u6027\u3060\u3051\u3067\u306f\u5b89\u5168\u3092\u78ba\u8a8d\u3067\u304d\u306a\u3044\u3002<\/td>\n\u30d5\u30a1\u30a4\u30eb\u30cf\u30c3\u30b7\u30e5\u304c\u6b63\u5e38\u3067\u3042\u308c\u3070\u5b9f\u884c\u6642\u3082\u5b89\u5168\u3060\u3068\u307f\u306a\u3059\u3002<\/td>\n<\/tr>\n
\u6a5f\u80fd\u5f71\u97ff<\/td>\nIPsec ESP\u3001AFS\u3001RxRPC\u3001\u95a2\u9023\u30b5\u30fc\u30d3\u30b9\u3078\u306e\u5f71\u97ff\u3092\u898b\u308b\u3002<\/td>\nmodule \u7121\u52b9\u5316\u3084 kernel \u66f4\u65b0\u306b\u3088\u3063\u3066\u5fc5\u8981\u6a5f\u80fd\u304c\u58ca\u308c\u3066\u3044\u306a\u3044\u304b\u3092\u78ba\u8a8d\u3059\u308b\u3002<\/td>\n\u66ab\u5b9a mitigation \u3092\u9069\u7528\u3057\u305f\u3060\u3051\u3067\u696d\u52d9\u5f71\u97ff\u3092\u78ba\u8a8d\u3057\u306a\u3044\u3002<\/td>\n<\/tr>\n
\u4fb5\u5bb3\u78ba\u8a8d<\/td>\n\u4f4e\u6a29\u9650\u5b9f\u884c\u7d4c\u8def\u3001\u30ed\u30b0\u3001\u76e3\u67fb\u60c5\u5831\u3001\u7570\u5e38\u306a\u6a29\u9650\u6607\u683c\u75d5\u8de1\u3092\u898b\u308b\u3002<\/td>\nLPE \u306f\u4fb5\u5165\u5f8c\u306e\u5897\u5e45\u5668\u306a\u306e\u3067\u3001\u65e2\u5b58\u306e\u4fb5\u5165\u53e3\u3068\u7d44\u307f\u5408\u308f\u305b\u3066\u8a55\u4fa1\u3059\u308b\u3002<\/td>\nDirty Frag \u304c remote exploit \u3067\u306f\u306a\u3044\u3053\u3068\u3060\u3051\u3092\u7406\u7531\u306b\u8abf\u67fb\u4e0d\u8981\u3068\u307f\u306a\u3059\u3002<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

\u7269\u7406\u5a92\u4f53\u7ba1\u7406\u306b\u95a2\u3059\u308b\u65e2\u7a3f\u3067\u3082\u3001\u60c5\u5831\u306f\u62bd\u8c61\u7684\u306b\u898b\u3048\u3066\u3082\u3001\u5b9f\u969b\u306b\u306f\u5a92\u4f53\u3001\u30d5\u30a1\u30a4\u30eb\u30b7\u30b9\u30c6\u30e0\u3001\u7b26\u53f7\u5316\u3001\u9375\u3001\u5fa9\u5143\u624b\u9806\u306b\u4f9d\u5b58\u3059\u308b\u3068\u6574\u7406\u3057\u305f[35]<\/a>\u3002Dirty Frag \u3067\u306f\u3001\u60c5\u5831\u306f\u30c7\u30a3\u30b9\u30af\u4e0a\u306e\u30d5\u30a1\u30a4\u30eb\u3060\u3051\u3067\u306a\u304f\u3001page cache \u3068\u3044\u3046\u5b9f\u884c\u6642\u5a92\u4f53\u306b\u3082\u5b58\u5728\u3059\u308b\u3002\u3057\u305f\u304c\u3063\u3066\u3001\u30c7\u30a3\u30b9\u30af\u4e0a\u306e\u6574\u5408\u6027\u3060\u3051\u3092\u898b\u3066\u3082\u3001\u5b9f\u884c\u6642\u5b89\u5168\u6027\u3092\u5b8c\u5168\u306b\u306f\u898b\u305f\u3053\u3068\u306b\u306a\u3089\u306a\u3044\u3002\u3053\u308c\u306f\u3001\u5a92\u4f53\u7ba1\u7406\u306e\u554f\u984c\u304c\u3001\u30b9\u30c8\u30ec\u30fc\u30b8\u3060\u3051\u3067\u306a\u304f\u30e1\u30e2\u30ea\u4e0a\u306e\u5b9f\u884c\u6642\u72b6\u614b\u306b\u3082\u62e1\u5f35\u3055\u308c\u308b\u3053\u3068\u3092\u793a\u3057\u3066\u3044\u308b\u3002<\/p>\n

\u3057\u305f\u304c\u3063\u3066\u3001\u5fa9\u65e7\u53ef\u80fd\u6027\u306f Dirty Frag \u5bfe\u5fdc\u306e\u4e00\u90e8\u3067\u3042\u308b\u3002\u4fee\u6b63\u6e08\u307f kernel \u3092\u5165\u308c\u308b\u3053\u3068\u3001\u518d\u8d77\u52d5\u3059\u308b\u3053\u3068\u3001\u8d77\u52d5\u4e2d kernel \u3092\u78ba\u8a8d\u3059\u308b\u3053\u3068\u3001\u5fc5\u8981\u306a\u3089 page cache \u3092\u6368\u3066\u308b\u3053\u3068\u3001\u6a5f\u80fd\u5f71\u97ff\u3092\u78ba\u8a8d\u3059\u308b\u3053\u3068\u3001\u4fb5\u5bb3\u53ef\u80fd\u6027\u3092\u8abf\u3079\u308b\u3053\u3068\u306f\u3001\u305d\u308c\u305e\u308c\u5225\u306e\u4f5c\u696d\u3067\u306f\u306a\u304f\u3001\u5b89\u5168\u306a\u72b6\u614b\u3078\u623b\u308b\u305f\u3081\u306e\u9023\u7d9a\u3057\u305f\u624b\u9806\u3067\u3042\u308b\u3002\u5b89\u5168\u3068\u306f\u3001\u5358\u306b\u8106\u5f31\u6027\u304c\u5b58\u5728\u3057\u306a\u3044\u72b6\u614b\u3067\u306f\u306a\u3044\u3002\u8106\u5f31\u6027\u304c\u5b58\u5728\u3057\u3001\u60c5\u5831\u304c\u516c\u958b\u3055\u308c\u3001\u653b\u6483\u53ef\u80fd\u6027\u304c\u793a\u3055\u308c\u305f\u3042\u3068\u3067\u3082\u3001\u7406\u89e3\u53ef\u80fd\u306a\u624b\u9806\u3067\u6b63\u5e38\u72b6\u614b\u3078\u623b\u308c\u308b\u3053\u3068\u3067\u3042\u308b\u3002<\/p>\n

\n

23. \u610f\u5473\u306f\u5dee\u7570\u306e\u8aad\u307f\u53d6\u308a\u304b\u3089\u751f\u307e\u308c\u308b<\/h2>\n

\u4eca\u56de\u306e\u8b70\u8ad6\u3067\u300c\u610f\u5473\u300d\u3068\u3044\u3046\u8a9e\u3092\u4f7f\u3046\u306e\u306f\u3001\u6bd4\u55a9\u3067\u306f\u306a\u3044\u3002\u610f\u5473\u306f\u3001byte \u5217\u304c\u3069\u306e\u6587\u8108\u3067\u8aad\u307e\u308c\u3001\u3069\u306e\u5dee\u7570\u3068\u3057\u3066\u6271\u308f\u308c\u3001\u3069\u306e\u5f8c\u7d9a\u66f4\u65b0\u3078\u63a5\u7d9a\u3055\u308c\u308b\u304b\u306b\u3088\u3063\u3066\u6210\u7acb\u3059\u308b\u3002\u610f\u5473\u306f\u5dee\u7570\u306e\u8aad\u307f\u53d6\u308a\u304b\u3089\u751f\u307e\u308c\u308b\u3068\u3044\u3046\u65e2\u7a3f\u306e\u6574\u7406\u306f\u3001\u3053\u3053\u306b\u63a5\u7d9a\u3059\u308b[36]<\/a>\u3002\u540c\u3058 byte \u5217\u3067\u3042\u3063\u3066\u3082\u3001\u305d\u308c\u3092\u8aad\u3080\u4e3b\u4f53\u3001\u8aad\u3080\u6a29\u9650\u6587\u8108\u3001\u8aad\u3080\u76ee\u7684\u3001\u8aad\u3080\u30bf\u30a4\u30df\u30f3\u30b0\u304c\u5909\u308f\u308c\u3070\u3001\u30b7\u30b9\u30c6\u30e0\u4e0a\u306e\u610f\u5473\u306f\u5909\u308f\u308b\u3002<\/p>\n

\u540c\u3058 byte \u5217\u3067\u3082\u3001\u4e00\u822c\u30e6\u30fc\u30b6\u30fc\u304c\u8aad\u3080\u306a\u3089\u5358\u306a\u308b\u30d5\u30a1\u30a4\u30eb\u5185\u5bb9\u3067\u3042\u308b\u3002setuid root \u30d0\u30a4\u30ca\u30ea\u3068\u3057\u3066 loader \u3084 CPU \u304c\u8aad\u3080\u306a\u3089\u3001\u7279\u6a29\u5b9f\u884c\u306e\u547d\u4ee4\u5217\u306b\u306a\u308b\u3002PAM \u3084 sudo \u304c\u8aad\u3080\u306a\u3089\u3001\u8a8d\u8a3c\u3084\u6a29\u9650\u5224\u65ad\u306e\u4e00\u90e8\u306b\u306a\u308b\u3002\u5171\u6709\u30e9\u30a4\u30d6\u30e9\u30ea\u3068\u3057\u3066\u8aad\u307e\u308c\u308b\u306a\u3089\u3001\u8907\u6570\u306e\u5b9f\u884c\u30d7\u30ed\u30bb\u30b9\u306b\u5f71\u97ff\u3059\u308b\u5171\u901a\u30b3\u30fc\u30c9\u306b\u306a\u308b\u3002\u3064\u307e\u308a\u3001byte \u5217\u306e\u5371\u967a\u6027\u306f\u3001\u305d\u308c\u304c\u3069\u306e\u5b9f\u884c\u6587\u8108\u3067\u610f\u5473\u3092\u6301\u3064\u304b\u306b\u3088\u3063\u3066\u6c7a\u307e\u308b\u3002<\/p>\n\n\n\n\n\n\n\n\n\n
\u540c\u3058 byte \u5217\u304c\u8aad\u307e\u308c\u308b\u6587\u8108<\/th>\n\u6210\u7acb\u3059\u308b\u610f\u5473<\/th>\nDirty Frag \u3067\u306e\u5371\u967a<\/th>\n<\/tr>\n<\/thead>\n
\u4e00\u822c\u30e6\u30fc\u30b6\u30fc\u304c\u901a\u5e38\u30d5\u30a1\u30a4\u30eb\u3068\u3057\u3066\u8aad\u3080\u3002<\/td>\n\u5358\u306a\u308b\u30d5\u30a1\u30a4\u30eb\u5185\u5bb9\u3068\u3057\u3066\u610f\u5473\u3092\u6301\u3064\u3002<\/td>\n\u3053\u306e\u6bb5\u968e\u3067\u306f\u3001\u8aad\u307f\u53d6\u308a\u884c\u70ba\u305d\u306e\u3082\u306e\u306f\u901a\u5e38\u306e\u6a29\u9650\u7bc4\u56f2\u306b\u53ce\u307e\u308b\u3002<\/td>\n<\/tr>\n
page cache \u3068\u3057\u3066\u30e1\u30e2\u30ea\u4e0a\u306b\u4fdd\u6301\u3055\u308c\u308b\u3002<\/td>\n\u30c7\u30a3\u30b9\u30af\u4e0a\u306e\u5185\u5bb9\u3092\u9ad8\u901f\u306b\u518d\u5229\u7528\u3059\u308b\u5b9f\u884c\u6642\u8868\u73fe\u3068\u3057\u3066\u610f\u5473\u3092\u6301\u3064\u3002<\/td>\n\u3053\u3053\u304c\u6c5a\u67d3\u3055\u308c\u308b\u3068\u3001\u30c7\u30a3\u30b9\u30af\u4e0a\u306e\u30d5\u30a1\u30a4\u30eb\u304c\u7121\u50b7\u3067\u3082\u5b9f\u884c\u6642\u5185\u5bb9\u304c\u5909\u308f\u308b\u3002<\/td>\n<\/tr>\n
setuid root \u30d0\u30a4\u30ca\u30ea\u3068\u3057\u3066\u5b9f\u884c\u3055\u308c\u308b\u3002<\/td>\nroot \u6a29\u9650\u3067\u5b9f\u884c\u3055\u308c\u308b\u547d\u4ee4\u5217\u3068\u3057\u3066\u610f\u5473\u3092\u6301\u3064\u3002<\/td>\n\u6c5a\u67d3\u3055\u308c\u305f\u547d\u4ee4\u5217\u304c root \u6587\u8108\u3067\u8aad\u307e\u308c\u308c\u3070 LPE \u306b\u63a5\u7d9a\u3059\u308b\u3002<\/td>\n<\/tr>\n
PAM\u3001sudo\u3001\u8a8d\u8a3c\u51e6\u7406\u304b\u3089\u8aad\u307e\u308c\u308b\u3002<\/td>\n\u8a8d\u8a3c\u3001\u6a29\u9650\u5224\u5b9a\u3001\u5b9f\u884c\u53ef\u5426\u3092\u5de6\u53f3\u3059\u308b\u60c5\u5831\u3068\u3057\u3066\u610f\u5473\u3092\u6301\u3064\u3002<\/td>\n\u6c5a\u67d3\u3055\u308c\u305f\u5185\u5bb9\u304c\u6a29\u9650\u5224\u65ad\u3092\u5909\u3048\u308b\u53ef\u80fd\u6027\u304c\u3042\u308b\u3002<\/td>\n<\/tr>\n
\u5171\u6709\u30e9\u30a4\u30d6\u30e9\u30ea\u3084 dynamic loader \u3068\u3057\u3066\u8aad\u307e\u308c\u308b\u3002<\/td>\n\u8907\u6570\u30d7\u30ed\u30bb\u30b9\u304c\u5171\u6709\u3059\u308b\u5b9f\u884c\u6642\u30b3\u30fc\u30c9\u3084\u30ed\u30fc\u30c9\u51e6\u7406\u3068\u3057\u3066\u610f\u5473\u3092\u6301\u3064\u3002<\/td>\n\u4e00\u3064\u306e page cache \u6c5a\u67d3\u304c\u8907\u6570\u306e\u5b9f\u884c\u6587\u8108\u3078\u6ce2\u53ca\u3057\u5f97\u308b\u3002<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Dirty Frag \u306e\u5371\u967a\u306f\u3001byte \u5217\u3092\u5909\u3048\u305f\u3053\u3068\u3060\u3051\u306b\u3042\u308b\u306e\u3067\u306f\u306a\u3044\u3002\u3088\u308a\u6b63\u78ba\u306b\u306f\u3001\u5f8c\u7d9a\u6587\u8108\u3067\u8aad\u307e\u308c\u308b\u610f\u5473\u3092\u5909\u3048\u305f\u3053\u3068\u306b\u3042\u308b\u3002\u30c7\u30a3\u30b9\u30af\u4e0a\u306e\u30d5\u30a1\u30a4\u30eb\u304c\u540c\u3058\u3067\u3082\u3001page cache \u4e0a\u306e\u5185\u5bb9\u304c\u5909\u308f\u308c\u3070\u3001\u5b9f\u884c\u6642\u306b\u8aad\u307e\u308c\u308b\u5dee\u7570\u306f\u5909\u308f\u308b\u3002\u305d\u306e\u5dee\u7570\u304c root \u6587\u8108\u306e\u547d\u4ee4\u5217\u3001\u8a8d\u8a3c\u5224\u65ad\u3001\u5171\u6709\u30b3\u30fc\u30c9\u3068\u3057\u3066\u89e3\u91c8\u3055\u308c\u308c\u3070\u3001\u4f4e\u6a29\u9650\u30e6\u30fc\u30b6\u30fc\u306e\u8aad\u307f\u53d6\u308a\u64cd\u4f5c\u304c\u3001\u7279\u6a29\u6587\u8108\u306e\u52d5\u4f5c\u5909\u66f4\u3078\u63a5\u7d9a\u3059\u308b\u3002<\/p>\n

\u3053\u308c\u304c\u3001\u5b9f\u884c\u6642\u610f\u5473\u306e\u6c5a\u67d3\u3067\u3042\u308b\u3002\u610f\u5473\u306f byte \u5217\u5358\u4f53\u306b\u9589\u3058\u3066\u3044\u306a\u3044\u3002\u610f\u5473\u306f\u3001byte \u5217\u304c\u3069\u3053\u304b\u3089\u6765\u3066\u3001\u3069\u306e\u72b6\u614b\u3067\u4fdd\u6301\u3055\u308c\u3001\u3069\u306e\u6587\u8108\u3067\u8aad\u307e\u308c\u3001\u3069\u306e\u5f8c\u7d9a\u51e6\u7406\u3078\u63a5\u7d9a\u3055\u308c\u308b\u304b\u3067\u6c7a\u307e\u308b\u3002Copy Fail \u3068 Dirty Frag \u304c\u5371\u967a\u306a\u306e\u306f\u3001\u8aad\u307f\u53d6\u308a\u5c02\u7528\u306e byte \u5217\u305d\u306e\u3082\u306e\u3067\u306f\u306a\u304f\u3001\u305d\u306e byte \u5217\u304c root \u6587\u8108\u3067\u8aad\u307e\u308c\u308b\u610f\u5473\u3092\u6c5a\u67d3\u3067\u304d\u308b\u304b\u3089\u3067\u3042\u308b\u3002<\/p>\n

\n

24. \u69cb\u9020\u3068\u3057\u3066\u898b\u308b\u3068\u3001\u554f\u984c\u306f\u5883\u754c\u6761\u4ef6\u306e\u4fdd\u5b58\u3067\u3042\u308b<\/h2>\n

\u69cb\u9020\u30fb\u6642\u9593\u30fb\u751f\u547d\u30fb\u610f\u5473\u30fb\u77e5\u80fd\u30fb\u81ea\u5df1\u30fbAI \u3092\u751f\u6210\u9023\u9396\u3068\u3057\u3066\u6574\u7406\u3057\u305f\u65e2\u7a3f\u3067\u306f\u3001\u69cb\u9020\u3092\u5358\u306a\u308b\u5f62\u72b6\u3067\u306f\u306a\u304f\u3001\u8981\u7d20\u9593\u306e\u95a2\u4fc2\u3001\u60c5\u5831\u306e\u6d41\u308c\u3001\u5236\u7d04\u3001\u5883\u754c\u6761\u4ef6\u3001\u5b89\u5b9a\u6027\u3068\u3057\u3066\u6349\u3048\u305f[37]<\/a>\u3002Dirty Frag \u3082\u540c\u3058\u304f\u3001\u500b\u5225\u90e8\u54c1\u306e\u554f\u984c\u3067\u306f\u306a\u304f\u3001\u5883\u754c\u6761\u4ef6\u306e\u4fdd\u5b58\u554f\u984c\u3068\u3057\u3066\u8aad\u3081\u308b\u3002\u3053\u3053\u3067\u3044\u3046\u5883\u754c\u6761\u4ef6\u3068\u306f\u3001read-only\u3001shared\u3001input\u3001unprivileged\u3001root-reachable \u3068\u3044\u3063\u305f\u5b89\u5168\u4e0a\u306e\u5236\u7d04\u3067\u3042\u308b\u3002<\/p>\n

AF_ALG\u3001xfrm-ESP\u3001RxRPC\u3001splice\u3001page cache\u3001skb frag\u3001scatterlist \u306f\u3001\u305d\u308c\u305e\u308c\u5358\u4f53\u3067\u306f\u6b63\u5f53\u306a\u4ed5\u7d44\u307f\u3067\u3042\u308b\u3002AF_ALG \u306f user space \u304b\u3089 kernel crypto API \u306b\u30a2\u30af\u30bb\u30b9\u3059\u308b\u305f\u3081\u306e\u4ed5\u7d44\u307f\u3067\u3042\u308a\u3001xfrm-ESP \u306f IPsec ESP \u306e\u51e6\u7406\u306b\u95a2\u308f\u308b\u4ed5\u7d44\u307f\u3067\u3042\u308a\u3001RxRPC \u306f AFS \u306a\u3069\u3067\u4f7f\u308f\u308c\u308b transport protocol \u3067\u3042\u308a\u3001splice \u3084 zero-copy \u306f copy \u3092\u6e1b\u3089\u3059\u305f\u3081\u306e\u4ed5\u7d44\u307f\u3067\u3042\u308a\u3001page cache \u306f\u30d5\u30a1\u30a4\u30eb I\/O \u3092\u52b9\u7387\u5316\u3059\u308b\u4ed5\u7d44\u307f\u3067\u3042\u308a\u3001skb frag \u3084 scatterlist \u306f fragment \u3084\u975e\u9023\u7d9a memory \u3092\u6271\u3046\u305f\u3081\u306e\u4ed5\u7d44\u307f\u3067\u3042\u308b\u3002\u554f\u984c\u306f\u3001\u3053\u308c\u3089\u306e\u90e8\u54c1\u304c\u5358\u4f53\u3067\u5b58\u5728\u3059\u308b\u3053\u3068\u3067\u306f\u306a\u3044\u3002\u7d50\u5408\u3057\u305f\u3068\u304d\u306b\u3001\u5883\u754c\u6761\u4ef6\u304c\u4fdd\u5b58\u3055\u308c\u308b\u304b\u3069\u3046\u304b\u3067\u3042\u308b\u3002<\/p>\n\n\n\n\n\n\n\n\n\n\n
\u69cb\u6210\u8981\u7d20<\/th>\n\u5358\u4f53\u3067\u306e\u6b63\u5f53\u306a\u5f79\u5272<\/th>\n\u7d50\u5408\u6642\u306b\u4fdd\u5b58\u3059\u3079\u304d\u5883\u754c\u6761\u4ef6<\/th>\n<\/tr>\n<\/thead>\n
page cache<\/td>\n\u30d5\u30a1\u30a4\u30eb\u5185\u5bb9\u3092\u30e1\u30e2\u30ea\u4e0a\u306b\u4fdd\u6301\u3057\u3001\u8aad\u307f\u53d6\u308a\u3084\u5b9f\u884c\u3092\u9ad8\u901f\u5316\u3059\u308b\u3002<\/td>\nfile-backed\u3001read-only\u3001shared \u3067\u3042\u308b\u3053\u3068\u3092\u5f8c\u6bb5\u3078\u4f1d\u3048\u308b\u5fc5\u8981\u304c\u3042\u308b\u3002<\/td>\n<\/tr>\n
splice \/ pipe<\/td>\ncopy \u3092\u6e1b\u3089\u3057\u3001page \u53c2\u7167\u3092\u5225\u7d4c\u8def\u3078\u79fb\u3059\u3002<\/td>\n\u8aad\u307f\u53d6\u308a\u5bfe\u8c61\u306e page \u304c\u51fa\u529b\u5148\u3078\u5909\u8cea\u3057\u306a\u3044\u3088\u3046\u306b\u3059\u308b\u5fc5\u8981\u304c\u3042\u308b\u3002<\/td>\n<\/tr>\n
scatterlist<\/td>\n\u975e\u9023\u7d9a memory \u3092\u307e\u3068\u3081\u3066\u6697\u53f7\u51e6\u7406\u3084 I\/O \u51e6\u7406\u306b\u6e21\u3059\u3002<\/td>\nsource \u3068 destination \u306e\u610f\u5473\u3092\u6df7\u540c\u3057\u306a\u3044\u5fc5\u8981\u304c\u3042\u308b\u3002<\/td>\n<\/tr>\n
skb frag<\/td>\nnetwork packet \u306e fragment \u3092 page \u5358\u4f4d\u3067\u52b9\u7387\u3088\u304f\u6271\u3046\u3002<\/td>\nshared frag \u3067\u3042\u308c\u3070 private copy \u304c\u5fc5\u8981\u306a\u5834\u9762\u3092\u4fdd\u6301\u3059\u308b\u5fc5\u8981\u304c\u3042\u308b\u3002<\/td>\n<\/tr>\n
in-place \u51e6\u7406<\/td>\n\u5165\u529b\u3068\u51fa\u529b\u3092\u540c\u3058 buffer \u306b\u3057\u3066\u6027\u80fd\u3084\u30e1\u30e2\u30ea\u52b9\u7387\u3092\u4e0a\u3052\u308b\u3002<\/td>\nread-only input page \u3092 output \u3068\u3057\u3066\u6271\u308f\u306a\u3044\u5fc5\u8981\u304c\u3042\u308b\u3002<\/td>\n<\/tr>\n
setuid \/ root \u6587\u8108<\/td>\n\u5fc5\u8981\u306a\u64cd\u4f5c\u3092\u9ad8\u6a29\u9650\u3067\u5b9f\u884c\u3059\u308b\u3002<\/td>\n\u4f4e\u6a29\u9650\u64cd\u4f5c\u306b\u3088\u3063\u3066\u6c5a\u67d3\u3055\u308c\u305f page \u3092\u4fe1\u983c\u3057\u306a\u3044\u5fc5\u8981\u304c\u3042\u308b\u3002<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

\u3057\u305f\u304c\u3063\u3066\u3001Dirty Frag \u306f\u3001\u6b63\u5f53\u306a\u90e8\u54c1\u304c\u7d44\u307f\u5408\u308f\u3055\u3063\u305f\u7d50\u679c\u3001\u4e0d\u6b63\u306a\u5168\u4f53\u69cb\u9020\u304c\u751f\u3058\u308b\u4e8b\u4f8b\u3067\u3042\u308b\u3002\u500b\u3005\u306e\u90e8\u54c1\u306f\u3001\u6027\u80fd\u3001\u4e92\u63db\u6027\u3001\u6697\u53f7\u51e6\u7406\u3001\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u51e6\u7406\u3001\u30d5\u30a1\u30a4\u30eb I\/O \u3092\u652f\u3048\u308b\u305f\u3081\u306b\u5fc5\u8981\u3067\u3042\u308b\u3002\u3057\u304b\u3057\u3001\u90e8\u54c1\u9593\u3092\u79fb\u52d5\u3059\u308b\u5bfe\u8c61\u304c \\(D\\) \u3060\u3051\u3068\u3057\u3066\u6271\u308f\u308c\u3001\\(M\\) \u304c\u4fdd\u5b58\u3055\u308c\u306a\u3051\u308c\u3070\u3001\u5b89\u5168\u6027\u306f\u5931\u308f\u308c\u308b\u3002\u3053\u308c\u306f\u5358\u306a\u308b\u5b9f\u88c5\u30df\u30b9\u3067\u306f\u306a\u304f\u3001\u8907\u6570\u306e\u62bd\u8c61\u5883\u754c\u3092\u307e\u305f\u3050\u8a2d\u8a08\u4e0a\u306e\u6ce8\u610f\u70b9\u3067\u3042\u308b\u3002<\/p>\n

\u69cb\u9020\u3068\u3057\u3066\u898b\u308c\u3070\u3001Dirty Frag \u306e\u4e2d\u5fc3\u306f\u300c\u3069\u306e\u90e8\u54c1\u304c\u60aa\u3044\u304b\u300d\u3067\u306f\u306a\u304f\u3001\u300c\u90e8\u54c1\u3092\u3064\u306a\u3044\u3060\u3068\u304d\u306b\u5883\u754c\u6761\u4ef6\u304c\u4fdd\u5b58\u3055\u308c\u305f\u304b\u300d\u3067\u3042\u308b\u3002read-only \u3067\u3042\u308b\u3053\u3068\u3001shared \u3067\u3042\u308b\u3053\u3068\u3001input \u3067\u3042\u308b\u3053\u3068\u3001\u4f4e\u6a29\u9650\u64cd\u4f5c\u3067\u3042\u308b\u3053\u3068\u3001root \u6587\u8108\u3067\u8aad\u307e\u308c\u5f97\u308b\u3053\u3068\u306f\u3001\u305d\u308c\u305e\u308c\u72ec\u7acb\u3057\u305f\u610f\u5473\u3067\u306f\u306a\u3044\u3002\u3053\u308c\u3089\u304c\u7d44\u307f\u5408\u308f\u3055\u3063\u305f\u3068\u304d\u3001\u521d\u3081\u3066\u5371\u967a\u306a\u72b6\u614b\u304c\u6210\u7acb\u3059\u308b\u3002\u3064\u307e\u308a\u3001\u8106\u5f31\u6027\u306f\u5358\u4f53\u90e8\u54c1\u3067\u306f\u306a\u304f\u3001\u90e8\u54c1\u9593\u306e\u610f\u5473\u63a5\u7d9a\u306b\u751f\u3058\u308b\u3002<\/p>\n

\n

25. \u89b3\u6e2c\u3068\u66f4\u65b0\u306e\u554f\u984c\u3068\u3057\u3066\u898b\u308b<\/h2>\n

\u89b3\u6e2c\u3092\u60c5\u5831\u66f4\u65b0\u3068\u3057\u3066\u5b9a\u5f0f\u5316\u3057\u305f\u65e2\u7a3f\u3067\u306f\u3001\u89b3\u6e2c\u3068\u306f\u5916\u754c\u3092\u305d\u306e\u307e\u307e\u5199\u3059\u3053\u3068\u3067\u306f\u306a\u304f\u3001\u5185\u90e8\u72b6\u614b\u3092\u66f4\u65b0\u3057\u3001\u4ee5\u5f8c\u306e\u5c65\u6b74\u3068\u5224\u65ad\u3092\u5909\u3048\u308b\u904e\u7a0b\u3067\u3042\u308b\u3068\u6574\u7406\u3057\u305f[38]<\/a>\u3002\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u904b\u7528\u3067\u3082\u540c\u3058\u3067\u3042\u308b\u3002\u8106\u5f31\u6027\u60c5\u5831\u3001CVE\u3001vendor advisory\u3001kernel package\u3001module \u72b6\u614b\u3001reboot\u3001\u691c\u8a3c\u7d50\u679c\u306f\u3001\u904b\u7528\u72b6\u614b\u3092\u66f4\u65b0\u3059\u308b\u89b3\u6e2c\u70b9\u3067\u3042\u308b\u3002\u3053\u308c\u3089\u3092\u89b3\u6e2c\u3057\u3001\u5185\u90e8\u72b6\u614b\u3092\u66f4\u65b0\u3057\u3001\u6b21\u306e\u884c\u52d5\u3092\u6c7a\u3081\u308b\u3053\u3068\u304c\u8106\u5f31\u6027\u5bfe\u5fdc\u3067\u3042\u308b\u3002<\/p>\n

Dirty Frag \u306e\u3088\u3046\u306a LPE \u3067\u306f\u3001\u89b3\u6e2c\u304c\u9045\u308c\u308c\u3070\u3001\u4f4e\u6a29\u9650\u4fb5\u5bb3\u304c root \u4fb5\u5bb3\u3078\u5897\u5e45\u3055\u308c\u308b\u6642\u9593\u304c\u9577\u304f\u306a\u308b\u3002\u89b3\u6e2c\u304c\u7c97\u3051\u308c\u3070\u3001patched \u3068 unpatched\u3001module disabled \u3068 module loaded\u3001updated \u3068 rebooted \u306e\u5dee\u3092\u53d6\u308a\u9055\u3048\u308b\u3002\u89b3\u6e2c\u304c\u4e0d\u5341\u5206\u306a\u3089\u3001\u30c7\u30a3\u30b9\u30af\u4e0a\u306e\u30cf\u30c3\u30b7\u30e5\u304c\u6b63\u5e38\u3067\u3042\u308b\u3053\u3068\u3092\u3082\u3063\u3066\u3001\u5b9f\u884c\u6642\u6c5a\u67d3\u304c\u306a\u3044\u3068\u8aa4\u8a8d\u3059\u308b\u3002\u3064\u307e\u308a\u3001Dirty Frag \u5bfe\u5fdc\u3067\u306f\u3001\u4f55\u3092\u89b3\u6e2c\u3059\u308b\u304b\u306b\u3088\u3063\u3066\u3001\u5b89\u5168\u5224\u65ad\u305d\u306e\u3082\u306e\u304c\u5909\u308f\u308b\u3002<\/p>\n\n\n\n\n\n\n\n\n\n\n\n
\u89b3\u6e2c\u70b9<\/th>\n\u66f4\u65b0\u3055\u308c\u308b\u5224\u65ad<\/th>\n\u89b3\u6e2c\u304c\u7c97\u3044\u5834\u5408\u306e\u8aa4\u308a<\/th>\n<\/tr>\n<\/thead>\n
CVE \u60c5\u5831<\/td>\n\u8106\u5f31\u6027\u306e\u5b58\u5728\u3001\u5f71\u97ff\u7bc4\u56f2\u3001\u7dca\u6025\u5ea6\u3092\u5224\u65ad\u3059\u308b\u3002<\/td>\nCVE \u540d\u3060\u3051\u3092\u898b\u3066\u3001\u81ea\u5206\u306e\u74b0\u5883\u3067\u306e\u9732\u51fa\u3092\u5224\u65ad\u3057\u306a\u3044\u3002<\/td>\n<\/tr>\n
vendor advisory<\/td>\n\u5bfe\u8c61 package\u3001\u4fee\u6b63\u72b6\u6cc1\u3001\u66ab\u5b9a mitigation \u3092\u5224\u65ad\u3059\u308b\u3002<\/td>\n\u914d\u5e03\u5143\u3054\u3068\u306e package \u540d\u3084 kernel \u7cfb\u5217\u306e\u9055\u3044\u3092\u898b\u843d\u3068\u3059\u3002<\/td>\n<\/tr>\n
\u30ed\u30fc\u30c9\u6e08\u307f module<\/td>\nesp4\u3001esp6\u3001rxrpc \u306a\u3069\u306e\u5165\u53e3\u304c\u73fe\u5728\u5b58\u5728\u3059\u308b\u304b\u3092\u5224\u65ad\u3059\u308b\u3002<\/td>\nblacklist \u3092\u66f8\u3044\u305f\u3060\u3051\u3067\u3001\u3059\u3067\u306b\u30ed\u30fc\u30c9\u6e08\u307f\u306e module \u304c\u6d88\u3048\u305f\u3068\u8aa4\u8a8d\u3059\u308b\u3002<\/td>\n<\/tr>\n
kernel package<\/td>\n\u4fee\u6b63\u6e08\u307f kernel \u304c\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3055\u308c\u3066\u3044\u308b\u304b\u3092\u5224\u65ad\u3059\u308b\u3002<\/td>\n\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u6e08\u307f\u3067\u3042\u308b\u3053\u3068\u3068\u3001\u5b9f\u884c\u4e2d\u3067\u3042\u308b\u3053\u3068\u3092\u6df7\u540c\u3059\u308b\u3002<\/td>\n<\/tr>\n
\u8d77\u52d5\u4e2d kernel<\/td>\n\u5b9f\u969b\u306b\u4fee\u6b63\u6e08\u307f kernel \u3067\u52d5\u4f5c\u3057\u3066\u3044\u308b\u304b\u3092\u5224\u65ad\u3059\u308b\u3002<\/td>\nreboot \u3057\u3066\u3044\u306a\u3044\u305f\u3081\u3001\u65e7 kernel \u306e\u307e\u307e\u52d5\u3044\u3066\u3044\u308b\u3053\u3068\u3092\u898b\u843d\u3068\u3059\u3002<\/td>\n<\/tr>\n
page cache \/ \u5b9f\u884c\u6642\u72b6\u614b<\/td>\n\u6c5a\u67d3\u3055\u308c\u305f\u5b9f\u884c\u6642\u5185\u5bb9\u304c\u6b8b\u3063\u3066\u3044\u308b\u53ef\u80fd\u6027\u3092\u5224\u65ad\u3059\u308b\u3002<\/td>\n\u30c7\u30a3\u30b9\u30af\u4e0a\u306e\u30d5\u30a1\u30a4\u30eb\u30cf\u30c3\u30b7\u30e5\u3060\u3051\u3092\u898b\u3066\u3001\u5b9f\u884c\u6642\u6c5a\u67d3\u304c\u306a\u3044\u3068\u8aa4\u8a8d\u3059\u308b\u3002<\/td>\n<\/tr>\n
\u30ed\u30b0\u3068\u76e3\u67fb\u60c5\u5831<\/td>\n\u4f4e\u6a29\u9650\u5b9f\u884c\u3084\u6a29\u9650\u6607\u683c\u306e\u5146\u5019\u3092\u5224\u65ad\u3059\u308b\u3002<\/td>\nLPE \u304c remote exploit \u3067\u306f\u306a\u3044\u3053\u3068\u3092\u7406\u7531\u306b\u3001\u4fb5\u5bb3\u5f8c\u306e\u5897\u5e45\u53ef\u80fd\u6027\u3092\u898b\u843d\u3068\u3059\u3002<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

\u3057\u305f\u304c\u3063\u3066\u3001Dirty Frag \u5bfe\u5fdc\u306f\u3001\u5358\u306a\u308b\u30d1\u30c3\u30c1\u9069\u7528\u3067\u306f\u306a\u304f\u3001\u89b3\u6e2c\u3001\u66f4\u65b0\u3001\u78ba\u8a8d\u3001\u5fa9\u65e7\u306e\u9023\u9396\u3067\u3042\u308b\u3002CVE \u3092\u77e5\u308b\u3053\u3068\u3067\u72b6\u614b\u304c\u66f4\u65b0\u3055\u308c\u308b\u3002\u914d\u5e03\u5143 advisory \u3092\u8aad\u3080\u3053\u3068\u3067\u3001\u81ea\u5206\u306e OS \u306b\u304a\u3051\u308b\u5f71\u97ff\u7bc4\u56f2\u304c\u66f4\u65b0\u3055\u308c\u308b\u3002kernel package \u3092\u66f4\u65b0\u3059\u308b\u3053\u3068\u3067\u3001\u4fee\u6b63\u6e08\u307f code \u304c\u5c0e\u5165\u3055\u308c\u308b\u3002reboot \u3059\u308b\u3053\u3068\u3067\u3001\u5b9f\u884c\u4e2d kernel \u3068\u5b9f\u884c\u6642\u72b6\u614b\u304c\u66f4\u65b0\u3055\u308c\u308b\u3002\u8d77\u52d5\u78ba\u8a8d\u3092\u3059\u308b\u3053\u3068\u3067\u3001\u5b89\u5168\u5224\u65ad\u304c\u66f4\u65b0\u3055\u308c\u308b\u3002\u5fc5\u8981\u306a\u3089\u30ed\u30b0\u78ba\u8a8d\u3084 cache \u6c5a\u67d3\u5bfe\u51e6\u306b\u3088\u3063\u3066\u3001\u5fa9\u65e7\u5224\u65ad\u304c\u66f4\u65b0\u3055\u308c\u308b\u3002<\/p>\n

\u3053\u306e\u610f\u5473\u3067\u3001Dirty Frag \u306f\u6280\u8853\u7684\u306b\u3082\u904b\u7528\u7684\u306b\u3082\u3001\u89b3\u6e2c\u3068\u66f4\u65b0\u306e\u554f\u984c\u3067\u3042\u308b\u3002\u6280\u8853\u5c64\u3067\u306f\u3001page cache \u304c\u3069\u306e\u6587\u8108\u3067\u8aad\u307e\u308c\u3001\u3069\u306e\u610f\u5473\u3092\u6301\u3064\u304b\u3092\u89b3\u6e2c\u3057\u306a\u3051\u308c\u3070\u306a\u3089\u306a\u3044\u3002\u904b\u7528\u5c64\u3067\u306f\u3001CVE\u3001advisory\u3001kernel\u3001module\u3001reboot\u3001\u5b9f\u884c\u6642\u72b6\u614b\u3092\u89b3\u6e2c\u3057\u306a\u3051\u308c\u3070\u306a\u3089\u306a\u3044\u3002\u89b3\u6e2c\u304c\u4e0d\u5341\u5206\u306a\u3089\u3001\u610f\u5473\u3092\u53d6\u308a\u9055\u3048\u308b\u3002\u610f\u5473\u3092\u53d6\u308a\u9055\u3048\u308c\u3070\u3001\u5b89\u5168\u3060\u3068\u5224\u65ad\u3057\u305f\u72b6\u614b\u304c\u5b9f\u969b\u306b\u306f\u5b89\u5168\u3067\u306a\u3044\u53ef\u80fd\u6027\u304c\u6b8b\u308b\u3002<\/p>\n

\n

26. \u6642\u9593\u3068\u5c65\u6b74\u306e\u554f\u984c\u3068\u3057\u3066\u898b\u308b<\/h2>\n

\u6642\u9593\u306b\u3064\u3044\u3066\u306e\u65e2\u7a3f\u3067\u306f\u3001\u6642\u9593\u3092\u4e0d\u53ef\u9006\u306a\u66f4\u65b0\u69cb\u9020\u3068\u3057\u3066\u6574\u7406\u3057\u3001\u5c65\u6b74\u304c\u5897\u3048\u308b\u3053\u3068\u306b\u3088\u3063\u3066\u73fe\u5728\u304c\u5f62\u6210\u3055\u308c\u308b\u3068\u8ad6\u3058\u305f[39]<\/a>\u3002Dirty Frag \u306b\u304a\u3044\u3066\u3082\u3001\u8106\u5f31\u6027\u516c\u958b\u3001PoC \u516c\u958b\u3001vendor \u5bfe\u5fdc\u3001kernel \u66f4\u65b0\u3001\u518d\u8d77\u52d5\u3001\u78ba\u8a8d\u3068\u3044\u3046\u5c65\u6b74\u304c\u904b\u7528\u5224\u65ad\u3092\u4f5c\u308b\u3002\u8106\u5f31\u6027\u5bfe\u5fdc\u306f\u3001\u3042\u308b\u77ac\u9593\u306b\u4e00\u56de\u3060\u3051\u884c\u3046\u4f5c\u696d\u3067\u306f\u306a\u3044\u3002\u60c5\u5831\u304c\u516c\u958b\u3055\u308c\u3001\u8a55\u4fa1\u3055\u308c\u3001\u914d\u5e03\u5143\u306b\u53d6\u308a\u8fbc\u307e\u308c\u3001\u5404\u74b0\u5883\u3067\u9069\u7528\u3055\u308c\u3001\u518d\u8d77\u52d5\u3055\u308c\u3001\u78ba\u8a8d\u3055\u308c\u308b\u3068\u3044\u3046\u6642\u9593\u7684\u306a\u9023\u9396\u3067\u3042\u308b\u3002<\/p>\n

\u7279\u306b\u91cd\u8981\u306a\u306e\u306f\u3001\u8106\u5f31\u6027\u5bfe\u5fdc\u306b\u306f\u6642\u9593\u5dee\u304c\u3042\u308b\u3053\u3068\u3060\u3002upstream \u306e\u4fee\u6b63\u3001\u30c7\u30a3\u30b9\u30c8\u30ea\u30d3\u30e5\u30fc\u30b7\u30e7\u30f3\u3078\u306e\u53d6\u308a\u8fbc\u307f\u3001\u30d1\u30c3\u30b1\u30fc\u30b8\u914d\u5e03\u3001\u5404\u30db\u30b9\u30c8\u3067\u306e\u66f4\u65b0\u3001\u518d\u8d77\u52d5\u3001\u78ba\u8a8d\u306f\u540c\u6642\u306b\u306f\u8d77\u304d\u306a\u3044\u3002\u3042\u308b\u6642\u70b9\u3067\u306f upstream \u306b\u4fee\u6b63\u304c\u5165\u3063\u3066\u3044\u3066\u3082\u3001\u5229\u7528\u4e2d\u306e distribution kernel \u306b\u306f\u307e\u3060\u964d\u308a\u3066\u304d\u3066\u3044\u306a\u3044\u5834\u5408\u304c\u3042\u308b\u3002\u5225\u306e\u6642\u70b9\u3067\u306f\u3001\u4fee\u6b63\u6e08\u307f package \u306f\u63d0\u4f9b\u3055\u308c\u3066\u3044\u3066\u3082\u3001host \u306f\u307e\u3060\u65e7 kernel \u3067\u8d77\u52d5\u3057\u3066\u3044\u308b\u5834\u5408\u304c\u3042\u308b\u3002\u3053\u306e\u6642\u9593\u5dee\u304c\u3001\u66ab\u5b9a mitigation \u306e\u5fc5\u8981\u6027\u3092\u751f\u3080\u3002<\/p>\n\n\n\n\n\n\n\n\n\n\n
\u6642\u70b9<\/th>\n\u8d77\u304d\u308b\u3053\u3068<\/th>\n\u904b\u7528\u4e0a\u306e\u610f\u5473<\/th>\n\u8aa4\u308a\u3084\u3059\u3044\u5224\u65ad<\/th>\n<\/tr>\n<\/thead>\n
\u8106\u5f31\u6027\u516c\u958b<\/td>\nCVE\u3001write-up\u3001PoC\u3001vendor \u60c5\u5831\u304c\u516c\u958b\u3055\u308c\u308b\u3002<\/td>\n\u81ea\u5206\u306e\u74b0\u5883\u304c\u5f71\u97ff\u3092\u53d7\u3051\u308b\u304b\u3092\u8abf\u3079\u308b\u8d77\u70b9\u306b\u306a\u308b\u3002<\/td>\n\u516c\u958b\u3055\u308c\u305f\u6642\u70b9\u3067\u3001\u3059\u3079\u3066\u306e distribution \u306b\u4fee\u6b63\u6e08\u307f kernel \u304c\u3042\u308b\u3068\u8aa4\u89e3\u3059\u308b\u3002<\/td>\n<\/tr>\n
upstream \u4fee\u6b63<\/td>\nLinux kernel \u5074\u3067\u554f\u984c\u7d4c\u8def\u304c\u4fee\u6b63\u3055\u308c\u308b\u3002<\/td>\n\u6839\u672c\u4fee\u6b63\u306e\u65b9\u5411\u304c\u5b9a\u307e\u308b\u3002<\/td>\nupstream \u306b\u4fee\u6b63\u304c\u3042\u308b\u3060\u3051\u3067\u3001\u81ea\u5206\u306e host \u3082\u5b89\u5168\u306b\u306a\u3063\u305f\u3068\u8aa4\u89e3\u3059\u308b\u3002<\/td>\n<\/tr>\n
distribution \u53d6\u308a\u8fbc\u307f<\/td>\nDebian\u3001Ubuntu\u3001Red Hat \u7cfb\u306a\u3069\u304c\u5404 kernel package \u3078\u4fee\u6b63\u3092\u53d6\u308a\u8fbc\u3080\u3002<\/td>\n\u5b9f\u969b\u306b\u5229\u7528\u53ef\u80fd\u306a\u4fee\u6b63\u6e08\u307f package \u304c\u63d0\u4f9b\u3055\u308c\u308b\u3002<\/td>\n\u5225 distribution \u306e\u4fee\u6b63\u72b6\u6cc1\u3092\u3001\u81ea\u5206\u306e distribution \u306b\u305d\u306e\u307e\u307e\u5f53\u3066\u306f\u3081\u308b\u3002<\/td>\n<\/tr>\n
package \u66f4\u65b0<\/td>\n\u5bfe\u8c61 host \u306b\u4fee\u6b63\u6e08\u307f kernel package \u3092\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3059\u308b\u3002<\/td>\n\u4fee\u6b63\u6e08\u307f kernel \u304c boot \u53ef\u80fd\u306a\u72b6\u614b\u306b\u306a\u308b\u3002<\/td>\npackage \u66f4\u65b0\u3060\u3051\u3067\u3001\u5b9f\u884c\u4e2d kernel \u3082\u66f4\u65b0\u3055\u308c\u305f\u3068\u8aa4\u89e3\u3059\u308b\u3002<\/td>\n<\/tr>\n
\u518d\u8d77\u52d5<\/td>\nhost \u3092 reboot \u3057\u3001\u4fee\u6b63\u6e08\u307f kernel \u3067\u8d77\u52d5\u3059\u308b\u3002<\/td>\n\u8106\u5f31\u306a\u5b9f\u884c\u4e2d kernel \u3068\u53e4\u3044\u5b9f\u884c\u6642\u72b6\u614b\u3092\u6368\u3066\u308b\u3002<\/td>\n\u518d\u8d77\u52d5\u3092\u5f8c\u56de\u3057\u306b\u3057\u3066\u3001\u5bfe\u5fdc\u6e08\u307f\u3068\u8a18\u9332\u3059\u308b\u3002<\/td>\n<\/tr>\n
\u78ba\u8a8d<\/td>\n\u8d77\u52d5\u4e2d kernel\u3001module \u72b6\u614b\u3001\u6a5f\u80fd\u5f71\u97ff\u3001\u5fc5\u8981\u306a\u3089\u4fb5\u5bb3\u75d5\u8de1\u3092\u78ba\u8a8d\u3059\u308b\u3002<\/td>\n\u5bfe\u5fdc\u6e08\u307f\u3068\u3044\u3046\u5224\u65ad\u306b\u6839\u62e0\u3092\u4e0e\u3048\u308b\u3002<\/td>\n\u78ba\u8a8d\u3092\u7701\u7565\u3057\u3001\u4f5c\u696d\u5c65\u6b74\u3060\u3051\u3067\u5b89\u5168\u72b6\u614b\u3092\u5224\u65ad\u3059\u308b\u3002<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

\u3053\u306e\u610f\u5473\u3067\u3001Dirty Frag \u306f\u30ab\u30fc\u30cd\u30eb\u5185\u90e8\u306e\u610f\u5473\u4fdd\u5b58\u3060\u3051\u3067\u306a\u304f\u3001\u904b\u7528\u4e0a\u306e\u5c65\u6b74\u7ba1\u7406\u306e\u554f\u984c\u3067\u3082\u3042\u308b\u3002\u3069\u306e\u6642\u70b9\u3067\u4f55\u304c\u5206\u304b\u3063\u3066\u304a\u308a\u3001\u3069\u306e\u74b0\u5883\u306b\u3069\u306e\u5bfe\u7b56\u304c\u5165\u3063\u3066\u304a\u308a\u3001\u3069\u306e kernel \u3067\u8d77\u52d5\u3057\u3066\u3044\u308b\u304b\u3092\u8a18\u9332\u3057\u306a\u3051\u308c\u3070\u3001\u5bfe\u5fdc\u6e08\u307f\u3068\u3044\u3046\u5224\u65ad\u3082\u610f\u5473\u3092\u5931\u3046\u3002\u8106\u5f31\u6027\u5bfe\u5fdc\u306b\u304a\u3051\u308b\u300c\u73fe\u5728\u300d\u306f\u3001\u5358\u306a\u308b\u65e5\u4ed8\u3067\u306f\u306a\u3044\u3002\u516c\u958b\u60c5\u5831\u3001\u914d\u5e03\u72b6\u6cc1\u3001\u9069\u7528\u72b6\u6cc1\u3001\u518d\u8d77\u52d5\u72b6\u6cc1\u3001\u78ba\u8a8d\u7d50\u679c\u3068\u3044\u3046\u5c65\u6b74\u306e\u84c4\u7a4d\u306b\u3088\u3063\u3066\u6210\u7acb\u3059\u308b\u3002<\/p>\n

\u3057\u305f\u304c\u3063\u3066\u3001Dirty Frag \u306e\u904b\u7528\u3067\u306f\u3001\u6642\u9593\u5dee\u3092\u524d\u63d0\u306b\u3057\u305f\u7ba1\u7406\u304c\u5fc5\u8981\u3067\u3042\u308b\u3002\u4fee\u6b63\u6e08\u307f kernel \u304c\u307e\u3060\u306a\u3044\u6642\u70b9\u3067\u306f\u3001\u66ab\u5b9a mitigation \u306b\u3088\u3063\u3066\u65e2\u77e5\u306e\u5165\u53e3\u3092\u585e\u3050\u3002\u4fee\u6b63\u6e08\u307f kernel \u304c\u63d0\u4f9b\u3055\u308c\u305f\u6642\u70b9\u3067\u306f\u3001\u66f4\u65b0\u3068\u518d\u8d77\u52d5\u3092\u8a08\u753b\u3059\u308b\u3002\u518d\u8d77\u52d5\u5f8c\u306b\u306f\u3001\u5b9f\u969b\u306b\u4fee\u6b63\u6e08\u307f kernel \u3067\u52d5\u3044\u3066\u3044\u308b\u3053\u3068\u3092\u78ba\u8a8d\u3059\u308b\u3002\u3053\u306e\u4e00\u9023\u306e\u5c65\u6b74\u304c\u305d\u308d\u3063\u3066\u521d\u3081\u3066\u3001\u5bfe\u5fdc\u6e08\u307f\u3068\u3044\u3046\u5224\u65ad\u306b\u610f\u5473\u304c\u751f\u3058\u308b\u3002<\/p>\n

\n

27. Dirty Pipe\u3001Copy Fail\u3001Dirty Frag \u3092\u3069\u3046\u8aad\u3080\u3079\u304d\u304b<\/h2>\n

Dirty Pipe\u3001Copy Fail\u3001Dirty Frag \u306f\u3001\u540d\u524d\u304c\u4f3c\u3066\u3044\u308b\u3060\u3051\u3067\u306f\u306a\u3044\u3002\u3044\u305a\u308c\u3082\u3001\u901a\u5e38\u306e\u30d5\u30a1\u30a4\u30eb\u6a29\u9650\u30e2\u30c7\u30eb\u3068\u306f\u5225\u306e\u7d4c\u8def\u304b\u3089\u3001\u5b9f\u884c\u6642\u306b\u8aad\u307e\u308c\u308b\u5185\u5bb9\u3078\u5f71\u97ff\u3092\u4e0e\u3048\u308b\u70b9\u3067\u3064\u306a\u304c\u3063\u3066\u3044\u308b\u3002Dirty Pipe \u306f pipe buffer \u5468\u8fba\u306e\u554f\u984c\u3068\u3057\u3066\u77e5\u3089\u308c\u3001Copy Fail \u306f algif_aead \u3068 scatterlist\u3001Dirty Frag \u306f xfrm-ESP \/ RxRPC \u3068 skb frag \u3078\u5e83\u304c\u3063\u305f\u3002\u5165\u53e3\u306f\u7570\u306a\u308b\u304c\u3001\u30d5\u30a1\u30a4\u30eb\u3001page cache\u3001pipe\u3001fragment\u3001in-place \u51e6\u7406\u3001\u5b9f\u884c\u6587\u8108\u306e\u5883\u754c\u3067\u610f\u5473\u304c\u58ca\u308c\u308b\u3068\u3044\u3046\u70b9\u3067\u306f\u3001\u9023\u7d9a\u3057\u305f\u554f\u984c\u3068\u3057\u3066\u8aad\u3081\u308b\u3002<\/p>\n

\u3053\u306e\u7cfb\u5217\u3092\u3001\u5358\u306b\u300cDirty \u7cfb\u8106\u5f31\u6027\u300d\u3068\u3057\u3066\u8868\u9762\u7684\u306b\u4e26\u3079\u308b\u3060\u3051\u3067\u306f\u8db3\u308a\u306a\u3044\u3002\u91cd\u8981\u306a\u306e\u306f\u3001\u30d5\u30a1\u30a4\u30eb\u6a29\u9650\u3001page cache\u3001pipe\u3001fragment\u3001in-place \u51e6\u7406\u3001\u5b9f\u884c\u6587\u8108\u306e\u9593\u3067\u3001\u3069\u306e\u610f\u5473\u304c\u4fdd\u5b58\u3055\u308c\u306a\u304b\u3063\u305f\u306e\u304b\u3092\u898b\u308b\u3053\u3068\u3067\u3042\u308b\u3002\u540d\u524d\u304c\u4f3c\u3066\u3044\u308b\u304b\u3089\u540c\u3058\u3060\u3068\u898b\u308b\u306e\u3067\u306f\u306a\u3044\u3002\u540c\u3058\u69cb\u9020\u3092\u6301\u3064\u304b\u3089\u3001\u6bd4\u8f03\u3059\u308b\u4fa1\u5024\u304c\u3042\u308b\u3002<\/p>\n\n\n\n\n\n\n\n
\u8106\u5f31\u6027<\/th>\n\u4e3b\u306a\u5165\u53e3<\/th>\n\u95a2\u4fc2\u3059\u308b\u62bd\u8c61<\/th>\n\u58ca\u308c\u308b\u610f\u5473<\/th>\n\u8aad\u307f\u53d6\u308b\u3079\u304d\u6559\u8a13<\/th>\n<\/tr>\n<\/thead>\n
Dirty Pipe<\/td>\npipe buffer \u5468\u8fba\u306e\u51e6\u7406\u3002<\/td>\npipe\u3001page cache\u3001buffer flag\u3001file-backed page\u3002<\/td>\n\u8aad\u307f\u53d6\u308a\u5c02\u7528\u30d5\u30a1\u30a4\u30eb\u7531\u6765\u306e page \u3068\u3001pipe buffer \u3068\u3057\u3066\u6271\u308f\u308c\u308b page \u306e\u610f\u5473\u304c\u305a\u308c\u308b\u3002<\/td>\n\u30d5\u30a1\u30a4\u30eb\u6a29\u9650\u3068\u306f\u5225\u306e\u7d4c\u8def\u3067 page cache \u306b\u5f71\u97ff\u304c\u53ca\u3076\u3068\u3001\u30c7\u30a3\u30b9\u30af\u4e0a\u306e\u6a29\u9650\u30e2\u30c7\u30eb\u3060\u3051\u3067\u306f\u5b89\u5168\u3092\u4fdd\u8a3c\u3067\u304d\u306a\u3044\u3002<\/td>\n<\/tr>\n
Copy Fail<\/td>\nAF_ALG\u3001algif_aead\u3001AEAD socket interface\u3002<\/td>\nsplice\u3001page cache\u3001scatterlist\u3001in-place crypto\u3002<\/td>\nread-only file-backed page \u304c\u3001\u6697\u53f7\u51e6\u7406\u306e writable destination \u3068\u3057\u3066\u6271\u308f\u308c\u5f97\u308b\u3002<\/td>\n\u6697\u53f7\u51e6\u7406\u306e\u6700\u9069\u5316\u3067\u3001\u5165\u529b page \u3068\u51fa\u529b page \u306e\u610f\u5473\u3092\u6df7\u540c\u3057\u3066\u306f\u306a\u3089\u306a\u3044\u3002<\/td>\n<\/tr>\n
Dirty Frag<\/td>\nxfrm-ESP\u3001RxRPC\u3002<\/td>\nMSG_SPLICE_PAGES\u3001pipe pages\u3001skb frag\u3001shared frag\u3001in-place decrypt\u3002<\/td>\nshared page \u3067\u3042\u308b\u3053\u3068\u304c\u5f8c\u6bb5\u3078\u4f1d\u308f\u3089\u305a\u3001private copy \u306a\u3057\u306b in-place \u51e6\u7406\u3055\u308c\u5f97\u308b\u3002<\/td>\n\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u51e6\u7406\u3084 fragment handling \u3067\u3082\u3001page \u306e\u7531\u6765\u3001\u5171\u6709\u6027\u3001\u66f8\u304d\u8fbc\u307f\u53ef\u5426\u3092\u4fdd\u5b58\u3057\u306a\u3051\u308c\u3070\u306a\u3089\u306a\u3044\u3002<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Dirty Frag \u304c\u793a\u3057\u305f\u306e\u306f\u3001Copy Fail \u306e\u6559\u8a13\u304c algif_aead \u56fa\u6709\u3067\u306f\u306a\u304b\u3063\u305f\u3053\u3068\u3060\u3002Copy Fail \u3092 algif_aead \u306e\u4e8b\u6545\u3068\u3057\u3066\u3060\u3051\u8aad\u3080\u306a\u3089\u3001Dirty Frag \u306f\u5225\u4ef6\u306b\u898b\u3048\u308b\u3002\u3057\u304b\u3057\u3001Copy Fail \u3092\u300c\u8aad\u307f\u53d6\u308a\u5c02\u7528\u7531\u6765\u306e page cache \u304c copy \u3055\u308c\u305a\u306b\u5225\u30b5\u30d6\u30b7\u30b9\u30c6\u30e0\u3078\u6e21\u3055\u308c\u3001\u5f8c\u6bb5\u3067 in-place \u306b\u66f8\u304d\u63db\u3048\u3089\u308c\u308b\u554f\u984c\u300d\u3068\u3057\u3066\u8aad\u3080\u306a\u3089\u3001Dirty Frag \u306f\u540c\u3058\u6559\u8a13\u306e\u6a2a\u5c55\u958b\u306b\u306a\u308b\u3002\u5165\u53e3\u306f\u5909\u308f\u308b\u3002\u5371\u967a\u306a\u6700\u9069\u5316\u306e\u5f62\u3082\u5909\u308f\u308b\u3002\u3057\u304b\u3057\u3001\u4e0a\u4f4d\u306e\u5b89\u5168\u610f\u5473\u304c\u4e0b\u4f4d\u3067\u5931\u308f\u308c\u308b\u5834\u6240\u304c\u5371\u967a\u3067\u3042\u308b\u3001\u3068\u3044\u3046\u539f\u7406\u306f\u5909\u308f\u3089\u306a\u3044\u3002<\/p>\n

\u3057\u305f\u304c\u3063\u3066\u3001Dirty Pipe\u3001Copy Fail\u3001Dirty Frag \u3092\u8aad\u3080\u3068\u304d\u306b\u306f\u3001\u56fa\u6709\u540d\u8a5e\u3067\u306f\u306a\u304f\u3001\u610f\u5473\u4fdd\u5b58\u306e\u5931\u6557\u3092\u898b\u308b\u5fc5\u8981\u304c\u3042\u308b\u3002pipe buffer\u3001scatterlist\u3001skb frag \u306f\u7570\u306a\u308b\u62bd\u8c61\u3067\u3042\u308b\u3002\u3057\u304b\u3057\u3001\u305d\u308c\u3089\u306f\u3044\u305a\u308c\u3082 page \u3092\u5225\u6587\u8108\u3078\u904b\u3076\u3002\u305d\u3053\u3067 file-backed\u3001read-only\u3001shared\u3001input\u3001root-reachable \u3068\u3044\u3046\u610f\u5473\u304c\u4fdd\u5b58\u3055\u308c\u306a\u3051\u308c\u3070\u3001\u901a\u5e38\u306e\u8aad\u307f\u53d6\u308a\u304c\u5b9f\u8cea\u7684\u306a\u66f8\u304d\u63db\u3048\u80fd\u529b\u3078\u5909\u8cea\u3059\u308b\u3002\u3053\u306e\u7cfb\u5217\u3092\u901a\u3058\u3066\u898b\u3048\u308b\u306e\u306f\u3001Linux kernel \u306e\u9ad8\u6027\u80fd\u5316\u304c\u3001\u610f\u5473\u4fdd\u5b58\u3092\u4f34\u308f\u306a\u3044\u5834\u5408\u306b\u6a29\u9650\u5883\u754c\u3092\u7834\u308b\u3068\u3044\u3046\u69cb\u9020\u3067\u3042\u308b\u3002<\/p>\n

\n

28. Dirty Frag \u304c\u5f37\u5316\u3057\u305f\u4e0d\u5909\u539f\u7406<\/h2>\n

Dirty Frag \u304c\u5f37\u5316\u3057\u305f\u4e0d\u5909\u539f\u7406\u306f\u3001\u6b21\u306e\u4e00\u6587\u306b\u307e\u3068\u3081\u3089\u308c\u308b\u3002\u30ab\u30fc\u30cd\u30eb\u306e\u5b89\u5168\u6027\u306f\u3001\u6a29\u9650\u30c1\u30a7\u30c3\u30af\u306e\u4e00\u70b9\u3067\u306f\u306a\u304f\u3001\u610f\u5473\u4fdd\u5b58\u306e\u9023\u9396\u306b\u4f9d\u5b58\u3057\u3066\u3044\u308b\u3002\u5165\u53e3\u3067\u6a29\u9650\u30c1\u30a7\u30c3\u30af\u3092\u3057\u3066\u3082\u3001\u305d\u306e\u5f8c\u306e\u51e6\u7406\u3067 file-backed\u3001read-only\u3001shared\u3001input\u3001unprivileged\u3001root-reachable \u3068\u3044\u3046\u610f\u5473\u304c\u5931\u308f\u308c\u308c\u3070\u3001\u5b89\u5168\u6027\u306f\u7834\u308c\u308b\u3002\u9006\u306b\u3001\u4e0b\u4f4d\u30ec\u30a4\u30e4\u30fc\u306e\u6700\u9069\u5316\u304c\u3069\u308c\u307b\u3069\u6709\u52b9\u3067\u3082\u3001\u4e0a\u4f4d\u30ec\u30a4\u30e4\u30fc\u306e\u5236\u7d04\u3092\u6d88\u3057\u3066\u3057\u307e\u3046\u306a\u3089\u3001\u305d\u306e\u6700\u9069\u5316\u306f\u5b89\u5168\u6027\u3092\u58ca\u3059\u3002<\/p>\n

\u3053\u306e\u539f\u7406\u306f\u3001Copy Fail \u306b\u3082 Dirty Frag \u306b\u3082\u901a\u7528\u3059\u308b\u3002Copy Fail \u3067\u306f algif_aead \u306e in-place \u6700\u9069\u5316\u304c\u554f\u984c\u3060\u3063\u305f\u3002Dirty Frag \u3067\u306f xfrm-ESP \u3068 RxRPC \u306e in-place \/ fragment handling \u304c\u554f\u984c\u3060\u3063\u305f\u3002\u9055\u3044\u306f\u5165\u53e3\u3067\u3042\u308a\u3001\u672c\u8cea\u3067\u306f\u306a\u3044\u3002\u4e21\u8005\u306e\u5171\u901a\u70b9\u306f\u3001\u8aad\u307f\u53d6\u308a\u5c02\u7528\u7531\u6765\u306e page cache \u304c\u3001\u5225\u30b5\u30d6\u30b7\u30b9\u30c6\u30e0\u306e\u5185\u90e8\u8868\u73fe\u306b\u5305\u307e\u308c\u305f\u3042\u3068\u3001\u5165\u529b\u3067\u3042\u308b\u3068\u3044\u3046\u610f\u5473\u3068\u66f8\u304d\u8fbc\u307f\u7981\u6b62\u3067\u3042\u308b\u3068\u3044\u3046\u610f\u5473\u3092\u5341\u5206\u306b\u4fdd\u6301\u3067\u304d\u306a\u304b\u3063\u305f\u70b9\u306b\u3042\u308b\u3002<\/p>\n\n\n\n\n\n\n\n\n\n
\u4e0d\u5909\u539f\u7406<\/th>\n\u6280\u8853\u5c64\u3067\u306e\u610f\u5473<\/th>\n\u904b\u7528\u5c64\u3067\u306e\u610f\u5473<\/th>\n<\/tr>\n<\/thead>\n
byte \u5217\u3060\u3051\u3067\u306a\u304f\u610f\u5473\u3092\u4fdd\u5b58\u3059\u308b\u3002<\/td>\npage \u306e provenance\u3001writability\u3001sharing\u3001direction \u3092\u30b5\u30d6\u30b7\u30b9\u30c6\u30e0\u5883\u754c\u3067\u5931\u308f\u305b\u306a\u3044\u3002<\/td>\nCVE \u756a\u53f7\u3060\u3051\u3067\u306a\u304f\u3001\u81ea\u5206\u306e\u74b0\u5883\u306b\u304a\u3051\u308b\u9732\u51fa\u3001\u6a5f\u80fd\u5229\u7528\u3001\u5b9f\u884c\u7d4c\u8def\u3092\u898b\u308b\u3002<\/td>\n<\/tr>\n
read-only file-backed shared page \u3092 output \u306b\u3057\u306a\u3044\u3002<\/td>\nshared page \u306a\u3089 private copy \u3092\u4f5c\u308b\u304b\u3001in-place \u51e6\u7406\u3092\u907f\u3051\u308b\u3002<\/td>\n\u66ab\u5b9a mitigation \u3067\u5165\u53e3\u3092\u585e\u304e\u3001\u6700\u7d42\u7684\u306b\u306f\u4fee\u6b63\u6e08\u307f kernel \u3078\u79fb\u884c\u3059\u308b\u3002<\/td>\n<\/tr>\n
\u66ab\u5b9a\u5bfe\u7b56\u3068\u6839\u672c\u5bfe\u7b56\u3092\u6df7\u540c\u3057\u306a\u3044\u3002<\/td>\nmodule \u7121\u52b9\u5316\u306f\u65e2\u77e5\u5165\u53e3\u3092\u9589\u3058\u308b\u3060\u3051\u3067\u3001\u51e6\u7406\u7d4c\u8def\u306e\u4fee\u6b63\u3067\u306f\u306a\u3044\u3002<\/td>\nkernel update\u3001reboot\u3001\u8d77\u52d5\u78ba\u8a8d\u307e\u3067\u3092\u5bfe\u5fdc\u5b8c\u4e86\u306e\u6761\u4ef6\u306b\u3059\u308b\u3002<\/td>\n<\/tr>\n
\u5b9f\u884c\u6642\u72b6\u614b\u3092\u5b89\u5168\u5224\u65ad\u306b\u542b\u3081\u308b\u3002<\/td>\n\u30c7\u30a3\u30b9\u30af\u4e0a\u306e\u30d5\u30a1\u30a4\u30eb\u304c\u7121\u50b7\u3067\u3082\u3001page cache \u304c\u6c5a\u67d3\u3055\u308c\u3066\u3044\u308c\u3070\u5b9f\u884c\u6642\u610f\u5473\u306f\u5909\u308f\u308b\u3002<\/td>\n\u5fc5\u8981\u306b\u5fdc\u3058\u3066 drop_caches\u3001reboot\u3001\u30ed\u30b0\u78ba\u8a8d\u3001\u4fb5\u5bb3\u53ef\u80fd\u6027\u306e\u8a55\u4fa1\u3092\u884c\u3046\u3002<\/td>\n<\/tr>\n
\u500b\u5225 CVE \u3067\u306f\u306a\u304f bug class \u3092\u898b\u308b\u3002<\/td>\nalgif_aead\u3001xfrm-ESP\u3001RxRPC \u3068\u3044\u3046\u540d\u524d\u3067\u306f\u306a\u304f\u3001\u4e0d\u5909\u6761\u4ef6\u306e\u7834\u308c\u3092\u898b\u308b\u3002<\/td>\n\u8106\u5f31\u6027\u306e\u6d2a\u6c34\u3067\u306f\u3001CVE \u5358\u4f4d\u3067\u306f\u306a\u304f\u9732\u51fa\u3068\u6a2a\u5c55\u958b\u53ef\u80fd\u6027\u3067\u512a\u5148\u9806\u4f4d\u3092\u6c7a\u3081\u308b\u3002<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

\u3053\u306e\u8868\u304b\u3089\u5206\u304b\u308b\u3088\u3046\u306b\u3001Dirty Frag \u304c\u5f37\u5316\u3057\u305f\u306e\u306f\u3001\u7279\u5b9a\u30e2\u30b8\u30e5\u30fc\u30eb\u306e\u5371\u967a\u6027\u3067\u306f\u306a\u3044\u3002Dirty Frag \u304c\u5f37\u5316\u3057\u305f\u306e\u306f\u3001\u4e0a\u4f4d\u30ec\u30a4\u30e4\u30fc\u306e\u5b89\u5168\u610f\u5473\u3092\u4e0b\u4f4d\u30ec\u30a4\u30e4\u30fc\u3078\u904b\u3070\u306a\u3051\u308c\u3070\u306a\u3089\u306a\u3044\u3068\u3044\u3046\u539f\u7406\u3067\u3042\u308b\u3002Copy Fail \u306e\u6bb5\u968e\u3067\u306f\u3001\u3053\u306e\u539f\u7406\u306f algif_aead \u3068 scatterlist \u306e\u554f\u984c\u3068\u3057\u3066\u898b\u3048\u3084\u3059\u304b\u3063\u305f\u3002Dirty Frag \u306b\u3088\u3063\u3066\u3001\u540c\u3058\u539f\u7406\u304c xfrm-ESP\u3001RxRPC\u3001skb frag \u3068\u3044\u3046\u5225\u9818\u57df\u306b\u3082\u73fe\u308c\u308b\u3053\u3068\u304c\u5206\u304b\u3063\u305f\u3002\u3064\u307e\u308a\u3001Dirty Frag \u306f Copy Fail \u306e\u6559\u8a13\u3092\u5426\u5b9a\u3057\u305f\u306e\u3067\u306f\u306a\u304f\u3001\u62bd\u8c61\u5ea6\u3092\u4e0a\u3052\u305f\u3002<\/p>\n

\u3057\u305f\u304c\u3063\u3066\u3001\u4e0d\u5909\u539f\u7406\u306f\u5358\u306a\u308b\u30b9\u30ed\u30fc\u30ac\u30f3\u3067\u306f\u306a\u3044\u3002\u8a2d\u8a08\u3067\u306f\u3001page \u306e\u7531\u6765\u3001\u5171\u6709\u6027\u3001\u66f8\u304d\u8fbc\u307f\u53ef\u5426\u3001\u5165\u529b\u3068\u51fa\u529b\u306e\u533a\u5225\u3092\u4fdd\u6301\u3059\u308b\u5fc5\u8981\u304c\u3042\u308b\u3002\u5b9f\u88c5\u3067\u306f\u3001in-place \u51e6\u7406\u306e\u524d\u306b\u3001\u5bfe\u8c61 page \u304c\u672c\u5f53\u306b\u66f8\u304d\u63db\u3048\u3066\u3088\u3044\u9818\u57df\u304b\u3092\u5224\u65ad\u3059\u308b\u5fc5\u8981\u304c\u3042\u308b\u3002\u904b\u7528\u3067\u306f\u3001\u66ab\u5b9a mitigation \u3068 kernel update \u3068 reboot \u3092\u533a\u5225\u3059\u308b\u5fc5\u8981\u304c\u3042\u308b\u3002\u8106\u5f31\u6027\u7ba1\u7406\u3067\u306f\u3001CVE \u756a\u53f7\u3067\u306f\u306a\u304f\u3001\u81ea\u5206\u306e\u74b0\u5883\u306b\u304a\u3051\u308b\u9732\u51fa\u3068\u5230\u9054\u53ef\u80fd\u6027\u3092\u898b\u308b\u5fc5\u8981\u304c\u3042\u308b\u3002\u3053\u308c\u3089\u306f\u3059\u3079\u3066\u3001\u610f\u5473\u4fdd\u5b58\u306e\u9023\u9396\u3068\u3044\u3046\u540c\u3058\u539f\u7406\u306b\u5f93\u3063\u3066\u3044\u308b\u3002<\/p>\n

\n

29. \u7d50\u8ad6<\/h2>\n

Dirty Frag \u306f\u3001Copy Fail \u306e\u6559\u8a13\u3092\u66f8\u304d\u63db\u3048\u305f\u306e\u3067\u306f\u306a\u3044\u3002Copy Fail \u306e\u6559\u8a13\u3092\u3001\u500b\u5225\u30e2\u30b8\u30e5\u30fc\u30eb\u306e\u5371\u967a\u304b\u3089\u3001\u30ab\u30fc\u30cd\u30eb\u8a2d\u8a08\u4e0a\u306e\u610f\u5473\u4fdd\u5b58\u539f\u7406\u3078\u5f15\u304d\u4e0a\u3052\u305f\u3002Copy Fail \u306e\u6642\u70b9\u3067\u306f\u3001\u554f\u984c\u306f algif_aead\u3001AF_ALG\u3001scatterlist\u3001page cache \u306e\u7d50\u5408\u3068\u3057\u3066\u898b\u3048\u305f\u3002Dirty Frag \u306b\u3088\u3063\u3066\u3001\u540c\u3058\u7a2e\u985e\u306e\u554f\u984c\u304c xfrm-ESP\u3001RxRPC\u3001skb frag\u3001shared frag\u3001in-place decrypt \u306e\u7d50\u5408\u3068\u3057\u3066\u3082\u6210\u7acb\u3059\u308b\u3053\u3068\u304c\u793a\u3055\u308c\u305f\u3002\u5165\u53e3\u306f\u5909\u308f\u3063\u305f\u304c\u3001\u58ca\u308c\u305f\u69cb\u9020\u306f\u540c\u3058\u3067\u3042\u308b\u3002<\/p>\n

\u500b\u5225\u5bfe\u7b56\u306f\u5909\u308f\u308b\u3002Copy Fail \u3067\u306f algif_aead \u304c\u7126\u70b9\u3060\u3063\u305f\u3002Dirty Frag \u3067\u306f esp4\u3001esp6\u3001rxrpc \u304c\u7126\u70b9\u306b\u306a\u308b\u3002Debian\u3001Ubuntu\u3001AlmaLinux\u3001Red Hat \u306a\u3069\u306e\u5bfe\u5fdc\u72b6\u6cc1\u3082\u6642\u9593\u3068\u3068\u3082\u306b\u5909\u308f\u308b\u3002\u3057\u304b\u3057\u3001\u6700\u7d42\u7684\u306b\u4fee\u6b63\u6e08\u307f kernel \u3078\u66f4\u65b0\u3057\u3001\u518d\u8d77\u52d5\u3057\u3001\u5b9f\u969b\u306b\u305d\u306e kernel \u3067\u8d77\u52d5\u3057\u3066\u3044\u308b\u3053\u3068\u3092\u78ba\u8a8d\u3059\u308b\u3068\u3044\u3046\u904b\u7528\u539f\u5247\u306f\u5909\u308f\u3089\u306a\u3044\u3002module blacklist\u3001rmmod\u3001drop_caches \u306f\u3001\u305d\u308c\u305e\u308c\u6709\u7528\u306a\u5834\u9762\u3092\u6301\u3064\u304c\u3001\u6839\u672c\u5bfe\u7b56\u3067\u306f\u306a\u3044\u3002\u6839\u672c\u5bfe\u7b56\u306f\u3001\u58ca\u308c\u305f\u610f\u5473\u4fdd\u5b58\u306e\u7d4c\u8def\u304c\u4fee\u6b63\u3055\u308c\u305f kernel \u3067\u52d5\u304f\u3053\u3068\u3067\u3042\u308b\u3002<\/p>\n

\u6839\u672c\u7684\u306b\u306f\u3001\u5b89\u5168\u6027\u3068\u306f byte \u5217\u306e\u4fdd\u8b77\u3067\u306f\u306a\u304f\u3001byte \u5217\u306b\u4ed8\u968f\u3059\u308b\u610f\u5473\u306e\u4fdd\u5b58\u3067\u3042\u308b\u3002file-backed \u3067\u3042\u308b\u3053\u3068\u3001read-only \u3067\u3042\u308b\u3053\u3068\u3001shared page cache \u3067\u3042\u308b\u3053\u3068\u3001\u5165\u529b\u3067\u3042\u308b\u3053\u3068\u3001\u4f4e\u6a29\u9650\u4e3b\u4f53\u306e\u64cd\u4f5c\u3067\u3042\u308b\u3053\u3068\u3001\u5f8c\u3067 root \u6587\u8108\u3067\u8aad\u307e\u308c\u5f97\u308b\u3053\u3068\u3002\u3053\u308c\u3089\u306e\u610f\u5473\u304c\u30b5\u30d6\u30b7\u30b9\u30c6\u30e0\u5883\u754c\u3092\u8d8a\u3048\u3066\u4fdd\u5b58\u3055\u308c\u308b\u9650\u308a\u3001\u5b89\u5168\u6027\u306f\u7dad\u6301\u3055\u308c\u308b\u3002\u3053\u308c\u3089\u306e\u610f\u5473\u304c\u6700\u9069\u5316\u306b\u3088\u3063\u3066\u5265\u843d\u3057\u305f\u3068\u304d\u3001\u8aad\u307f\u53d6\u308a\u6a29\u9650\u306f\u5b9f\u8cea\u7684\u306a\u66f8\u304d\u63db\u3048\u80fd\u529b\u3078\u5909\u8cea\u3057\u3001LPE \u304c\u6210\u7acb\u3059\u308b\u3002<\/p>\n\n\n\n\n\n\n\n\n\n
\u6700\u7d42\u6559\u8a13<\/th>\n\u610f\u5473<\/th>\n<\/tr>\n<\/thead>\n
\u4e0a\u4f4d\u30ec\u30a4\u30e4\u30fc\u306e\u5236\u7d04\u304c\u3001\u4e0b\u4f4d\u30ec\u30a4\u30e4\u30fc\u306e\u6700\u9069\u5316\u3067\u6d88\u3048\u308b\u5834\u6240\u304c\u5371\u967a\u3067\u3042\u308b\u3002<\/td>\nfile permission\u3001page cache\u3001pipe\u3001scatterlist\u3001skb frag\u3001in-place \u51e6\u7406\u306e\u5883\u754c\u3067\u3001read-only \u3084 shared \u3068\u3044\u3046\u610f\u5473\u304c\u4fdd\u5b58\u3055\u308c\u306a\u3051\u308c\u3070\u3001\u6a29\u9650\u5883\u754c\u306f\u7834\u308c\u308b\u3002<\/td>\n<\/tr>\n
\u66ab\u5b9a\u5bfe\u7b56\u306f\u5165\u53e3\u3092\u585e\u3050\u304c\u3001\u4e0d\u5909\u539f\u7406\u3092\u4fee\u6b63\u3057\u306a\u3044\u3002<\/td>\nalgif_aead\u3001esp4\u3001esp6\u3001rxrpc \u306e\u7121\u52b9\u5316\u306f\u6642\u9593\u7a3c\u304e\u3067\u3042\u308a\u3001\u6700\u7d42\u7684\u306b\u306f\u4fee\u6b63\u6e08\u307f kernel \u3078\u306e\u66f4\u65b0\u3068 reboot \u304c\u5fc5\u8981\u3067\u3042\u308b\u3002<\/td>\n<\/tr>\n
LPE \u306f\u4fb5\u5165\u53e3\u3067\u306f\u306a\u304f\u5897\u5e45\u5668\u3068\u3057\u3066\u8a55\u4fa1\u3059\u308b\u3002<\/td>\nremote exploit \u3067\u306f\u306a\u304f\u3066\u3082\u3001SSH\u3001Web shell\u3001CI runner\u3001container \u306a\u3069\u306e\u4f4e\u6a29\u9650\u5b9f\u884c\u7d4c\u8def\u3068\u7d50\u5408\u3059\u308c\u3070\u3001root \u5316\u306e\u5b9f\u52d9\u7684\u30ea\u30b9\u30af\u306b\u306a\u308b\u3002<\/td>\n<\/tr>\n
CVE \u3067\u306f\u306a\u304f\u9732\u51fa\u3092\u7ba1\u7406\u3059\u308b\u3002<\/td>\n\u8106\u5f31\u6027\u306e\u6570\u304c\u5897\u3048\u308b\u6642\u4ee3\u306b\u306f\u3001CVE \u756a\u53f7\u3084 CVSS \u3060\u3051\u3067\u306a\u304f\u3001\u81ea\u5206\u306e\u74b0\u5883\u3067\u306e\u5230\u9054\u53ef\u80fd\u6027\u3001\u4fee\u6b63\u53ef\u80fd\u6027\u3001\u518d\u8d77\u52d5\u53ef\u80fd\u6027\u3092\u898b\u308b\u5fc5\u8981\u304c\u3042\u308b\u3002<\/td>\n<\/tr>\n
AI \u6642\u4ee3\u306b\u306f bug class \u306e\u6a2a\u5c55\u958b\u3092\u898b\u308b\u3002<\/td>\n\u4e00\u3064\u306e\u8106\u5f31\u6027\u304c\u898b\u3064\u304b\u3063\u305f\u3068\u304d\u3001\u540c\u3058\u4e0d\u5909\u6761\u4ef6\u9055\u53cd\u304c\u5225\u30b5\u30d6\u30b7\u30b9\u30c6\u30e0\u3067\u6210\u7acb\u3057\u306a\u3044\u304b\u3092\u8abf\u3079\u308b\u5fc5\u8981\u304c\u3042\u308b\u3002<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

\u3057\u305f\u304c\u3063\u3066\u3001Dirty Frag \u304b\u3089\u5f97\u308b\u3079\u304d\u6700\u7d42\u6559\u8a13\u306f\u3001\u6b21\u3067\u3042\u308b\u3002\u4e0a\u4f4d\u30ec\u30a4\u30e4\u30fc\u306e\u5236\u7d04\u304c\u3001\u4e0b\u4f4d\u30ec\u30a4\u30e4\u30fc\u306e\u6700\u9069\u5316\u3067\u6d88\u3048\u308b\u5834\u6240\u304c\u5371\u967a\u3067\u3042\u308b\u3002\u3053\u308c\u306f Copy Fail \u306e\u6642\u70b9\u3067\u3082\u898b\u3048\u3066\u3044\u305f\u304c\u3001Dirty Frag \u306b\u3088\u3063\u3066\u3001\u3088\u308a\u5f37\u304f\u78ba\u8a8d\u3055\u308c\u305f\u3002\u6559\u8a13\u306f\u66f8\u304d\u63db\u308f\u3089\u306a\u3044\u3002\u3080\u3057\u308d\u3001\u4e0d\u5909\u539f\u7406\u3068\u3057\u3066\u5f37\u5316\u3055\u308c\u305f\u3002<\/p>\n

\n

\u53c2\u8003\u6587\u732e<\/h2>\n
    \n
  1. id774, CVE-2026-31431 \u306b\u3064\u3044\u3066\u5fb9\u5e95\u7684\u306b\u8003\u3048\u308b\uff082026-05-06\uff09. https:\/\/blog.id774.net\/entry\/2026\/05\/06\/4730\/<\/a><\/li>\n
  2. V4bel, dirtyfrag. GitHub. https:\/\/github.com\/V4bel\/dirtyfrag<\/a><\/li>\n
  3. V4bel, dirtyfrag\/assets\/write-up.md. GitHub. https:\/\/github.com\/V4bel\/dirtyfrag\/blob\/master\/assets\/write-up.md<\/a><\/li>\n
  4. Microsoft Defender Security Research Team, Active attack: Dirty Frag Linux vulnerability expands post-compromise risk. https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/05\/08\/active-attack-dirty-frag-linux-vulnerability-expands-post-compromise-risk\/<\/a><\/li>\n
  5. Tenable, Dirty Frag (CVE-2026-43284,CVE-2026-43500). https:\/\/www.tenable.com\/blog\/dirty-frag-cve-2026-43284-cve-2026-43500-frequently-asked-questions-linux-kernel-lpe<\/a><\/li>\n
  6. NVD, CVE-2026-43284 Detail. https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2026-43284<\/a><\/li>\n
  7. Debian Security Tracker, CVE-2026-43284. https:\/\/security-tracker.debian.org\/tracker\/CVE-2026-43284<\/a><\/li>\n
  8. Ubuntu, Dirty Frag Linux kernel local privilege escalation vulnerability fixes available. https:\/\/ubuntu.com\/blog\/dirty-frag-linux-vulnerability-fixes-available<\/a><\/li>\n
  9. Ubuntu Security, CVE-2026-43284. https:\/\/ubuntu.com\/security\/CVE-2026-43284<\/a><\/li>\n
  10. Ubuntu Security, CVE-2026-43500. https:\/\/ubuntu.com\/security\/CVE-2026-43500<\/a><\/li>\n
  11. AlmaLinux, Dirty Frag (CVE-2026-43284, CVE-2026-43500). https:\/\/almalinux.org\/blog\/2026-05-07-dirty-frag\/<\/a><\/li>\n
  12. Red Hat, CVE-2026-43284. https:\/\/access.redhat.com\/security\/cve\/cve-2026-43284<\/a><\/li>\n
  13. Sophos, Advisory: Linux Kernel LPE – Dirty Frag. https:\/\/www.sophos.com\/en-us\/security-advisories\/sophos-sa-20260508-dirtyfrag<\/a><\/li>\n
  14. Elastic Security Labs, Copy Fail and DirtyFrag: Linux Page Cache Bugs in the Wild. https:\/\/www.elastic.co\/security-labs\/copy-fail-dirtyfrag-linux-page-bugs-in-the-wild<\/a><\/li>\n
  15. Qualys, Dirty Frag: Using the Page Caches as an Attack Surface. https:\/\/blog.qualys.com\/product-tech\/vulnmgmt-detection-response\/2026\/05\/09\/dirty-frag-using-the-page-caches-as-an-attack-surface<\/a><\/li>\n
  16. CERT-EU, High Vulnerability in the Linux Kernel \u201cCopy Fail\u201d. https:\/\/cert.europa.eu\/publications\/security-advisories\/2026-005\/<\/a><\/li>\n
  17. NVD, CVE-2026-31431 Detail. https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2026-31431<\/a><\/li>\n
  18. Microsoft Defender Security Research Team, CVE-2026-31431: Copy Fail vulnerability enables Linux root privilege escalation across cloud environments. https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/05\/01\/cve-2026-31431-copy-fail-vulnerability-enables-linux-root-privilege-escalation\/<\/a><\/li>\n
  19. Cloudflare, How Cloudflare responded to the \u201cCopy Fail\u201d Linux vulnerability. https:\/\/blog.cloudflare.com\/copy-fail-linux-vulnerability-mitigation\/<\/a><\/li>\n
  20. Linux Kernel Documentation, User Space Interface. https:\/\/docs.kernel.org\/crypto\/userspace-if.html<\/a><\/li>\n
  21. Linux Kernel Documentation, RxRPC Network Protocol. https:\/\/docs.kernel.org\/networking\/rxrpc.html<\/a><\/li>\n
  22. Ubuntu Manpages, rxrpc(7). https:\/\/manpages.ubuntu.com\/manpages\/jammy\/man7\/rxrpc.7.html<\/a><\/li>\n
  23. Linux Kernel Documentation, Linux Networking and Network Devices APIs. https:\/\/docs.kernel.org\/networking\/kapi.html<\/a><\/li>\n
  24. LWN.net, crypto: af_alg – Remove zero-copy support from AF_ALG. https:\/\/lwn.net\/Articles\/1071203\/<\/a><\/li>\n
  25. Sysdig, Dirty Frag (CVE-2026-43284 and CVE-2026-43500). https:\/\/www.sysdig.com\/blog\/dirty-frag-cve-2026-43284-and-cve-2026-43500-detecting-unpatched-local-privilege-escalation-via-linux-kernel-esp-and-rxrpc<\/a><\/li>\n
  26. Wiz, Dirty Frag (CVE-2026-43284) Linux Privilege Escalation. https:\/\/www.wiz.io\/blog\/dirty-frag-linux-kernel-local-privilege-escalation-via-esp-and-rxrpc<\/a><\/li>\n
  27. Unit 42, Copy Fail: What You Need to Know About the Most Severe Linux Kernel Vulnerability. https:\/\/unit42.paloaltonetworks.com\/cve-2026-31431-copy-fail\/<\/a><\/li>\n
  28. Bugcrowd, What we know about Copy Fail (CVE-2026-31431). https:\/\/www.bugcrowd.com\/blog\/what-we-know-about-copy-fail-cve-2026-31431\/<\/a><\/li>\n
  29. Theori, CVE-2026-31431: Copy Fail. https:\/\/theori.io\/blog\/cve-2026-31431-copy-fail<\/a><\/li>\n
  30. CISA, Known Exploited Vulnerabilities Catalog. https:\/\/www.cisa.gov\/known-exploited-vulnerabilities-catalog<\/a><\/li>\n
  31. Tenable, Why the approaching flood of vulnerabilities changes everything \u2014 and what to do about it. https:\/\/www.tenable.com\/blog\/why-the-approaching-flood-of-vulnerabilities-changes-everything-and-what-to-do-about-it<\/a><\/li>\n
  32. id774, Claude Mythos \u306f\u4e16\u754c\u3092\u3069\u3046\u5909\u3048\u305f\u306e\u304b\uff082026-05-08\uff09. https:\/\/blog.id774.net\/entry\/2026\/05\/08\/4737\/<\/a><\/li>\n
  33. id774, Ubuntu 26.04 LTS \u306e\u8a2d\u8a08\u3068\u904b\u7528\u5224\u65ad\uff082026-04-12\uff09. https:\/\/blog.id774.net\/entry\/2026\/04\/12\/4406\/<\/a><\/li>\n
  34. id774, \u30d0\u30c3\u30af\u30a2\u30c3\u30d7\u3068\u306f\u5fa9\u5143\u53ef\u80fd\u6027\u3092\u8a2d\u8a08\u3059\u308b\u3053\u3068\u3067\u3042\u308b\uff082026-05-07\uff09. https:\/\/blog.id774.net\/entry\/2026\/05\/07\/4728\/<\/a><\/li>\n
  35. id774, \u30d0\u30c3\u30af\u30a2\u30c3\u30d7\u30fb\u30ea\u30ab\u30d0\u30ea\u30fc\u6226\u7565\u306b\u304a\u3051\u308b\u7269\u7406\u5a92\u4f53\u7ba1\u7406\u306e\u8003\u3048\u65b9\uff082026-05-10\uff09. https:\/\/blog.id774.net\/entry\/2026\/05\/10\/4743\/<\/a><\/li>\n
  36. id774, \u610f\u5473\u306f\u5dee\u7570\u306e\u8aad\u307f\u53d6\u308a\u304b\u3089\u751f\u307e\u308c\u308b\uff082026-05-09\uff09. https:\/\/blog.id774.net\/entry\/2026\/05\/09\/4740\/<\/a><\/li>\n
  37. id774, \u69cb\u9020\u30fb\u6642\u9593\u30fb\u751f\u547d\u30fb\u610f\u5473\u30fb\u77e5\u80fd\u30fb\u81ea\u5df1\u30fbAI \u3092\u751f\u6210\u9023\u9396\u3068\u3057\u3066\u8aac\u660e\u3059\u308b\uff082026-04-14\uff09. https:\/\/blog.id774.net\/entry\/2026\/04\/14\/4438\/<\/a><\/li>\n
  38. id774, \u89b3\u6e2c\u3092\u60c5\u5831\u66f4\u65b0\u3068\u3057\u3066\u5b9a\u5f0f\u5316\u3059\u308b\u5b87\u5b99\u8ad6\uff082026-03-30\uff09. https:\/\/blog.id774.net\/entry\/2026\/03\/30\/4239\/<\/a><\/li>\n
  39. id774, \u6642\u9593\u306f\u306a\u305c\u4e00\u65b9\u5411\u306b\u9032\u3080\u306e\u304b\uff082026-04-26\uff09. https:\/\/blog.id774.net\/entry\/2026\/04\/26\/4613\/<\/a><\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"

    Copy Fail \u306b\u3064\u3044\u3066\u306f\u65e2\u7a3f\u3067\u3001Linux \u30ab\u30fc\u30cd\u30eb\u306e\u6697\u53f7 API\u3001AF_ALG\u3001algif_aead\u3001AEAD\u3001splice\u3001page cache\u3001scatterlist\u3001setuid root \u30d0\u30a4\u30ca\u30ea\u304c\u7d50\u5408\u3057 … \u7d9a\u304d\u3092\u8aad\u3080<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26,24,30,14],"tags":[],"class_list":["post-4753","post","type-post","status-publish","format-standard","hentry","category-math","category-science","category-security","category-tech"],"_links":{"self":[{"href":"https:\/\/blog.id774.net\/entry\/wp-json\/wp\/v2\/posts\/4753","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.id774.net\/entry\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.id774.net\/entry\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.id774.net\/entry\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.id774.net\/entry\/wp-json\/wp\/v2\/comments?post=4753"}],"version-history":[{"count":3,"href":"https:\/\/blog.id774.net\/entry\/wp-json\/wp\/v2\/posts\/4753\/revisions"}],"predecessor-version":[{"id":4756,"href":"https:\/\/blog.id774.net\/entry\/wp-json\/wp\/v2\/posts\/4753\/revisions\/4756"}],"wp:attachment":[{"href":"https:\/\/blog.id774.net\/entry\/wp-json\/wp\/v2\/media?parent=4753"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.id774.net\/entry\/wp-json\/wp\/v2\/categories?post=4753"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.id774.net\/entry\/wp-json\/wp\/v2\/tags?post=4753"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}