Umbhobho omdaka, obona buthathaka bunzulu kwiminyaka kwiLinux

Kutshanje iindaba zikhutshwe kumnatha wokufunyanwa kwe ubuthathaka obutsha kwiLinux edweliswe njenge "Ubungqongqo obuphezulu" obuchaphazela zonke iinkozo ukusukela kwinguqulo 5.8, kunye nezinto eziphuma kuyo, kuquka i-Android.

Yaziwa njenge Umbhobho omdaka uvumela idatha ukuba ibhalwe ngaphezulu kwiifayile zokufunda kuphela kwaye inokukhokelela ekunyukeni kwamalungelo ngokufaka ikhowudi kwiinkqubo "zengcambu".

Nangona sele ikhutshiwe kwi-Linux kernel engundoqo, i-bug inokuba zixhobo ngendlela yelungelo lokunyuka lokuxhaphaza kuzo zonke izixhobo ezisebenzisa i-Linux kernel version 5.8 okanye kamva.

Kukwathetha ukuba iqela lee-smartphones ezisanda kukhutshwa ze-Android, njenge-Samsung Galaxy S22 kunye ne-Google Pixel 6, zisesichengeni, de isixhobo ngasinye sifumane i-kernel patch efanelekileyo kwi-OEM efanelekileyo.

Malunga noMbhobho omdaka

Ukuba sesichengeni kwaba ityhilwe ngumphandi wokhuseleko uMax Kellerman kwaye ifakwe kwikhathalogu njenge (CVE-2022-0847), kuthathe iinyanga ezimbalwa ukufumana i-process-of-concept exploit.

Ukuba sesichengeni kuvumela umsebenzisi ongafanelekanga ukuba afake kwaye abhale ngaphezulu idatha kwiifayile zokufunda kuphela, kubandakanywa iinkqubo ze-SUID ezisebenza njengengcambu. Igama lesidlaliso eliqhelekileyo libonakala lidlala kwi-bug edume kakubi Inkomo Engcolileyo kunye nendlela ye Linux ebizwa ngokuba yi pipelining yogqithiso lomyalezo, njengoko umva usetyenziswa ngexesha lesiqhelo lokuxhaphaza.

Yonke yaqala unyaka odlulileyo kunye netikiti lenkxaso ehambelana neefayile ezonakeleyo. Umthengi wakhalaza ngelithi iilogi zofikelelo ezikhutshelweyo azinakucocwa. Kwaye ngenene, bekukho ifayile yelog eyonakeleyo kwenye yeeseva zelog; isenokungacinezelwa, kodwa i-gzip ichaze impazamo ye-CRC. Andikwazanga ukucacisa ukuba kutheni yonakele, kodwa ndacinga ukuba inkqubo yokwahlula ebusuku iye yantlitheka kwaye yavelisa ifayile eyonakeleyo. Ndayilungisa ngesandla i-CRC yefayile, ndavala itikiti kwaye ndalibala ngokukhawuleza malunga nengxaki.

Emva kweenyanga zokuhlalutya, Umphandi ekugqibeleni wafumanisa ukuba iifayile zomxhasi ezonakeleyo ziziphumo zebug kwi-Linux kernel. Ufumene indlela yokusebenzisa i-Dirty Pipe ukuvumela nabani na one-akhawunti, kubandakanywa namalungelo angaphantsi "akukho mntu" akhawunti, ukongeza iqhosha le-SSH kwi-akhawunti yomsebenzisi weengcambu.

Ukuqala ukuba sesichengeni, uKellerman wabelane ngobungqina bakhe bengcinga, umhlaseli kufuneka abe ufunde iimvume. Kwakhona, ukuskrola akufuneki kube kumda wephepha, ukubhala akunako ukuwela umda wephepha, kwaye ifayile ayinakuphinda iphindwe.

Ukuxhaphaza obu buthathaka, kufuneka: udale umbhobho, ugcwalise umbhobho ngedatha engenamkhethe (ngokusetha iflegi yePIPE_BUF_FLAG_CAN_MERGE kuwo onke amangeno akwiringi), ukhuphe umbhobho (ushiya iseti yeflegi kuzo zonke iimeko zesakhiwo se-pipe_buffer kwisakhiwo wombhobho_inode_info ring), dibanisa idatha esuka kwifayile ekujoliswe kuyo (evulwe nge-O_RDONLY) kumbhobho ngaphambi nje kokunciphisa okujoliswe kuko, kwaye ubhale idatha engafanelekanga kumbhobho.

Umbhobho omdaka uchaphazela nayiphi na inguqulelo ye-Android esekwe kwenye yeenguqulelo ezisesichengeni zeLinux kernel. Ngenxa yokuba i-Android yahlukene kakhulu, iimodeli zesixhobo esichaphazelekayo azikwazi ukulandelwa ngokufanayo.

Ngokutsho kukaKellerman, UGoogle udibanise ukulungiswa kwebug kunye ne-Android kernel kwinyanga ephelileyo, kanye emva kokuba ilungisiwe ngokukhutshwa kweLinux kernel iinguqulelo 5.16.11, 5.15.25 kunye 5.10.102.

Sele siyithethile loo nto, kuya kufuneka silinde kancinci ngaphambi kokuba ii-OEMs ziqalise ukukhupha uhlaziyo lwe-Android oluqulethe ukulungiswa. I-Pixel 6 kaGoogle, umzekelo, isesichengeni, kodwa abasebenzisi abaphambili banokuthomalalisa isiphene ngokufaka ikernel ekhutshiweyo yasemva kwentengiso njengenye indlela.

Abaphuhlisi be-Linux kernel bakhuphe izilungiso (5.16.11, 5.15.25, 5.10.102) ngoFebruwari 23, ngelixa uGoogle wabhaca i-Android kernel ngoFebruwari 24. Kellermann kunye nezinye iingcali wathelekisa ukuba sesichengeni CVE-2016-5195 "Inkomo Emdaka" kwaye bathi kulula ngakumbi ukuxhaphaza.

Okokugqibela, ukuba unomdla wokwazi okungakumbi ngayo, unokujonga iinkcukacha Kule khonkco ilandelayo.


Umxholo wenqaku uyabambelela kwimigaqo yethu imigaqo yokuziphatha yokuhlela. Ukuxela impazamo cofa apha.

Yiba ngowokuqala ukuphawula

Shiya uluvo lwakho

Idilesi yakho ye email aziyi kupapashwa.

*

*

  1. Uxanduva lwedatha: UMiguel Ángel Gatón
  2. Injongo yedatha: Ulawulo lwe-SPAM, ulawulo lwezimvo.
  3. Umthetho: Imvume yakho
  4. Unxibelelwano lwedatha: Idatha ayizukuhanjiswa kubantu besithathu ngaphandle koxanduva lomthetho.
  5. Ukugcinwa kweenkcukacha
  6. Amalungelo: Ngalo naliphi na ixesha unganciphisa, uphinde uphinde ucime ulwazi lwakho.