Kutshanje, iindaba zaqhambuka kwi-Intanethi malunga nokufunyanwa kwe ubuthathaka obutsha kwiLinux edweliswe njenge "Ubuqatha obuphezulu" obuchaphazela zonke iinkozo ukusukela kwinguqulo 5.8, kunye nezinto eziphuma kuyo, kuquka i-Android.
Yaziwa njenge Umbhobho omdaka, uvumela idatha ukuba ibhalwe ngaphezulu kwiifayile zokufunda kuphela kwaye inokukhokelela ekunyukeni kwamalungelo ngokufaka ikhowudi kwiinkqubo zengcambu.
Nangona sele ikhutshiwe kwi-Linux kernel ephambili, i-bug inokuba zixhobo ngendlela yokuxhaphaka kwamalungelo kuzo zonke izixhobo ezisebenzisa i-Linux kernel version 5.8 okanye kamva.
Kukwathetha ukuba iqela lee-smartphones ezisanda kukhutshwa ze-Android, njenge-Samsung Galaxy S22 kunye ne-Google Pixel 6, zisesichengeni, de isixhobo ngasinye sifumane i-kernel patch efanelekileyo kwi-OEM efanelekileyo.
Malunga noMbhobho omdaka
Ukuba sesichengeni kwaba ityhilwe ngumphandi wokhuseleko uMax Kellerman kwaye ifakwe kwikhathalogu njenge (CVE-2022-0847), kuthathe iinyanga ezimbalwa ukufumana i-process-of-concept exploit.
Ukuba sesichengeni kuvumela umsebenzisi ongenanto ukuba afake kwaye abhale ngaphezulu idatha kwiifayile zokufunda kuphela, kubandakanywa iinkqubo ze-SUID ezisebenza njengengcambu. Igama lesiqhulo libonakala ngathi ngumdlalo wegciwane elidume kakubi Inkomo Engcolileyo kunye nendlela ye Linux ebizwa ngokuba yi pipelining yomyalezo odlulayo phakathi kweenkqubo, kuba le yokugqibela isetyenziswa ngexesha loxhaphazo lwesiqhelo.
Yonke yaqala unyaka odlulileyo kunye netikiti lenkxaso ehambelana neefayile ezonakeleyo. Umthengi wakhalaza ukuba iilogi zofikelelo ezikhutshelweyo azinakucocwa. Kwaye ngenene, bekukho ifayile yelog eyonakeleyo kwenye yeeseva zelog; isenokuthotywa, kodwa i-gzip ibichaza impazamo ye-CRC. Andikwazanga ukuchaza ukuba kutheni inkohlakalo, kodwa ndacinga ukuba inkqubo yokwahlula ebusuku iye yaphuka kwaye yavelisa ifayile eyonakeleyo. Ndayilungisa ngesandla i-CRC yefayile, ndavala itikiti, kwaye ngokukhawuleza ndalibala malunga nomba.
Emva kweenyanga zokuhlalutya, Umphandi ekugqibeleni wafumanisa ukuba iifayile zomxhasi ezonakeleyo ziziphumo ze-bug kwi-Linux kernel. Ufumene indlela yokusebenzisa i-Dirty Pipe ukuvumela nabani na one-akhawunti, kubandakanywa namalungelo angaphantsi "akukho mntu" akhawunti, ukongeza iqhosha le-SSH kwiakhawunti yomsebenzisi weengcambu.
Ukwenza ukuba sesichengeni kusebenze, uKellerman wabelane ngobungqina bakhe bengcinga, umhlaseli kufuneka abe efunde iimvume. Ukongezelela, i-offset ayifanele ibe kumda wephepha, ukubhala akukwazi ukuwela umda wephepha, kwaye ifayile ayikwazi ukutshintshwa.
Ukusebenzisa obu buthathaka, kufuneka: udale umbhobho, ugcwalise umbhobho ngedatha engenamkhethe (ukuseta PIPE_BUF_FLAG_CAN_MERGE iflegi kuwo onke amangeno eringi), gungxula umbhobho (ushiya iseti yeflegi kuzo zonke iimeko zesakhiwo se-pipe_buffer kwisakhiwo seringi) pipe_inode_info ring), dibanisa idatha esuka kwifayile yendawo ekuyiwa kuyo (evulwe nge O_RDONLY) kumbhobho ngaphambi nje kokuba indawo oya kuyo ucime kwaye ubhale idata engavumelekanga kumbhobho.
Umbhobho omdaka uchaphazela nayiphi na inguqulelo ye-Android esekwe kwenye yeenguqulelo ezisesichengeni zeLinux kernel. Kuba i-Android yahlulahlulwe, imodeli yesixhobo esichaphazelekayo ayinakulandelwa ngokufanayo.
Ngokutsho kukaKellermann, UGoogle udibanise izilungiso zebug kunye ne-Android kernel kwinyanga ephelileyo, kanye emva kokuba ilungisiwe ngokukhutshwa kweLinux kernel iinguqulelo 5.16.11, 5.15.25 kunye 5.10.102.
Oko kuthethiweyo, kuya kufuneka silinde ixeshana ngaphambi kokuba ii-OEMs ziqalise ukukhupha uhlaziyo lwe-Android oluqulethe ukulungiswa. I-Pixel 6 kaGoogle, umzekelo, ihlala isesichengeni, kodwa abasebenzisi abaphambili banokuthomalalisa isiphene ngokufaka i-kernel ekhutshiweyo ye-aftermarket yesiko njengokhetho lokubuyela umva.
Abaphuhlisi be-Linux kernel bakhuphe izilungiso (5.16.11, 5.15.25, 5.10.102) ngoFebruwari 23, ngelixa uGoogle etyhala isiziba kwi-Android kernel ngoFebruwari 24. Kellermann kunye nezinye iingcali wathelekisa ukuba sesichengeni CVE-2016-5195 "Inkomo Emdaka" kwaye bathi kulula ngakumbi ukuxhaphaza.
Okokugqibela, ukuba unomdla wokwazi okungakumbi ngayo, unokujonga iinkcukacha Kule khonkco ilandelayo.