Muva nje lezi zindaba zikhishwe kwi-net yokutholwa kwe ubungozi obusha ku-Linux ebhalwe njenge "Ukuqina Okuphezulu" okuthinta zonke izinhlamvu kusukela kunguqulo 5.8, kanye nokuphuma kokunye, okuhlanganisa i-Android.
Waziwa ngokuthi I-Dirty Pipe ivumela idatha ukuthi ibhalwe phezu kwamafayela okufunda kuphela futhi ingaholela ekwandeni kwamalungelo ngokufaka ikhodi kuzinqubo "zempande".
Yize isivele ifakwe nezichibiyelo ku-mainline Linux kernel, isiphazamisi singahlonyiswa ngendlela yokwenyuka kwelungelo kuwo wonke amadivayisi asebenzisa inguqulo ye-Linux kernel 5.8 noma kamuva.
Kusho futhi ukuthi inqwaba yama-smartphones e-Android asanda kukhishwa, njenge-Samsung Galaxy S22 ne-Google Pixel 6, nawo asengozini, kuze kube yilapho idivayisi ngayinye ithola i-kernel patch efanele ku-OEM efanele.
Mayelana Nepayipi Elingcolile
Ukuba sengozini kwaba kwembulwe umcwaningi wezokuphepha uMax Kellerman futhi ifakwe kuhlu njenge-(CVE-2022-0847), kuthathe izinyanga ezimbalwa ukuthola ukuxhashazwa kobufakazi bomqondo.
Ukuba sengozini kuvumela umsebenzisi ongenalo ilungelo ukuthi afake futhi abhale ngaphezulu idatha kumafayela okufunda kuphela, okuhlanganisa nezinqubo ze-SUID ezisebenza njengempande. Isidlaliso esivamile sibonakala siwumdlalo wesiphazamisi esidume kabi Inkomo Engcolile kanye nendlela ye-Linux ebizwa ngokuthi i-pipelining yokudlulisa umlayezo wokucubungula, njengoba lokhu kwakamuva kusetshenziswa phakathi nenqubo yokuxhaphaza.
Konke kwaqala ngonyaka odlule ngethikithi lokusekela elihlobene namafayela owonakele. Ikhasimende likhononde ngokuthi amalogi okufinyelela alandiwe awakwazanga ukupakishwa. Futhi ngempela, kwakukhona ifayela lokungena elonakele kwenye yeseva yelogi; ingahle ingacindezelwa, kodwa i-gzip ibike iphutha le-CRC. Angikwazanga ukuchaza ukuthi kungani yonakele, kodwa ngacabanga ukuthi inqubo yokuhlukanisa ebusuku yayiphahlazekile futhi yakhiqiza ifayela elonakele. Ngalungisa mathupha i-CRC yefayela, ngavala ithikithi, futhi ngokushesha ngakhohlwa inkinga.
Ngemva kwezinyanga zokuhlaziya, umcwaningi ekugcineni wathola ukuthi amafayela eklayenti eyonakele abe umphumela wesiphazamisi ku-Linux kernel. Uthole indlela yokusebenzisa i-Dirty Pipe ukuze avumele noma ubani one-akhawunti, okuhlanganisa nama-akhawunti "akekho" angenalungelo, ukwengeza ukhiye we-SSH ku-akhawunti yomsebenzisi oyimpande.
Ukuze acuphe ukuba sengozini, u-Kellerman wabelane ngobufakazi bakhe bomqondo, umhlaseli kufanele abe nezimvume ezifundile. Futhi, ukuskrola akumele kube semngceleni wekhasi, ukubhala akukwazi ukweqa umngcele wekhasi, futhi ifayela alinakushintshwa usayizi.
Ukuze usebenzise lobu sengozini, kufanele: udale ipayipi, ugcwalise ipayipi ngedatha engaqondile (ngokusetha ifulegi le-PIPE_BUF_FLAG_CAN_MERGE kukho konke okufakiwe kuringi), uthulule ipayipi (ushiye ifulegi limiswe kuzo zonke izimo zesakhiwo se-pipe_buffer esakhiweni. wendandatho ye-pipe_inode_info), hlanganisa idatha esuka efayeleni eliqondiwe (elivulwe ngokuthi O_RDONLY) uyifake epayipini ngaphambi nje kokucisha okuqondiwe, bese ubhala idatha engafanele epayipini.
I-Dirty Pipe iphinda ithinte noma iyiphi inguqulo ye-Android esekelwe kwenye yezinguqulo ezisengozini ye-Linux kernel. Ngenxa yokuthi i-Android ihlukene kakhulu, amamodeli edivayisi athintekile awakwazi ukulandelelwa ngokufana.
Ngokusho kukaKellerman, I-Google ihlanganise ukulungiswa kwayo kwesiphazamisi ne-Android kernel ngenyanga edlule, ngemuva nje kokuthi ilungiswe ngokukhishwa kwezinguqulo ze-Linux kernel 5.16.11, 5.15.25 kanye no-5.10.102.
Sengikushilo lokho, kuzodingeka silinde kancane ngaphambi kokuthi ama-OEM aqale ukukhipha izibuyekezo ze-Android eziqukethe ukulungiswa. I-Pixel 6 yakwaGoogle, ngokwesibonelo, isesengcupheni, kodwa abasebenzisi abathuthukile banganciphisa iphutha ngokufaka i-kernel ye-aftermarket efakwe ngokwezifiso njengenye inketho.
Abathuthukisi be-Linux kernel bakhiphe ukulungiswa (5.16.11, 5.15.25, 5.10.102) ngoFebhuwari 23, ngenkathi i-Google ipeyisha i-Android kernel ngoFebhuwari 24. U-Kellermann kanye nabanye ochwepheshe baqhathanisa ubungozi CVE-2016-5195 “Inkomo Engcolile” futhi bathi kulula nakakhulu ukuxhaphaza.
Ekugcineni, uma unentshisekelo yokwazi kabanzi ngakho, ungaxhumana nemininingwane Kulesi sixhumanisi esilandelayo.