A VFS vulnerability has been found in Linux that allows privilege escalation

A few days ago it was reported that a vulnerability (already catalogued as CVE-2022-0185) had been found in the filesystem context API provided by the Linux kernel, which could allow a local user to obtain root privileges on the system.

The problem is that an unprivileged user can obtain those privileges from inside an isolated container if user namespace support is enabled on the system.

For example, user namespaces are enabled by default on Ubuntu and Fedora, but not on Debian and RHEL (unless a container isolation platform is in use). Besides privilege escalation, the vulnerability can also be used to escape from an isolated container if the container holds the CAP_SYS_ADMIN capability.

The vulnerability is in the legacy_parse_param() function of the VFS and is caused by the lack of proper validation of the maximum size of the parameters supplied for filesystems that do not support the filesystem context API.

Recently, several friends on the Crusaders of Rust CTF team and I came across a Linux kernel heap 0-day. We found the bug by fuzzing with syzkaller and quickly developed it into an Ubuntu LPE exploit. We then rewrote it to escape and root Google's hardened Kubernetes CTF infrastructure. This bug affects all kernel versions since 5.1 (5.16 is currently in development) and has been assigned CVE-2022-0185. We have already reported this to the Linux distributions and the security mailing list, and the bug is fixed as of the release of this article.

Passing a large parameter can overflow the integer counter used to calculate the size of the data being written; the code has an "if (len > PAGE_SIZE - 2 - size)" buffer overflow check, which stops working once the accumulated size exceeds 4094 because the subtraction wraps through the lower bound (an integer underflow: when 4096 - 2 - 4095 is converted to an unsigned int, it yields 2147483648).

When a specially crafted FS image is mounted, this bug allows a buffer overflow to be triggered and kernel data following the allocated region to be overwritten. Exploiting the vulnerability requires the CAP_SYS_ADMIN right, i.e. administrative privileges.
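The following is an added example, not code from the original article or from the kernel: it models the size check quoted above in user space, with `PAGE_SIZE`, the accumulated `size` and the incoming `len` as the only inputs, so the underflow can be observed without touching kernel memory. `legacy_check_vulnerable` reproduces the wrapping expression; `legacy_check_fixed` is a hardened form written for this example (the names, the sample lengths and the simulation harness are all constructed here). The simulation only accounts bytes; it never writes past a real buffer.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#ifndef PAGE_SIZE
#define PAGE_SIZE 4096
#endif

/* Vulnerable check, modelled on the expression quoted in the article.
 * size: bytes already accumulated in the page-sized buffer.
 * len:  length of the incoming parameter value.
 * Once size > PAGE_SIZE - 2, the right-hand side wraps to a huge
 * unsigned value and the comparison never rejects anything. */
bool legacy_check_vulnerable(size_t size, size_t len)
{
    if (len > PAGE_SIZE - 2 - size)
        return false;   /* rejected */
    return true;        /* accepted */
}

/* Hardened form (constructed for this example): the same intent, written
 * so that no subtraction can wrap and no addition can overflow. */
bool legacy_check_fixed(size_t size, size_t len)
{
    if (size > PAGE_SIZE || len > PAGE_SIZE)
        return false;
    if (size + len + 2 > PAGE_SIZE)   /* value plus separator and '=' */
        return false;
    return true;
}

/* Simulates appending a sequence of parameter values into one page.
 * Returns the number of bytes the final state would extend past the page
 * (0 means everything stayed in bounds), or -1 if the check rejected one. */
long simulate_appends(bool (*check)(size_t, size_t), const size_t *lens, int n)
{
    size_t size = 0;
    for (int i = 0; i < n; i++) {
        if (!check(size, lens[i]))
            return -1;
        size += lens[i] + 2;   /* value plus separator and '=' */
    }
    return size > PAGE_SIZE ? (long)(size - PAGE_SIZE) : 0;
}

/* Constructed sample: a first value that nearly fills the page (size becomes
 * 4095, past the 4094 threshold named in the article), then a second one. */
static const size_t sample_lens[2] = { 4093, 100 };

long demo_vulnerable(void) { return simulate_appends(legacy_check_vulnerable, sample_lens, 2); }
long demo_fixed(void)      { return simulate_appends(legacy_check_fixed, sample_lens, 2); }

int main(void)
{
    printf("vulnerable check: %ld bytes past the page\n", demo_vulnerable());
    printf("fixed check:      %ld (-1 = second value rejected)\n", demo_fixed());
    return 0;
}
```

With the vulnerable check the second value is accepted because `4094 - 4095` wraps, and the accounting shows 101 bytes landing past the page; the hardened check rejects it at the same point.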

Ever since 2022 started, my teammates and I decided to find a 0-day in 2022. We weren't sure how to start, but since our team had a lot of familiarity with Linux kernel vulnerabilities, we decided to just buy some dedicated servers and run Google's syzkaller fuzzer. On January 6 at 10:30 PM PST, chop0 got a KASAN failure report in legacy_parse_param: slab-out-of-bounds write in legacy_parse_param. It seems syzbot had found this problem only 6 days earlier while fuzzing Android, but the problem was not fixed and we thought nobody had noticed.

Finally, it is worth noting that the problem has been present since Linux kernel version 5.1 and has been resolved in the updates released a few days ago as versions 5.16.2, 5.15.16, 5.10.93 and 5.4.173.

Package updates fixing the vulnerability have already been released for RHEL, Debian, Fedora and Ubuntu, while a fix is not yet available in Arch Linux, Gentoo, SUSE and openSUSE.

As a protective measure for systems that do not use container isolation, you can set the sysctl value "user.max_user_namespaces" to 0:
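As an added example (not part of the original article, and not a tool of any distribution), the following C program checks the two facts the article relies on: whether the running kernel is older than the fixed release for its stable series (5.16.2, 5.15.16, 5.10.93, 5.4.173) and whether unprivileged user namespace creation is still allowed via `user.max_user_namespaces`. The function names, the `FIXED` table and the sample version strings are constructed for this example; the sysctl is read from its `/proc/sys/user/max_user_namespaces` file. The version comparison is only a first pass: distributions often backport fixes without changing the upstream version number, so a kernel reported as affected here still needs to be checked against the vendor's advisory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/utsname.h>

/* Fixed releases listed in the article, one per stable series. */
struct fixed_release { int major, minor, patch; };
static const struct fixed_release FIXED[] = {
    {5, 16, 2}, {5, 15, 16}, {5, 10, 93}, {5, 4, 173},
};

/* Parse the leading "major.minor[.patch]" of a release string such as
 * "5.10.92-generic"; returns 0 on success, -1 if unparseable. */
int parse_release(const char *s, int *maj, int *min, int *pat)
{
    *pat = 0;
    int n = sscanf(s, "%d.%d.%d", maj, min, pat);
    return n >= 2 ? 0 : -1;
}

/* Returns 1 if the kernel release is in the affected range (>= 5.1 and
 * below the fix for its series), 0 if older than 5.1 or already fixed,
 * -1 if the series is not one of the listed stable series (unknown). */
int kernel_is_affected(const char *release)
{
    int maj, min, pat;
    if (parse_release(release, &maj, &min, &pat) != 0)
        return -1;
    if (maj < 5 || (maj == 5 && min < 1))
        return 0;                 /* predates the bug */
    for (size_t i = 0; i < sizeof FIXED / sizeof FIXED[0]; i++) {
        if (FIXED[i].major == maj && FIXED[i].minor == min)
            return pat < FIXED[i].patch ? 1 : 0;
    }
    return -1;                    /* series not listed: consult the vendor */
}

/* Reads user.max_user_namespaces from /proc; returns -1 if unreadable
 * (for example on a kernel built without user namespaces). */
long read_max_user_namespaces(void)
{
    FILE *f = fopen("/proc/sys/user/max_user_namespaces", "r");
    if (!f)
        return -1;
    long v = -1;
    if (fscanf(f, "%ld", &v) != 1)
        v = -1;
    fclose(f);
    return v;
}

int main(void)
{
    struct utsname u;
    if (uname(&u) != 0) {
        perror("uname");
        return 1;
    }
    int state = kernel_is_affected(u.release);
    long ns = read_max_user_namespaces();

    printf("kernel %s: %s\n", u.release,
           state == 1 ? "older than the fix for its series (verify vendor backports)"
         : state == 0 ? "not in the affected range"
         : "series not in the article's list; check the vendor advisory");
    if (ns < 0)
        printf("user.max_user_namespaces: unreadable\n");
    else
        printf("user.max_user_namespaces = %ld (%s)\n", ns,
               ns == 0 ? "unprivileged user namespace creation disabled"
                       : "user namespace creation allowed");
    if (state == 1 && ns != 0)
        printf("mitigation until updated: sysctl -w user.max_user_namespaces=0\n");
    return 0;
}
```

Setting the sysctl to 0 removes the unprivileged path to CAP_SYS_ADMIN inside a user namespace, which is why the article offers it for systems that do not rely on container isolation; systems that do need user namespaces must instead take the kernel update.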

The researcher who discovered the problem has published a demo exploit that allows code to run as root on Ubuntu 20.04 in its default configuration. The exploit code is planned to be published on GitHub one week after the distributions release updates that fix the vulnerability.

Finally, if you are interested in learning more about it, you can check the details at the following link.

  1. Galician m

    Yet another reason not to touch it even with a stick.