A vulnerability was found in the Linux kernel tty subsystem

Researchers from the Google Project Zero team recently published, in a blog post, a new method for exploiting a vulnerability (CVE-2020-29661) in the implementation of the TIOCSPGRP ioctl handler of the Linux kernel tty subsystem, together with a detailed look at the protection mechanisms that could block vulnerabilities of this kind.

The post explains that the problem comes from an error in the locking setup, which leads to a race condition in the /tty/tty_jobctrl.c code. That race was used to create the conditions for accessing memory after it had been freed (use-after-free), which was then exploited from user space by manipulating the ioctl through the TIOCSPGRP call.

Alongside the published analysis, a working exploit for privilege escalation was demonstrated on Debian 10 with kernel 4.19.0-13-amd64, and it is not ruled out that other distributions, including those derived from Debian, could be affected.

Most of the individual exploitation techniques and mitigation options I describe here are not novel. However, I think it is worthwhile to write them up together to show how the various mitigations interact with a fairly ordinary exploit.

The code snippets in this blog post that are relevant to the exploit are taken from the upstream version 4.19.160, since that is what the targeted Debian kernel is based on; some other code snippets are from Linux mainline.

At the same time, the emphasis of the published article is not so much on the technique for building a working exploit as on which tools exist in the kernel to protect against this kind of vulnerability.

The conclusion is disappointing: it notes that methods such as segregating allocations in the heap and tracking memory accesses after an object is freed are not applied in practice because of the performance cost they incur, and that protections based on CFI (Control Flow Integrity), which block the later stages of an attack, still need improvement.

A special type of terminal device is the pseudo-terminal, which is used when, for example, you open a terminal application in a graphical environment or connect to a remote machine over SSH. While other terminal devices are attached to some kind of hardware, both ends of a pseudo-terminal are controlled by user space, and user space can freely (without privileges) create pseudo-terminals.

Whenever /dev/ptmx (short for "pseudo-terminal multiplexer") is opened, the resulting file descriptor represents the device side (referred to in the documentation and the kernel sources as the "pseudo-terminal master") of a new pseudo-terminal.

The corresponding terminal device (the one a shell usually connects to) is automatically created by the kernel under /dev/pts/.

Looking at what could make a difference in the long term, the focus is on using specialized verifiers or memory-safe languages such as Rust, or C with additional annotations (such as Checked C), to build checkers for state, locks, objects and pointers. Among the protective measures, the post also mentions enabling panic_on_oops, making kernel structures read-only, and restricting access to system calls through mechanisms such as seccomp.

The bug behind the problem was fixed in the Linux kernel on December 3 of last year. It manifests in kernels before version 5.9.13, but most distributions fixed it in the kernel package updates issued last year.

A similar vulnerability (CVE-2020-29660), found at the same time in the implementation of the TIOCGSID ioctl call, is also mentioned; it too has already been fixed everywhere.

Finally, if you are interested in learning more about it, you can check the details at the following link.

