Andrey Konovalov Akafumura 15 Mamwe Mabhodhi MuLinux Kernel USB Dhirairi

Darkcrizt

4 maminitsi

linuxusb

Andrei Konovalov muongorori wezvekuchengetedza Google nguva ichangopfuura yakaburitsa mushumo pamusoro pekuzivikanwa kwe 15 kushushikana (CVE-2019-19523 - CVE-2019-19537) pane madhiraivha e USB akapihwa muLinux kernel. Uyu ndicho chikamu chechitatu chematambudziko anowanikwa panguva yekuyedzwa kwekuyedza yeiyo USB stack mune syzkaller package iyo yaimbove, uyu muongorori anga atozivisa kare 29 kudzvinyirira uye kwatakatotaura kare pano pablog.

Nyaya dzakaburitswa kare dzakatsanangurwa nemuongorori wezvekuchengetedza kuti zvikanganiso izvi zvinogona kushandisirwa kana madhivha eUSB akagadzirirwa mukomputa.

Kurwisa kunogoneka kana paine mukana wekupinda mukomputa uye inogona kutungamira kune imwechete kernel kupunzika, asi kumwe kuratidzwa hakusi kubviswa (semuenzaniso, kune njodzi yakafanana yakaratidzwa mu2016, mutyairi weUSB snd-usbmidi akakwanisa kugadzirira kushandisa kushandisa kodhi padanho re kernel).

Mune uyu mushumo mutsva naAndrey Konovalov, iyo rondedzero inosanganisira chete kushomeka kunokonzerwa nekuwana dzakatoburitswa ndangariro nzvimbo (use-after-free) kana kutungamira kune data leakage kubva kune kernel memory.

Nyaya dzinogona kushandiswa pakuramba sevhisi havana kuisirwa mushumo. Izvo zvinokuvadza zvinogona kuve zvichishandiswa kana zvakagadzirirwa zvakagadzirirwa USB zvishandiso zvakabatana nekombuta. Kugadziriswa kwematambudziko ese ataurwa mushumo kwakatoverengerwa muiyo kernel, asi zvimwe zvipembenene zvisina kuisirwa mushumo hazvisati zvagadziriswa.

Mazhinji madhiri muLinux kernel USB madhiraivha anogona kukonzereswa neyakaipa yekunze USB kadhi yakawanikwa iine syzkaller… Yese mabegi aya akagadziriswa kumusoro kwerwizi (asi mamwe akawanda syzbot USB bugs haasati agadziriswa).

Izvo zvinokuvadza zvakanyanya kushandisa mushure mekusunungura izvo zvinogona kutungamira mukuitwa kwekodhi yekurwisa yakagadziriswa mune madhiraivha adutux, ff-memless, ieee802154, pn533, hiddev, iowarrior, mcba_usb uye yurex.

Pasi peCVE-2019-19532, gumi nemana ekuwedzera kushupika akapfupikiswa mune HID madhiraivha nekuda kwekunze-kwe-miganho zvikanganiso. Vanodzora ttusb_dec, pcan_usb_fd uye pcan_usb_pro vakasangana nematambudziko anotungamira kune data leakage kubva kune kernel memory. Iyo USB stack kodhi yekushanda nehunhu michina yakaratidza nyaya (CVE-2019-19537) inokonzerwa nemamiriro emujaho.

CVE-2019-19523

MuLinux kernel pamberi pa5.3.7, pane kukanganisa kwekushandisa kunogona kukonzerwa neiyo yakaipa USB chishandiso en vatyairi / usb / misc / adutux.c, inozivikanwawo seCID-44efc269db79.

CVE-2019-19524

MuLinux kernel pamberi pa5.3.12, pane kukanganisa kwekushandisa kunogona kukonzereswa neyakaipisisa USB chishandiso mu /input/ff-memless.c mutyairi, inozivikanwawo seCID-fa3a5a1880c9.

CVE-2019-19532

MuLinux kernel pamberi pa5.3.9, pane akawanda kunze kwemiganhu nyora zvikanganiso izvo zvinogona kukonzerwa neyakaipa USB chishandiso muLinux kernel HID madhiraivha, inozivikanwawo seCID-d9d4b1e46d95. Izvi zvinokanganisa:

drivers / hid / hid-axff.c, drivers / hid / hid-dr.c, vatyairi / vakavanda / hid-emsff.c

driver / hid / hid-gaff.c, drivers / hid / hid-holtekff.c

driver / hid / hid-lg2ff.c, drivers / hid / hid-lg3ff.c

driver / hid / hid-lg4ff.c, drivers / hid / hid-lgff.c

drivers / hid / hid-logitech-hidpp.c, drivers / hid / hid-Microsoft.c

driver / hid / hid-sony.c, driver / hid / hid-tmff.c

driver / hid / hid-zpff.c.

Isu tinogona zvakare kucherechedza kuoneswa kweanokuvadzwa mana (CVE-2019-14895, CVE-2019-14896, CVE-2019-14897, CVE-2019-14901) pane mutungamiriri weMarvell wireless chips, izvo zvinogona kukonzera buffer kufashukira.

Kurwisa kunogona kuitwa kure kutumira mafuremu akaumbwa neimwe nzira kana uchibatanidza kune inorwisa isina waya yekuwana poindi. Icho chingangotyisidzira ndiko kuramba basa riri kure (kernel crash), asi mukana wekumhanyisa kodhi pane ino system haubvisirwe kunze.

Parizvino matambudziko anoramba asina kugadziriswa ayo akange atoburitswa mazuva akati wandei apfuura mukuparadzirwa (Debian, Ubuntu, Fedora, RHEL, SUSE) vari kutoshanda kugadzirisa zvikanganiso. Kunyangwe chigamba chatove chakarongedzerwa kuti chiiswe muLinux Kernel yeshanduro dzinotevera.

Kana iwe uchida kuziva zvakawanda nezve zvikanganiso zvakawanikwa, unogona kutarisa iro rekutanga chinyorwa mu next link uye izvi imwe link.


Siya yako yekutaura

Your kero e havazobvumirwi ichibudiswa. Raida minda anozivikanwa ne *

*

*

  1. Inotarisira data: AB Internet Networks 2008 SL
  2. Chinangwa cheiyo data: Kudzora SPAM, manejimendi manejimendi.
  3. Legitimation: Kubvuma kwako
  4. Kutaurirana kwedata
  5. Dhata yekuchengetedza: Dhatabhesi inobatwa neOccentus Networks (EU)
  6. Kodzero: Panguva ipi neipi iwe unogona kudzora, kupora uye kudzima ruzivo rwako

  1.   Aritz akadaro
    inoita 4 makore

    "MuLinux kernel pamberi pa5.3.9, pane dzakawanda kunze kwemiganhu nyora zvikanganiso". Ndokumbirawo ugadzirise, David.

    Pindura kuna Aritz