Vulnerability in the Linux kernel's Netfilter subsystem

A vulnerability (CVE-2021-22555) has been found in Netfilter, the Linux kernel subsystem used to filter and rewrite network packets. It allows a local user to gain root privileges on the system, including from inside an isolated container. A working exploit prototype that bypasses KASLR, SMAP and SMEP has been prepared for testing. The researcher who found the vulnerability received a $10,000 reward from Google for finding a way to escape Kubernetes container isolation in the kCTF cluster.

The problem has existed since kernel 2.6.19, released 15 years ago. It is caused by a bug in the IPT_SO_SET_REPLACE and IP6T_SO_SET_REPLACE handlers that leads to a heap buffer overflow when specially crafted parameters are passed through a setsockopt call in compat mode (the 32-bit system call interface of a 64-bit kernel). Under normal conditions only root can reach compat_setsockopt() for these options, but the privilege the attack needs (CAP_NET_ADMIN in a network namespace) can also be obtained by an unprivileged user on systems that support unprivileged user namespaces.

A user can create a container with its own root user and exploit the vulnerability from there. For example, unprivileged user namespaces are enabled by default on Ubuntu and Fedora, but not on Debian and RHEL; whether an unprivileged account on a given host can create one is easy to verify by simply trying to create a user namespace as that account. The patch fixing the vulnerability was merged into the Linux kernel on 13 April. Debian, Arch Linux and Fedora have already published package updates; updates for Ubuntu, RHEL and SUSE are in preparation.

The problem is in the xt_compat_target_from_user() function (the same padding logic in xt_compat_match_from_user() was fixed alongside it) and stems from an incorrect size calculation when kernel structures are written out after conversion from the 32-bit to the 64-bit representation. The bug lets four zero bytes be written past the end of the allocated buffer, at an offset of up to 0x4C. That primitive turned out to be enough to build an exploit that yields root: by zeroing the m_list->next pointer in a msg_msg structure, the researcher created a use-after-free condition, which was then used to leak address information and to modify other kernel structures through manipulation of the msgsnd() system call.
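The following user-space model, added here as an illustration and not taken from the kernel or from the researcher's exploit, rebuilds the padding arithmetic of xt_compat_target_from_user() so the out-of-bounds zero write and the effect of the fix can be observed on any host. It assumes the x86_64 constants (XT_ALIGN rounds to 8, COMPAT_XT_ALIGN to 4, a 32-byte target header shared by the native and compat layouts) and a constructed 64-byte ruleset blob followed by canary bytes; the scenario in which the blob reserves only the compat size for the last target is likewise constructed for the demonstration, not a description of the real trigger. The "fixed" variant follows the approach of the upstream fix: drop the per-target pad memset and zero the whole blob once.

```c
/*
 * User-space model of the padding arithmetic behind CVE-2021-22555.
 * Added illustration, not kernel code and not the exploit: it rebuilds the
 * size computations of xt_compat_target_from_user() so the out-of-bounds
 * zero write, and the effect of the fix, can be observed on any host.
 * The blob layout and sizes below are constructed for the demonstration.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Kernel constants on x86_64: XT_ALIGN rounds to 8, COMPAT_XT_ALIGN to 4.
 * The native and compat xt_entry_target headers (target_size, name[29],
 * revision) are both 32 bytes; the payload (t->data) starts right after. */
#define XT_ALIGN(s)        (((s) + 7u) & ~7u)
#define COMPAT_XT_ALIGN(s) (((s) + 3u) & ~3u)
#define TARGET_HDR         32u

#define BLOB_SIZE 64u   /* constructed size of the converted ruleset blob */
#define GUARD     16u   /* canary bytes modelling whatever follows the blob */

struct blob {
    uint8_t data[BLOB_SIZE];
    uint8_t guard[GUARD];
};

static void blob_init(struct blob *b) {
    memset(b->data, 0xAA, BLOB_SIZE);   /* kvmalloc(): contents not zeroed */
    memset(b->guard, 0xCC, GUARD);
}

/* Count guard bytes that were zeroed, i.e. bytes written past the blob. */
static int guard_clobbered(const struct blob *b) {
    int n = 0;
    for (unsigned i = 0; i < GUARD; i++)
        n += (b->guard[i] == 0x00);
    return n;
}

/* Vulnerable conversion (pre-fix logic): copy the user-sized target into the
 * blob, then zero the alignment pad at data + targetsize. targetsize is the
 * kernel's size for this target type; nothing checks that the pad is still
 * inside the blob. Returns the number of bytes zeroed past the blob, or -1
 * if the copy itself would not fit (rejected earlier by the kernel's offset
 * checks; that is not the bug). */
static int convert_vulnerable(struct blob *b, unsigned dst_off,
                              unsigned targetsize, unsigned user_tsize) {
    uint8_t src[64];                      /* constructed compat target bytes */
    memset(src, 0x11, sizeof src);
    if (user_tsize > sizeof src || dst_off + user_tsize > BLOB_SIZE)
        return -1;
    uint8_t *t = b->data + dst_off;
    memcpy(t, src, user_tsize);
    unsigned pad = XT_ALIGN(targetsize) - targetsize;
    if (pad > 0)
        memset(t + TARGET_HDR + targetsize, 0, pad);  /* the CVE-2021-22555 write */
    return guard_clobbered(b);
}

/* Fixed conversion, following the upstream fix: the per-target pad memset is
 * gone and the whole blob is zeroed once up front, so padding is already zero
 * and no write position depends on targetsize. */
static int convert_fixed(struct blob *b, unsigned dst_off,
                         unsigned targetsize, unsigned user_tsize) {
    (void)targetsize;
    uint8_t src[64];
    memset(src, 0x11, sizeof src);
    if (user_tsize > sizeof src || dst_off + user_tsize > BLOB_SIZE)
        return -1;
    memset(b->data, 0, BLOB_SIZE);
    memcpy(b->data + dst_off, src, user_tsize);
    return guard_clobbered(b);
}

/* Scenario: a target whose kernel payload is 4 bytes (a verdict-sized target),
 * so XT_ALIGN(4) - 4 = 4 pad bytes, placed as the last object in a blob that
 * reserved only the compat size (32 + COMPAT_XT_ALIGN(4) = 36 bytes) for it. */
static unsigned scenario_tsize(void) { return TARGET_HDR + COMPAT_XT_ALIGN(4u); }

int demo_overflow_bytes(void) {
    struct blob b; blob_init(&b);
    return convert_vulnerable(&b, BLOB_SIZE - scenario_tsize(), 4, scenario_tsize());
}

int demo_fixed_bytes(void) {
    struct blob b; blob_init(&b);
    return convert_fixed(&b, BLOB_SIZE - scenario_tsize(), 4, scenario_tsize());
}

/* Same target placed first in the blob: the pad lands inside the blob. */
int demo_in_bounds_bytes(void) {
    struct blob b; blob_init(&b);
    return convert_vulnerable(&b, 0, 4, scenario_tsize());
}

int main(void) {
    printf("pre-fix, last object : %d zero byte(s) past the blob\n", demo_overflow_bytes());
    printf("pre-fix, first object: %d zero byte(s) past the blob\n", demo_in_bounds_bytes());
    printf("post-fix, last object: %d zero byte(s) past the blob\n", demo_fixed_bytes());
    return 0;
}
```

The point the model makes is the one the advisory describes: the pad write is positioned by the kernel's own targetsize, not by the user-supplied compat size that determined how much room the blob has, so the last object in a ruleset can push four zero bytes past the allocation. Pre-zeroing the blob removes the write entirely rather than trying to bound it.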

source: budenet.ru
