Vulnerability in the Linux kernel that allows corrupting read-only files

A vulnerability has been identified in the Linux kernel (CVE-2022-0847) that allows overwriting the contents of the page cache for any file, including files that are read-only, opened with the O_RDONLY flag, or located on a filesystem mounted read-only. In practice, the vulnerability can be used to inject code into arbitrary processes or to corrupt data in opened files. For example, the contents of the authorized_keys file used by the sshd process can be changed. A prototype exploit is available for testing.

The problem has been named Dirty Pipe, by analogy with the dangerous Dirty COW vulnerability discovered in 2016. It is noted that in terms of severity Dirty Pipe is on a par with Dirty COW, but it is easier to exploit. The vulnerability was identified while investigating complaints about periodic corruption of files downloaded over the network on a system that fetched compressed archives from a log server (37 corruptions in 3 months on a loaded system); the archives were prepared using the splice() function and unnamed pipes.

The vulnerability is present starting with Linux kernel 5.8, released in August 2020, i.e. it affects Debian 11 but does not affect the base kernel in Ubuntu 20.04 LTS. The RHEL 8.x and openSUSE/SUSE 15 kernels were originally based on older branches, but it is possible that the change causing the problem was backported into them (no exact details yet). The publication of package updates in distributions can be tracked on these pages: Debian, SUSE, Ubuntu, RHEL, Fedora, Gentoo, Arch Linux. A fix for the vulnerability is proposed in releases 5.16.11, 5.15.25 and 5.10.102. The fix is also included in the kernel used on the Android platform.
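The version boundaries above (first affected release 5.8; fixed releases 5.16.11, 5.15.25 and 5.10.102) are what an administrator needs for a first triage of a fleet. The following script is an added example, not part of the original article or of any distribution's tooling: it classifies a `uname -r` style release string against those boundaries. Its distribution-suffix heuristic, its function names and the assumption that mainline branches newer than 5.16 already carry the fix are all assumptions of this example. Because distribution kernels such as Debian's `5.10.0-11-amd64` do not expose the upstream patch level in the release string, and because the article itself notes that RHEL and SUSE may have backported the faulty change, the script deliberately answers "check-distro-advisory" in those cases instead of guessing.

```python
import platform
import re

# Versions named in the article above: first affected mainline release and
# the stable releases that carry the fix, keyed by stable branch.
FIRST_AFFECTED = (5, 8, 0)
FIXED_BY_BRANCH = {
    (5, 16): (5, 16, 11),
    (5, 15): (5, 15, 25),
    (5, 10): (5, 10, 102),
}

# Distribution package suffixes (constructed, non-exhaustive heuristic). A
# release string like "5.10.0-11-amd64" carries the package ABI number, not
# the upstream patch level, so its numbers alone cannot prove anything.
DISTRO_SUFFIX = re.compile(r"(-\d+-\w+|\.el\d|\.fc\d+)")


def parse_kernel_version(release):
    """Return (major, minor, patch) from a `uname -r` style string."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def dirty_pipe_status(release):
    """Classify a kernel release string against the versions the article names.

    Returns (verdict, explanation). Verdicts are "fixed", "vulnerable",
    "not-affected" and "check-distro-advisory".
    """
    v = parse_kernel_version(release)
    branch = v[:2]
    packaged = DISTRO_SUFFIX.search(release) is not None

    if v < FIRST_AFFECTED:
        return ("not-affected",
                "base version predates 5.8; still confirm the distro did not backport the faulty change")

    if branch in FIXED_BY_BRANCH:
        fixed = FIXED_BY_BRANCH[branch]
        fixed_str = ".".join(map(str, fixed))
        if v >= fixed:
            return ("fixed", f"{release} is at or above the fixed release {fixed_str}")
        if packaged:
            return ("check-distro-advisory",
                    "distribution kernel: the release string does not carry the upstream patch level")
        return ("vulnerable", f"below fixed release {fixed_str} in the {branch} branch")

    if branch > (5, 16):
        # Assumption of this example: mainline branches newer than 5.16 contain the fix.
        return ("fixed", "branch newer than the last stable branch named in the advisory")

    if packaged:
        return ("check-distro-advisory",
                "affected branch with no named upstream fix; the vendor may have backported one")
    return ("vulnerable", f"branch {branch} is affected and no fixed release is named for it")


if __name__ == "__main__":
    # Classify the running kernel; platform.release() returns `uname -r` on Linux.
    verdict, why = dirty_pipe_status(platform.release())
    print(f"{platform.release()}: {verdict} ({why})")
```

Run it as-is on a host to classify the running kernel, or call `dirty_pipe_status()` on release strings collected from inventory. Treat "check-distro-advisory" as an action item, not a pass: the vendor pages linked in the article are the authority for packaged kernels.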

The vulnerability is caused by the missing initialization of the `buf->flags` field in the code of the copy_page_to_iter_pipe() and push_pipe() functions: memory is not cleared when the structure is allocated, so after certain manipulations of an unnamed pipe the field can hold a value left over from another operation. Using this behaviour, an unprivileged local user can cause the PIPE_BUF_FLAG_CAN_MERGE value to appear in the flags, which makes it possible to overwrite data in the page cache simply by writing new data into a specially prepared unnamed pipe.

For the attack, the target file must be readable, and since access rights are not checked when writing to a pipe, the substitution in the page cache can also be performed for files located on partitions mounted read-only (for example, files on a CD-ROM). After the data in the page cache has been replaced, a process reading from the file will receive not the original data but the substituted data.

The exploitation boils down to creating an unnamed pipe and filling it with arbitrary data so that the PIPE_BUF_FLAG_CAN_MERGE flag is set in all ring structures associated with it. The data is then read back from the pipe, but the flag remains set in all instances of the pipe_buffer structure in the pipe_inode_info ring. Next, splice() is called to read data from the target file into the unnamed pipe, starting at the desired offset. When data is then written to this unnamed pipe, because the PIPE_BUF_FLAG_CAN_MERGE flag is set, the data in the page cache is overwritten instead of a new pipe_buffer structure instance being created.

source: budenet.ru