The Dirty Frag vulnerability: modifying the page cache to gain root access on all Linux distributions

Two vulnerabilities have been identified in the Linux kernel. They are similar to the Copy Fail vulnerability disclosed a few days ago, but affect different subsystems: xfrm-ESP and RxRPC. The pair has been named Dirty Frag (also known as Copy Fail 2). The vulnerabilities allow an unprivileged user to gain privileges by overwriting system data in the page cache. A working exploit exists for all current Linux distributions. The vulnerabilities were disclosed before a patch was published, but a workaround is available.

Dirty Frag consists of two separate vulnerabilities: the first in the xfrm-ESP subsystem, which is used to accelerate IPsec encryption operations with the ESP (Encapsulating Security Payload) protocol, and the second in the RxRPC driver, which implements the AF_RXRPC socket family and the RPC protocol of the same name, running over UDP. Each vulnerability, taken on its own, allows root privileges to be obtained. The xfrm-ESP vulnerability has been present in the Linux kernel since January 2017, and the RxRPC vulnerability since June 2023. Both problems are caused by optimizations that allow writing directly into the page cache.

To exploit the xfrm-ESP vulnerability, the user must be allowed to create namespaces, and to exploit the RxRPC vulnerability the rxrpc.ko kernel module must be loaded. For example, on Ubuntu, AppArmor rules prevent unprivileged users from creating namespaces, but the rxrpc.ko module is loaded by default. Some distributions do not ship the rxrpc.ko module but do not block namespace creation. The researcher who discovered the problem created a combined exploit that attacks a system through either vulnerability, which makes exploitation possible on all major distributions. The exploit has been confirmed to work on Ubuntu 24.04.4 with kernel 6.17.0-23, RHEL 10.1 with kernel 6.12.0-124.49.1, openSUSE Tumbleweed with kernel 7.0.2-1, CentOS Stream 10 with kernel 6.12.0-224, AlmaLinux 10 with kernel 6.12.0-124.52.3, and Fedora 44 with kernel 6.19.14-300.

As with the Copy Fail vulnerability, the problems in xfrm-ESP and RxRPC are caused by in-place encryption of data when using the splice() system call, which transfers data between file descriptors and pipes without copying, by passing references to page cache contents. The optimizations were implemented without proper checks accounting for the use of direct references to page cache contents, which allows a specially crafted request to overwrite 4 bytes at a chosen offset and thereby modify the contents of any file held in the page cache.

All file read operations return the page cache contents first. If data in the page cache has been modified, file reads return the substituted data rather than the actual data stored on the drive. Exploitation comes down to modifying the page cache for an executable carrying the suid root flag. For example, to obtain root privileges, one can read the /usr/bin/su executable so that it is placed in the page cache, then replace the code in the copy of that file held in the page cache. The next execution of the "su" utility loads the modified copy from the page cache into memory, not the original executable from the drive.

Disclosure of the vulnerability and release of a patch were planned for May 12, but because of an information leak, details had to be published before the patch was released. In late April, patches for rxrpc, ipsec and xfrm were submitted to the public netdev mailing list without any mention that they were related to a vulnerability. On May 5, the IPsec subsystem maintainer accepted a change into the netdev Git repository with a proposed fix in the xfrm-esp subsystem. The change description matched the description of the problem behind the Copy Fail vulnerability in the algif_aead subsystem. A security researcher took interest in this fix, managed to create a working exploit and published it, unaware that an embargo on disclosing details of the problem was in effect until May 12.

Updates with the fix for the kernel and linux packages in distributions have not yet been published, but patches addressing the problems are available: xfrm-esp and rxrpc. No CVE identifiers have been assigned, which complicates tracking package updates across distributions. As a workaround, you can block loading of the esp4, esp6 and rxrpc kernel modules: sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true"
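As an added example (not from the article or from the kernel project), a POSIX shell audit script that checks whether the workaround above is actually in effect on a host: it verifies that esp4, esp6 and rxrpc are absent from /proc/modules and that each has an "install <module> /bin/false" rule under /etc/modprobe.d. The module listing and rule file used as samples are constructed.

```shell
#!/bin/sh
# Added example, not part of the article: audit the Dirty Frag workaround.
# Assumes the /proc/modules line format "name size refcount ..." and
# modprobe.d rules of the form "install <module> /bin/false". The check
# functions take file contents as arguments so they can run on sample text.

# Return 0 if none of the given modules appear in a /proc/modules listing.
modules_absent() {
  modlist="$1"; shift
  rc=0
  for m in "$@"; do
    if printf '%s\n' "$modlist" | grep -q "^$m "; then
      echo "WARN: module $m is loaded"
      rc=1
    fi
  done
  return $rc
}

# Return 0 if every given module has an "install <mod> /bin/false" rule
# somewhere in the concatenated modprobe.d configuration text.
install_blocked() {
  conf="$1"; shift
  rc=0
  for m in "$@"; do
    if ! printf '%s\n' "$conf" | grep -Eq "^[[:space:]]*install[[:space:]]+$m[[:space:]]+/bin/false([[:space:]]|$)"; then
      echo "WARN: no 'install $m /bin/false' rule found"
      rc=1
    fi
  done
  return $rc
}

# Run both checks against the live host; non-zero means the workaround is incomplete.
check_host() {
  ok=0
  modules_absent "$(cat /proc/modules 2>/dev/null)" esp4 esp6 rxrpc || ok=1
  install_blocked "$(cat /etc/modprobe.d/*.conf 2>/dev/null)" esp4 esp6 rxrpc || ok=1
  return $ok
}

# Constructed samples: a host where rxrpc is still loaded, and the rule file
# produced by the article's workaround command.
SAMPLE_MODULES='rxrpc 389120 0 - Live 0xffffffffc0a00000
xt_conntrack 16384 1 - Live 0xffffffffc0900000'
SAMPLE_CONF='install esp4 /bin/false
install esp6 /bin/false
install rxrpc /bin/false'

if [ "${1:-}" = "--live" ]; then check_host; fi
```

Run with --live on a host; note that rmmod fails for a module that is in use (for example by an active IPsec tunnel), so a host where the modules remain loaded stays exposed until they are unloaded or the system is rebooted.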

source: budenet.ru