15 Vulnerabilities in USB Drivers Provided in the Linux Kernel

Andrey Konovalov of Google has published a report on the identification of 15 more vulnerabilities (CVE-2019-19523 - CVE-2019-19537) in USB drivers provided in the Linux kernel. This is the third batch of problems found during fuzz testing of the USB stack in the syzkaller package; the researcher had previously reported the presence of 29 vulnerabilities.

This time the list includes only vulnerabilities caused by access to already freed memory areas (use-after-free) or leading to leakage of data from kernel memory. Issues that could be used for denial of service are not included in the report. The vulnerabilities can be exploited when specially prepared USB devices are connected to the computer. Fixes for all the problems mentioned in the report are already included in the kernel, but some bugs not included in the report remain unfixed so far.

The most dangerous use-after-free vulnerabilities, which could lead to execution of attacker code, have been fixed in the adutux, ff-memless, ieee802154, pn533, hiddev, iowarrior, mcba_usb and yurex drivers. CVE-2019-19532 additionally covers 14 vulnerabilities in HID drivers caused by errors that allow out-of-bounds writes. Problems leading to leakage of data from kernel memory were found in the ttusb_dec, pcan_usb_fd and pcan_usb_pro drivers. A problem (CVE-2019-19537) caused by a race condition has been identified in the USB stack code for working with character devices.

Additionally, four vulnerabilities (CVE-2019-14895, CVE-2019-14896, CVE-2019-14897, CVE-2019-14901) have been identified in the driver for Marvell wireless chips, which can lead to a buffer overflow. The attack can be carried out remotely by sending frames crafted in a certain way when connecting to a wireless access point. The main threat is a remote denial of service (kernel crash), but the possibility of code execution on the system cannot be ruled out.

Source: opennet.ru
