The University of Minnesota is banned from Linux kernel development for submitting questionable patches

Greg Kroah-Hartman, who is responsible for maintaining the stable branch of the Linux kernel, has decided to block the acceptance of any changes coming from the University of Minnesota into the Linux kernel, and to revert all previously accepted patches and re-review them. The reason for the block was the activity of a research group studying the possibility of pushing hidden vulnerabilities into the code of open-source projects. The group submitted patches containing various kinds of bugs, observed how the community reacted, and studied ways of getting the changes past review. According to Greg, conducting such experiments to introduce malicious changes is unacceptable and inappropriate.

The immediate trigger for the block was that members of the group submitted a patch that added a pointer check to prevent a possible double call of the "free" function. Given the context in which the pointer was used, the check was pointless. The purpose of submitting the patch was to see whether an incorrect change would be let through by the kernel developers. Besides this patch, there were other attempts by developers from the University of Minnesota to make questionable changes to the kernel, including ones related to adding hidden vulnerabilities.

The contributor who submitted the patches tried to justify himself by saying that he was testing a new static analyzer and that the change had been prepared on the basis of the results of testing with it. But Greg drew attention to the fact that the proposed fixes are not typical of the errors found by static analyzers, and that all of the submitted patches fix nothing at all. Since the research group in question has already tried to push patches with hidden vulnerabilities in the past, it is clear that it continued its experiments on the kernel development community.

Interestingly, the head of the group conducting the experiments has in the past taken part in legitimate fixes, for example identifying information leaks in the USB stack (CVE-2016-4482) and the networking subsystem (CVE-2016-4485). In a study on the propagation of vulnerabilities, the group from the University of Minnesota cites the example of CVE-2019-12819, a vulnerability caused by a kernel patch released in 2014. That fix added a call to put_device to the error-handling block in mdio_bus, but five years later it turned out that this change leads to the possibility of accessing memory after it has been freed ("use-after-free").

At the same time, the authors of the study state that in their work they summarised data on 138 patches that introduced bugs and had nothing to do with the study participants. Attempts to submit their own patches with bugs were limited to e-mail correspondence, and such changes did not make it into Git (if, after the patch was sent by e-mail, the maintainer considered it fine, he was then asked not to include the change because it contained a bug, after which a correct patch was sent).

Addendum 1: Judging by the activity of the author of the criticised patch, he has been sending patches to various kernel subsystems for a long time. For example, the radeon and nouveau drivers recently received changes that call pm_runtime_put_autosuspend(dev->dev) in an error block, possibly leading to the buffer being used after the memory associated with it has been freed.
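The failure mode behind the mdio_bus put_device case and the pm_runtime_put_autosuspend changes above is the same: an error path drops a reference that the caller's normal teardown also drops, so the object is released while still in use. The following is an added, simplified model written for this article (not kernel code, and not the research group's patches); dev_sim, register_sim and caller_sim are assumed names, and the "released" flag stands in for the memory actually being freed so the double drop can be observed safely.

```c
#include <stdio.h>

/* Constructed stand-in for a reference-counted kernel object (not struct device).
 * 'released' records that the release callback ran, i.e. the memory is gone. */
struct dev_sim {
    int refcount;
    int released;
};

static void dev_sim_init(struct dev_sim *d) {
    d->refcount = 1;   /* the caller owns one reference after allocation */
    d->released = 0;
}

/* Drop one reference. Returns 1 if this drop released the object, 0 if the
 * object is still alive, and -1 if the object had already been released:
 * in real code that last case is a use-after-free. */
static int dev_sim_put(struct dev_sim *d) {
    if (d->released)
        return -1;
    if (--d->refcount == 0) {
        d->released = 1;
        return 1;
    }
    return 0;
}

/* Registration that fails. With extra_put set, the error path drops the
 * reference itself, the pattern the 2014 mdio_bus fix introduced. */
static int register_sim(struct dev_sim *d, int fail, int extra_put) {
    if (fail) {
        if (extra_put)
            dev_sim_put(d);   /* extra drop: the caller will drop it again */
        return -1;
    }
    return 0;
}

/* Caller: on registration error it runs its usual teardown, which drops the
 * original reference. Returns the result of that final drop. */
static int caller_sim(int extra_put) {
    struct dev_sim d;
    dev_sim_init(&d);
    if (register_sim(&d, 1, extra_put) < 0)
        return dev_sim_put(&d);   /* -1 here means teardown touched freed memory */
    return 0;
}
```

caller_sim(1) reproduces the double drop (teardown hits an already released object), while caller_sim(0) shows the correct sequence in which only the caller's teardown releases the object.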

Addendum 2: Greg has reverted 190 commits associated with "@umn.edu" and initiated a re-review. The problem is that contributors with "@umn.edu" addresses did not only try to push questionable patches but also fixed real vulnerabilities, and reverting those changes could bring back security problems that had already been fixed. Some maintainers have already re-checked the reverted changes and found no problems, but one of the maintainers pointed out that one of the patches sent to him did contain bugs.

Source: opennet.ru
