Linux kernel vulnerability allows bypassing Chrome sandbox isolation

Security researchers from Google have discovered a vulnerability (CVE-2025-38236) in the Linux kernel that allows privilege escalation. Among other things, the vulnerability makes it possible to bypass the sandbox isolation mechanism used in Google Chrome and achieve kernel-level code execution when code runs in the context of Chrome's isolated renderer process (for example, when exploiting another vulnerability in Chrome). The issue appears starting with Linux kernel 6.9 and was fixed in Linux kernel updates 6.1.143, 6.6.96, 6.12.36, and 6.15.5. A prototype exploit is available for download.

The vulnerability was caused by a bug in the implementation of the MSG_OOB flag, which can be set on AF_UNIX sockets. The MSG_OOB ("out-of-band") flag allows additional bytes to be attached to the data being sent, which the receiver can read before the rest of the data has been received. This flag was added in the Linux 5.15 kernel at Oracle's request and was proposed for removal last year because it was not widely used.

Chrome's sandbox implementation permits operations on UNIX sockets and the send()/recv() system calls, in which the MSG_OOB flag was allowed together with other options and was not filtered separately. A bug in the MSG_OOB implementation allowed a use-after-free to occur after the following sequence of system calls:

    char dummy;
    int socks[2];
    socketpair(AF_UNIX, SOCK_STREAM, 0, socks);
    send(socks[1], "A", 1, MSG_OOB);
    recv(socks[0], &dummy, 1, MSG_OOB);
    send(socks[1], "A", 1, MSG_OOB);
    recv(socks[0], &dummy, 1, MSG_OOB);
    send(socks[1], "A", 1, MSG_OOB);
    recv(socks[0], &dummy, 1, 0);
    recv(socks[0], &dummy, 1, MSG_OOB);
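The filtering gap described above can be closed at the sandbox layer. The following is an added example, not code from Chrome or the kernel: a seccomp-BPF filter that keeps socket I/O available but fails any send/recv-family call whose flags include MSG_OOB, with a forked self-check. The names `deny_oob`, `install_deny_oob` and `oob_blocked_in_child` are hypothetical, and the filter assumes the native x86_64 or aarch64 syscall ABI.

```c
#include <errno.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#define LOAD(off) BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, off))
#define IS(nr, jt, jf) BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), (jt), (jf))

/* Added example. Assumes a little-endian native ABI (the load reads the low
 * 32 bits of the flags argument); a full policy also pins seccomp_data.arch. */
static struct sock_filter deny_oob[] = {
    LOAD(nr),
    IS(__NR_sendto, 7, 0),   IS(__NR_recvfrom, 6, 0),  /* flags in args[3] */
    IS(__NR_sendmmsg, 5, 0), IS(__NR_recvmmsg, 4, 0),  /* flags in args[3] */
    IS(__NR_sendmsg, 1, 0),  IS(__NR_recvmsg, 0, 5),   /* flags in args[2] */
    LOAD(args[2]),
    BPF_JUMP(BPF_JMP | BPF_JA, 1, 0, 0),               /* skip the args[3] load */
    LOAD(args[3]),
    BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, MSG_OOB, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

/* Install the filter for the calling process; returns 0 on success. */
int install_deny_oob(void) {
    struct sock_fprog prog = { sizeof deny_oob / sizeof deny_oob[0], deny_oob };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Self-check in a child: 1 = MSG_OOB denied while plain I/O still works,
 * 0 = filter not effective, -1 = fork, socketpair or filter setup failed. */
int oob_blocked_in_child(void) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        int s[2]; char c;
        if (socketpair(AF_UNIX, SOCK_STREAM, 0, s) || install_deny_oob()) _exit(2);
        int plain = send(s[1], "A", 1, 0) == 1 && recv(s[0], &c, 1, 0) == 1;
        int soob = send(s[1], "A", 1, MSG_OOB) == -1 && errno == EPERM;
        int roob = recv(s[0], &c, 1, MSG_OOB) == -1 && errno == EPERM;
        _exit(plain && soob && roob ? 0 : 1);
    }
    int st;
    if (waitpid(pid, &st, 0) != pid || !WIFEXITED(st) || WEXITSTATUS(st) == 2) return -1;
    return WEXITSTATUS(st) == 0;
}
```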

Source: opennet.ru
