University of Minnesota suspended from Linux kernel development for submitting questionable patches

Greg Kroah-Hartman, who is responsible for maintaining the stable branch of the Linux kernel, has decided to refuse any changes coming from the University of Minnesota into the Linux kernel, and also to revert all previously accepted patches and review them again. The reason for the block was the activity of a research group studying the possibility of promoting hidden vulnerabilities into the code of open source projects. The group submitted patches containing various kinds of bugs, observed the community's reaction, and studied ways to cheat the change review process. According to Greg, conducting such experiments to introduce malicious changes is unacceptable and unethical.

The block was triggered when members of this group sent a patch that added a pointer check to eliminate a possible double call of the "free" function. Given the context in which the pointer is used, the check was pointless. The purpose of submitting the patch was to see whether the erroneous change would pass review by the kernel developers. Besides this patch, other attempts by developers from the University of Minnesota to make dubious changes to the kernel have come to light, including ones related to the addition of hidden vulnerabilities.

The participant who sent the patches tried to justify himself by saying that he was testing a new static analyzer and that the change was prepared based on the results of testing in it. But Greg pointed out that the proposed fixes are not typical of errors detected by static analyzers, and that none of the submitted patches fix anything at all. Given that the research group in question has tried to push patches with hidden vulnerabilities in the past, it is clear that they have continued their experiments on the kernel development community.

Interestingly, in the past the leader of the group conducting the experiments was involved in legitimate vulnerability fixing, for example identifying information leaks in the USB stack (CVE-2016-4482) and the network subsystem (CVE-2016-4485). In the study of stealthy vulnerability propagation, the University of Minnesota team cites the example of CVE-2019-12819, a vulnerability caused by a kernel patch released in 2014. The fix added a put_device call to the error-handling block in mdio_bus, but five years later it turned out that such manipulation leads to access to the memory block after it has been freed ("use-after-free").
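The following added example (not code from the article, the study or the kernel) models the reference-count imbalance behind this bug class: a put placed in an error path drops a reference the caller still owns. All names are hypothetical, and the model assumes the caller holds the only reference and that registration fails.

```c
#include <stdio.h>

/* Toy model, hypothetical names; not the kernel's mdio_bus code. */
struct toy_dev {
    int refs;       /* reference count */
    int released;   /* set instead of calling free(), so late accesses
                       can be counted without undefined behaviour */
    int late_uses;  /* accesses observed after release */
};

static void toy_touch(struct toy_dev *d)
{
    if (d->released)
        d->late_uses++;          /* would be a use-after-free */
}

static void toy_put(struct toy_dev *d)
{
    toy_touch(d);                /* a put on a released object is also a late use */
    if (!d->released && --d->refs == 0)
        d->released = 1;         /* real code frees the memory here */
}

/* Registration that always fails (assumption of the model).
 * put_in_error_path models a put added to the error-handling block. */
static int toy_register(struct toy_dev *d, int put_in_error_path)
{
    if (put_in_error_path)
        toy_put(d);              /* drops the reference the caller still owns */
    return -1;
}

/* The caller holds the only reference and cleans up after a failure. */
int run_scenario(int put_in_error_path)
{
    struct toy_dev d = { .refs = 1, .released = 0, .late_uses = 0 };
    if (toy_register(&d, put_in_error_path) < 0) {
        toy_touch(&d);           /* cleanup reads a field of the object */
        toy_put(&d);             /* caller releases its own reference */
    }
    return d.late_uses;
}

int main(void)
{
    printf("put in error path: %d late uses\n", run_scenario(1));
    printf("caller-only put:   %d late uses\n", run_scenario(0));
    return 0;
}
```

When reviewing a patch that adds a put to an error path, the question to settle is which function owns the reference being dropped and whether the caller releases it again.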

At the same time, the authors of the study state that in their work they summarized data on 138 patches that introduced errors and were not related to the study participants. Attempts to send their own patches with errors were limited to e-mail correspondence, and such changes did not get into Git (if, after the patch was sent by e-mail, the maintainer considered the patch normal, he was then asked not to include the change because it contained an error, after which they sent the correct patch).

Addendum 1: Judging by the activity of the author of the criticized patch, he has been sending patches to various kernel subsystems for a long time. For example, the radeon and nouveau drivers recently received changes with a call to pm_runtime_put_autosuspend(dev->dev) in an error block, possibly causing the buffer to be used after the memory associated with it has been freed.

Addendum 2: Greg has reverted 190 changes associated with "@umn.edu" and started re-reviewing them. The problem is that contributors with "@umn.edu" addresses did not only experiment with pushing questionable patches but also fixed real vulnerabilities, and reverting the changes could bring back previously fixed security issues. Some maintainers have already re-checked the reverted changes and found no problems, but one of the developers indicated that one of the patches sent to him contained errors.

Source: opennet.ru
