ukusuka kuGoogle ingxelo malunga nokuchongwa kwe-15 vulnerabilities elandelayo (CVE-2019-19523 - CVE-2019-19537) kubaqhubi be-USB abanikezelwa kwi-Linux kernel. Le yibhetshi yesithathu yeengxaki ezifunyenwe ngexesha lovavanyo lwe-fuzz lwesitaki se-USB kwiphakheji - umphandi onikwe ngaphambili malunga nobukho bobuthathaka obungama-29.
Ngeli xesha uluhlu lubandakanya kuphela ubuthathaka obubangelwa kukufikelela kwiindawo zememori esele zikhululwe (ukusetyenziswa-emva kokukhululeka) okanye ukukhokelela ekuvuzeni kwedatha kwimemori ye-kernel. Imiba enokuthi isetyenziswe ukwenza ukwaliwa kwenkonzo ayiqukwanga kwingxelo. Ubuthathaka bunokuthi busetyenziswe xa izixhobo ze-USB ezilungiselelwe ngokukodwa ziqhagamshelwe kwikhompyuter. Ukulungiswa kwazo zonke iingxaki ezikhankanywe kwingxelo sele zibandakanyiwe kwi-kernel, kodwa ezinye azifakwanga kwingxelo. usahleli ungalungiswanga.
Ukusetyenziswa okuyingozi kakhulu emva kobuthathaka obungakhokelela ekuqhutyweni kwekhowudi yomhlaseli kupheliswe kwi-adtux, ff-memless, ieee802154, pn533, hiddev, iowarrior, mcba_usb kunye nabaqhubi beyurex. I-CVE-2019-19532 iphinda idwelise ubuthathaka be-14 kubaqhubi be-HID okubangelwa iimpazamo ezivumela ukubhala ngaphandle kwemida. Iingxaki zifunyenwe kwi-ttusb_dec, pcan_usb_fd kunye ne-pcan_usb_pro abaqhubi abakhokelela ekuvuzeni kwedatha kwimemori ye-kernel. Umba (CVE-2019-19537) ngenxa yemeko yogqatso ichongiwe kwikhowudi ye-USB ye-stack yokusebenza kunye nezixhobo zabalinganiswa.
Unokuqaphela kwakhona
ubuthathaka obune (CVE-2019-14895, CVE-2019-14896, CVE-2019-14897, CVE-2019-14901) kumqhubi weMarvell chips ezingenazingcingo, ezinokukhokelela ekuphuphumeni kwebuffer. Uhlaselo lunokuthi luqhutywe kude ngokuthumela iifreyimu ngendlela ethile xa udibanisa kwindawo yokufikelela kwi-wireless yomhlaseli. Esona sisongelo esinokwenzeka kukukhanyelwa kwenkonzo ekude (ukuphazamiseka kwe-kernel), kodwa ukuba nokwenzeka kokuphunyezwa kwekhowudi kwisixokelelwano akunakukhutshelwa ngaphandle.
umthombo: opennet.ru