In USB Gadget, a subsystem of the Linux kernel

A vulnerability (CVE-2021-39685) has been identified in the USB Gadget API, which provides a software interface for creating USB client devices and for emulating USB devices. The vulnerability can lead to a kernel information leak, a crash, or arbitrary code execution at the kernel level. The attack is carried out by an unprivileged local user by manipulating various device classes implemented on top of the USB Gadget API, such as rndis, hid, uac1, uac1_legacy and uac2.
The problem has been fixed in the recently published kernel updates Linux 5.15.8, 5.10.85, 5.4.165, 4.19.221, 4.14.258, 4.9.293 and 4.4.295. It has not yet been fixed in the distributions (Debian, Ubuntu, RHEL, SUSE, Fedora, Arch). A program demonstrating that the vulnerability exists has been prepared.
The problem is caused by a buffer overflow in the data transfer request handlers of the rndis, hid, uac1, uac1_legacy and uac2 gadget drivers. By exploiting the vulnerability, an unprivileged attacker can gain access to kernel memory by sending a special control request whose wLength field value exceeds the size of the static buffer, for which 4096 bytes are always allocated (USB_COMP_EP0_BUFSIZ). During the attack, an unprivileged process in user space can read or write up to 65 KB of data in kernel memory.
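The missing bounds check can be modelled in user space. The following is an added example, not code from the article or from the kernel: `parse_setup`, `ep0_data_len` and the sample packet are hypothetical, and the policy of clamping reads while rejecting writes is an assumption of this example.

```c
#include <stdint.h>
#include <stdio.h>

#define USB_COMP_EP0_BUFSIZ 4096   /* static ep0 buffer size named in the article */
#define USB_DIR_IN          0x80   /* bmRequestType bit 7: device-to-host */

/* Fields of the 8-byte USB control SETUP packet. */
struct setup_pkt {
    uint8_t  bRequestType;
    uint8_t  bRequest;
    uint16_t wValue;
    uint16_t wIndex;
    uint16_t wLength;              /* host-controlled, 0..65535 */
};

/* Decode a raw little-endian SETUP packet without relying on host endianness. */
static struct setup_pkt parse_setup(const uint8_t raw[8])
{
    struct setup_pkt s;
    s.bRequestType = raw[0];
    s.bRequest     = raw[1];
    s.wValue  = (uint16_t)(raw[2] | (raw[3] << 8));
    s.wIndex  = (uint16_t)(raw[4] | (raw[5] << 8));
    s.wLength = (uint16_t)(raw[6] | (raw[7] << 8));
    return s;
}

/*
 * Hypothetical helper: number of bytes the data stage may touch in the ep0
 * buffer, or -1 if the request must be refused.
 *   IN  (device-to-host): clamp, so no more than the buffer is sent back.
 *   OUT (host-to-device): refuse, since the buffer cannot hold the payload.
 */
static int ep0_data_len(const struct setup_pkt *s)
{
    if (s->wLength <= USB_COMP_EP0_BUFSIZ)
        return s->wLength;
    return (s->bRequestType & USB_DIR_IN) ? USB_COMP_EP0_BUFSIZ : -1;
}

int main(void)
{
    /* Constructed sample: OUT request (arbitrary bRequest) claiming 0xFFFF bytes. */
    const uint8_t raw[8] = { 0x21, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF };
    struct setup_pkt s = parse_setup(raw);
    printf("wLength=%u -> allowed=%d\n", (unsigned)s.wLength, ep0_data_len(&s));
    return 0;
}
```

Because wLength is a 16-bit field, an unchecked handler accepts lengths up to 65535 against a 4096-byte buffer, which is where the article's 65 KB figure comes from.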
Source: opennet.ru
