Ukuba sengozini (CVE-2021-39685) kukhonjwe kuGajethi ye-USB, isistimu engaphansi ye-Linux kernel enikeza isixhumi esibonakalayo sokwakha amadivayisi weklayenti le-USB kanye nokulingiswa kwesofthiwe yamadivayisi e-USB, okungaholela ekuvuzeni kwe-kernel, ukuphahlazeka, noma ukukhishwa kwekhodi okungahleliwe kuma-kernel. Ukuhlasela kwenziwa umsebenzisi wasendaweni ongenalungelo ngokukhohlisa amakilasi edivayisi ahlukahlukene asetshenziswa ngesisekelo se-USB Gadget API, njenge-rndis, hid, uac1, uac1_legacy ne-uac2.
Inkinga ilungisiwe kuzibuyekezo ze-Linux kernel 5.15.8, 5.10.85, 5.4.165, 4.19.221, 4.14.258, 4.9.293, kanye ne-4.4.295 eshicilelwe kamuva nje. Ekusabalaliseni, inkinga isalokhu ingalungisiwe (Debian, Ubuntu, RHEL, SUSE, Fedora, Arch). I-prototype yokuxhaphaza isilungiselelwe ukukhombisa ukuba sengozini.
Inkinga ibangelwa ukuchichima kwebhafa kuzibambi zesicelo sokudlulisa idatha ku-rndis, hid, uac1, uac1_legacy, kanye nezishayeli zegajethi ze-uac2. Njengomphumela wokuxhaphaza ubungozi, umhlaseli ongenalo ilungelo angathola ukufinyelela kumemori ye-kernel ngokuthumela isicelo esikhethekile sokulawula esinenani lenkambu ye-wLength edlula usayizi webhafa emile, lapho 4096 byte inikezwa njalo (USB_COMP_EP0_BUFSIZ). Ngesikhathi sokuhlasela, inqubo yendawo yomsebenzisi engavikelekile ingafunda noma ibhale idatha engafika ku-65 KB kumemori ye-kernel.
Source: opennet.ru