Linux Dirty Pipe its too Dirty

A vulnerability in the Linux kernel, dubbed Dirty Pipe, allows an unprivileged user to overwrite data in read-only files. This can lead to privilege escalation as a result of unprivileged processes being able to inject code into root processes.

The affected Linux kernel versions are 5.8 and above. The fixed versions are 5.16.11, 5.15.25 and 5.10.102.

Advertisements

Dirty Pipe is the nickname for the vulnerability listed as CVE-2022-0847. It is described as a flaw in the way the “flags” member of the new pipe buffer structure was lacking proper initialization in copy_page_to_iter_pipe and push_pipe functions in the Linux kernel and could thus contain stale values. An unprivileged local user could use this flaw to write to pages in the page cache backed by read only files and as such escalate their privileges on the system.

Pipes are used to pass information from one program to another by storing the output of the first program and then passing it to the second. For example, if you want to pass information from the list command ls to the paging program less, you’d join them with a pipe. On the command line, it looks like ls | less.

The Dirty Pipe vulnerability can be abused by creating a pipe which the attacker has permission to change and then confusing the Linux kernel into thinking that the pipe is a file the attacker doesn’t have permission to change.

The confusion in the Linux kernel is created by making use of the caching pages. Caching pages are temporary copies of files in a system’s memory that are created to make the handling of frequently used files faster. The vulnerability allows the attacker to make changes to the cached copy of a file that should be “read-only” for a user without root permissions.