killchain-compendium/Exploits/Linux/DirtyPipe.md

# CVE-2022-0847

* [Max Kellerman's post](https://dirtypipe.cm4all.com/)

* 5.8 < Vulnerable kernels < 5.10.102
* If a file can be read, it can be written also.

## Usage

* `splice(2)` moves data between files and through pipes without copying between kernel and user adress space
* Anonymous pipes permissions are not checked
    * Read only permissions on pages do not matter on a pipe level
* Splice is putting data into the pipe and malicious data afterwards in the same one to overwrite the mem page
* `PIPE_BUF_FLAG_CAN_MERGE` flag has to be activated in order to write back to a file
* Works as long as there is an offset to start of a page in the beginning of the writing
restructured Exploits 2022-11-13 22:38:01 +01:00			`# CVE-2022-0847`

			`* [Max Kellerman's post](https://dirtypipe.cm4all.com/)`

			`* 5.8 < Vulnerable kernels < 5.10.102`
			`* If a file can be read, it can be written also.`

			`## Usage`

			* `splice(2)` moves data between files and through pipes without copying between kernel and user adress space
			`* Anonymous pipes permissions are not checked`
			`* Read only permissions on pages do not matter on a pipe level`
			`* Splice is putting data into the pipe and malicious data afterwards in the same one to overwrite the mem page`
			* `PIPE_BUF_FLAG_CAN_MERGE` flag has to be activated in order to write back to a file
			`* Works as long as there is an offset to start of a page in the beginning of the writing`