killchain-compendium/exploit/linux/dirty_pipe/dirty_pipe.md

681 B

CVE-2022-0847

  • Max Kellerman's post

  • 5.8 < Vulnerable kernels < 5.10.102

  • If a file can be read, it can be written also.

Usage

  • splice(2) moves data between files and through pipes without copying between kernel and user adress space
  • Anonymous pipes permissions are not checked
    • Read only permissions on pages do not matter on a pipe level
  • Splice is putting data into the pipe and malicious data afterwards in the same one to overwrite the mem page
  • PIPE_BUF_FLAG_CAN_MERGE flag has to be activated in order to write back to a file
  • Works as long as there is an offset to start of a page in the beginning of the writing