killchain-compendium/exploit/linux/dirty_pipe/dirty_pipe.md

CVE-2022-0847

• Max Kellerman's post

• 5.8 < Vulnerable kernels < 5.10.102

• If a file can be read, it can be written also.

Usage

• splice(2) moves data between files and through pipes without copying between kernel and user adress space
• Anonymous pipes permissions are not checked
  • Read only permissions on pages do not matter on a pipe level
• Splice is putting data into the pipe and malicious data afterwards in the same one to overwrite the mem page
• PIPE_BUF_FLAG_CAN_MERGE flag has to be activated in order to write back to a file
• Works as long as there is an offset to start of a page in the beginning of the writing