16 lines
681 B
Markdown
16 lines
681 B
Markdown
# CVE-2022-0847
|
|
|
|
* [Max Kellerman's post](https://dirtypipe.cm4all.com/)
|
|
|
|
* 5.8 < Vulnerable kernels < 5.10.102
|
|
* If a file can be read, it can be written also.
|
|
|
|
## Usage
|
|
|
|
* `splice(2)` moves data between files and through pipes without copying between kernel and user adress space
|
|
* Anonymous pipes permissions are not checked
|
|
* Read only permissions on pages do not matter on a pipe level
|
|
* Splice is putting data into the pipe and malicious data afterwards in the same one to overwrite the mem page
|
|
* `PIPE_BUF_FLAG_CAN_MERGE` flag has to be activated in order to write back to a file
|
|
* Works as long as there is an offset to start of a page in the beginning of the writing
|