Since March 7, the bug with code CVE-2022-0847, also named Dirty Pipe, has been publicly disclosed. This vulnerability initially affects the Linux kernel from version 5.8 onwards and allows privilege escalation by writing to read-only locked files. Many systems, including the latest versions of Android and some distributions such as Ubuntu, Debian or Fedora, are affected.

Before explaining the details of the vulnerability, it is useful to review some theoretical concepts of operating systems, and of Linux in particular:

Memory pages. The smallest unit of data for memory management in an operating system based on virtual memory.

Cached pages. Memory pages that have been recently accessed and are kept in a faster intermediate memory in order to speed up subsequent accesses.

Pipes. For inter-process communication, shared memory pages are often used, where one process reads and another writes. Typically, a pipe spans multiple memory pages. These are the same pipes used for concatenating commands in the terminal with the "|" character. When the information shared between processes does not occupy an entire memory page, the page can be reused for another pipe, so data from different pipes may coexist in the same memory page.

Pipe flags. Pipe flags specify characteristics such as status and permissions. The problem arises in one of these flags, PIPE_BUF_FLAG_CAN_MERGE, whose function is to indicate that the data of a page in a pipe can be merged without rewriting the data in memory.

At the time, the functions that reserve the memory of the pipes were defined without initializing the variable where the flags are stored. The flags available then were not very interesting, so this did not pose a risk. But since this new flag was defined, the lack of initialization does result in a problem: because the kernel always has the cached pages under its control, it does not check their permissions when using a page.

Dirty Pipe vulnerability CVE-2022-0847 exploit

The discoverer of the bug, Max Kellermann, also developed an exploit for this problem, which is available on his website about the Dirty Pipe vulnerability. It starts by opening a file in read mode; the file can later be written to even if the program does not have write permission on it. It then creates a pipe with the pipe() system call, which gives the same process access to the descriptors that allow writing to and reading from the pipe. It writes any kind of data into the pipe to fill it completely and have its memory pages flagged with PIPE_BUF_FLAG_CAN_MERGE. Once all the pages have been marked, it lets the kernel free them by reading back all the data it had written to the pipe.
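To make the root cause concrete, here is an added C model of the ring of pipe buffer slots. It is not code from this article, from the kernel, or from Max Kellermann's exploit: it is a constructed simulation in which the struct and function names prefixed model_ are assumptions, the anonymous page and the cached page are plain arrays, and no real pipe is created. It walks through the sequence described above (fill the pipe so every slot is marked PIPE_BUF_FLAG_CAN_MERGE, read it all back, then let another code path reuse a slot for a cached page) once with the flags field left untouched, as in the affected kernels, and once with the field cleared, which is the one-line initialization that closes the hole.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the kernel's ring of pipe buffer slots. This is not
 * kernel code; every name prefixed "model_" is an assumption made for the
 * example. */

/* Bit value the kernel uses for PIPE_BUF_FLAG_CAN_MERGE; for the model only
 * a distinct bit matters. */
#define PIPE_BUF_FLAG_CAN_MERGE 0x10
#define MODEL_RING_SLOTS 4

struct model_pipe_buffer {
    const char *page;   /* memory page backing this slot */
    unsigned int len;   /* bytes of data in the page */
    unsigned int flags; /* the field the article says was left uninitialized */
};

struct model_pipe {
    struct model_pipe_buffer bufs[MODEL_RING_SLOTS];
    unsigned int head;  /* next slot a writer fills */
    unsigned int tail;  /* next slot a reader drains */
};

/* An ordinary write(): the pipe code marks the fresh slot CAN_MERGE so a
 * later short write can be appended to the same anonymous page. */
static void model_write(struct model_pipe *p, const char *page, unsigned int len)
{
    struct model_pipe_buffer *b = &p->bufs[p->head % MODEL_RING_SLOTS];
    b->page = page;
    b->len = len;
    b->flags = PIPE_BUF_FLAG_CAN_MERGE;
    p->head++;
}

/* Reading everything only moves tail up to head; the slot contents, flags
 * included, stay behind in the ring. */
static void model_read_all(struct model_pipe *p)
{
    p->tail = p->head;
}

/* A different code path later places a page-cache page (one belonging to a
 * file opened read-only) into a reused slot. The vulnerable variant sets page
 * and len but never touches flags, the missing initialization the article
 * describes; the fixed variant clears flags explicitly. */
static void model_add_cache_page(struct model_pipe *p, const char *cache_page,
                                 unsigned int len, bool fixed)
{
    struct model_pipe_buffer *b = &p->bufs[p->head % MODEL_RING_SLOTS];
    b->page = cache_page;
    b->len = len;
    if (fixed)
        b->flags = 0;
    p->head++;
}

/* Runs the sequence from the article (fill the pipe, read it all back, reuse
 * a slot for a cached page) and returns whether the cached page ended up
 * marked mergeable, i.e. whether a later write would land in the page cache. */
bool cache_page_is_mergeable(bool fixed)
{
    static char scratch[4096];     /* constructed anonymous pipe data */
    static char cache_page[4096];  /* stands in for a read-only file's cached page */
    struct model_pipe p = {0};

    for (int i = 0; i < MODEL_RING_SLOTS; i++)
        model_write(&p, scratch, sizeof scratch);   /* every slot now carries CAN_MERGE */
    model_read_all(&p);                             /* pipe is empty, slots are stale */
    model_add_cache_page(&p, cache_page, 1, fixed); /* first slot is reused */

    const struct model_pipe_buffer *b = &p.bufs[(p.head - 1) % MODEL_RING_SLOTS];
    return (b->flags & PIPE_BUF_FLAG_CAN_MERGE) != 0;
}

int main(void)
{
    printf("flags left uninitialized: cached page mergeable = %s\n",
           cache_page_is_mergeable(false) ? "yes" : "no");
    printf("flags cleared:            cached page mergeable = %s\n",
           cache_page_is_mergeable(true) ? "yes" : "no");
    return 0;
}
```

The run with the field left alone reports the cached page as still mergeable, the run with the field cleared does not. The defender's takeaway is the general one behind this bug class: every code path that fills a reusable record has to initialize the whole record, and a regression check of this shape catches a stale flag without needing an affected kernel.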