Attacker Value
Unknown
(0 users assessed)
Exploitability
Unknown
(0 users assessed)
User Interaction
None
Privileges Required
Low
Attack Vector
Local
5

CVE-2022-0847

Disclosure Date: March 10, 2022
Exploited in the Wild
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

A flaw was found in the way the “flags” member of the new pipe buffer structure was lacking proper initialization in copy_page_to_iter_pipe and push_pipe functions in the Linux kernel and could thus contain stale values. An unprivileged local user could use this flaw to write to pages in the page cache backed by read only files and as such escalate their privileges on the system.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics
Base Score:
7.8 High
Impact Score:
5.9
Exploitability Score:
1.8
Vector:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Local
Attack Complexity (AC):
Low
Privileges Required (PR):
Low
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • fedoraproject,
  • linux,
  • netapp,
  • ovirt,
  • redhat,
  • siemens,
  • sonicwall

Products

  • codeready linux builder -,
  • enterprise linux 8.0,
  • enterprise linux eus 8.2,
  • enterprise linux eus 8.4,
  • enterprise linux for ibm z systems 8.0,
  • enterprise linux for ibm z systems eus 8.2,
  • enterprise linux for ibm z systems eus 8.4,
  • enterprise linux for power little endian 8.0,
  • enterprise linux for power little endian eus 8.2,
  • enterprise linux for power little endian eus 8.4,
  • enterprise linux for real time 8,
  • enterprise linux for real time for nfv 8,
  • enterprise linux for real time for nfv tus 8.2,
  • enterprise linux for real time for nfv tus 8.4,
  • enterprise linux for real time tus 8.2,
  • enterprise linux for real time tus 8.4,
  • enterprise linux server aus 8.2,
  • enterprise linux server aus 8.4,
  • enterprise linux server for power little endian update services for sap solutions 8.1,
  • enterprise linux server for power little endian update services for sap solutions 8.2,
  • enterprise linux server for power little endian update services for sap solutions 8.4,
  • enterprise linux server tus 8.2,
  • enterprise linux server tus 8.4,
  • enterprise linux server update services for sap solutions 8.1,
  • enterprise linux server update services for sap solutions 8.2,
  • enterprise linux server update services for sap solutions 8.4,
  • fedora 35,
  • h300e firmware -,
  • h300s firmware -,
  • h410c firmware -,
  • h410s firmware -,
  • h500e firmware -,
  • h500s firmware -,
  • h700e firmware -,
  • h700s firmware -,
  • linux kernel,
  • ovirt-engine 4.4.10.2,
  • scalance lpe9403 firmware,
  • sma1000 firmware,
  • virtualization host 4.0

Exploited in the Wild

Reported by:
Technical Analysis

Description

On March 7, 2022, CM4all security researcher Max Kellermann published technical details on CVE-2022-0847, an arbitrary file overwrite vulnerability in versions 5.8+ of the Linux kernel. Nicknamed “Dirty Pipe,” the vulnerability arises from incorrect Unix pipe handling, where unprivileged processes can corrupt read-only files. Successful exploitation allows local attackers to escalate privileges by modifying or overwriting typically inaccessible files — potentially including root passwords and SUID binaries. Security researchers have also demonstrated that in some cases, public exploit code can be used to escape containers in that files modified inside the container also get modified on the host

Public exploit code is available as of March 7, 2022. Linux distributions have been notified and as of March 9, patches are still trickling out.

Affected products

Linux kernel versions since 5.8

Technical analysis

PoC

In this example test is a basic text file containing the contents Hello, world!. The permissions are changed to readable only, and the owner is set to root.

msf@dirtypipe:~$ ls -al test
-r--r--r-- 1 root root 14 Mar  9 11:52 test
msf@dirtypipe:~$ cat test
Hello, world!

The original PoC takes three arguments: the target file to overwrite, the offset within the file to start writing at, and the data to write to the target file. Because some data from the target file has to be spliced first, the offset cannot start at 0, and the amount of data that is written cannot exceed a page boundary (4096 bytes). The attacker must have read permissions on the target file.

msf@dirtypipe:~$ uname -a
Linux dirtypipe 5.11.0-49-generic #55-Ubuntu SMP Wed Jan 12 17:36:34 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
msf@dirtypipe:~$ ./poc test 1 "ello, root!"
It worked!
msf@dirtypipe:~$ cat test
Hello, root!!

While this shows a seemingly innocuous file write, a similar approach can be used to escalate privileges to root.

Another PoC demonstrates that the vulnerability can be used to overwrite an SUID binary to elevate privileges.

Patch

The patch appears to simply initialize the struct pipe_buffer flags, which removes the ability to arbitrarily set the PIPE_BUF_FLAG_CAN_MERGE flag.

[diff](https://lore.kernel.org/lkml/20220221100313.1504449-1-max.kellermann@ionos.com/#iZ31lib:iov_iter.c) --git a/lib/iov_iter.c b/lib/iov_iter.c
index b0e0acdf96c1..6dd5330f7a99 100644
--- a/lib/iov_iter.c
+++ b/lib/iov_iter.c @@ -414,6 +414,7 @@ static size_t copy_page_to_iter_pipe(struct page *page, size_t offset, size_t by
 		return 0;
 
 	buf->ops = &page_cache_pipe_buf_ops;
+	buf->flags = 0;
 	get_page(page);
 	buf->page = page;
 	buf->offset = offset;
@@ -577,6 +578,7 @@ static size_t push_pipe(struct iov_iter *i, size_t size,
 			break;
 
 		buf->ops = &default_pipe_buf_ops;
+		buf->flags = 0;
 		buf->page = page;
 		buf->offset = 0;
 		buf->len = min_t(ssize_t, left, PAGE_SIZE);
--

IOCs

While exploitation is mostly memory-based, variants of the PoC overwrite ubiquitous SUID binaries on Linux, which means it’s possible that an attacker may leave behind corrupted system files or binaries.

Mitigation guidance

Patch and reboot systems as updates become available.