Immunity, Inc.
Name linux_pipe_buffer
CVE CVE-2022-0847
Exploit Pack CANVAS
Description: linux_pipe_buffer
Notes:
CVE Name: CVE-2022-0847
VENDOR: Linux
NOTES: A flaw was found in the way the flags member of the new pipe buffer structure
was lacking proper initialization in the copy_page_to_iter_pipe and push_pipe functions
in the Linux kernel, and could thus contain stale values.

An unprivileged local user could use this flaw to write to pages in the page cache
backed by read-only files, and as such escalate their privileges on the system.

Essentially this primitive allows unprivileged users to overwrite arbitrary
files on the system, regardless of permissions. The main limitations are:
- The offset into the file at which the overwrite begins cannot be on a page boundary
(typically 4k)
- The write cannot cross a page boundary, i.e. we are limited to ~4k writes, which is plenty
to hijack an SUID binary with an arbitrary payload!

The vulnerable path was introduced in 5.8 (commit f6dd975583bd, "pipe: merge anon_pipe_buf*_ops"),
and patched in stable branches 5.16.11, 5.15.25 and 5.10.102.

The exploit was tested on:
- Ubuntu 21.04 x86_64 (5.13.0-25)

Currently supports:
Linux kernel 5.8-5.16 on x86_64

Versions Affected: Introduced in 5.8 and patched in stable branches 5.16.11, 5.15.25 and 5.10.102.
Repeatability: Infinite
References:
- https://dirtypipe.cm4all.com

CVE Url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0847
Date public: 07/03/2022
CVSS: N/A

Learn more about the CANVAS Exploit Pack here: CANVAS