RHSB-2022-002 Dirty Pipe - kernel arbitrary file manipulation - (CVE-2022-0847)

Executive summary

Red Hat is aware of a vulnerability affecting the Linux kernel that allows an attacker to modify the contents of a file (either in memory or on disk) even when on read-only access mode.

This vulnerability is assigned CVE-2022-0847 and is also known as the Dirty Pipe vulnerability. This issue was publicly disclosed on March 7, 2022, and rated with a severity impact of Important.

Note that for Red Hat Enterprise Linux 8 (RHEL), the currently known exploits do not work. However, the underlying flaw is still present and other novel ways leading to successful exploitation cannot be fully ruled out.

The following Red Hat products are affected:

• Red Hat Enterprise Linux 8
  

• Red Hat Enterprise Virtualization 4
  

Further, any Red Hat product based on Red Hat Enterprise Linux 8 (including RHEL CoreOS) are also affected but not vulnerable as well. This includes products that pull packages from the RHEL channel, such as Red Hat OpenShift Container Platform 3, Red Hat OpenStack Platform and others. Please ensure that the underlying RHEL kernel package is current in these product environments.

To determine if your system is affected by this flaw, see the Diagnose section below.

Technical summary

A flaw was found in the way the "flags" member of the new pipe buffer structure lacked proper initialization in copy_page_to_iter_pipe and push_pipe functions in the Linux kernel and could thus contain stale values. An unprivileged local user could use this flaw to write to pages in the page cache backed by read-only files and, as such, escalate their privileges on the system.

This was demonstrated by creating new pipe buffers with the PIPE_BUF_FLAG_CAN_MERGE flag incorrectly set due to the lack of proper initialization. This flag controls coalescing of writes into a pipe buffer and thus allows for writing to an existing page spliced into the pipe. If a file backs this spliced page, the change will be reflected to the shared system-wide view of the file in memory and any subsequent cache flush will write the manipulated data to disk ignoring existing Linux permissions settings.

This would allow for an unprivileged user to overwrite specific contents of a file (either in memory or on disk) even when only allowed read-only access by existing access controls such as SELinux, standard Linux permissions, advanced access control, immutable files and devices being mounted ‘read only’.

Note that the PIPE_BUF_FLAG_CAN_MERGE flag attack vector is not available in Red Hat Enterprise Linux 8, thus the currently known exploits leveraging this flag do not work.

Refer to CVE-2022-0847 for more details.

Mitigation

Currently, there is no mitigation available for this flaw. SELinux does not mitigate this flaw. Kpatch is unable to mitigate this flaw. Customers should update to fixed packages once they are available.

Updates for affected products

Red Hat customers running affected versions of these Red Hat products are strongly recommended to update as soon as errata are available. Customers are urged to apply the available updates immediately and enable the mitigations as they deem appropriate.

[1] Advisory/Update link will be added once updates are live.

[2] What is the Red Hat Enterprise Linux Extended Update Support (EUS) Subscription?

[3] What is the Red Hat Enterprise Linux SAP Solutions subscription?

Diagnose

A vulnerability detection script has been developed to determine if your system is currently affected by this flaw. To verify the authenticity of the script, you can download the detached OpenPGP signature as well. Instructions on how to use GPG signatures for verification are available on the Customer Portal.

FAQ

Q: How can this flaw modify read-only content?
A: When a file is accessed, it gets loaded in the “cached” region of the memory (the page cache), and the attacker would be able to change the file content in the cached memory. So subsequent reads of the file will return the corrupted content.

Q: Can this flaw corrupt the content of actual files on disk?
A: It can. If a given content is in the “Dirty Page” memory region pending a write to the disk, this content would be prone to interception and modification - then the committed data to the disk would be the intercepted content.

Q: Is it mitigated by SELinux?
A: No, SELinux does not mitigate this vulnerability.

Q: Are Openstack, Ceph, Satellite, etc. vulnerable?
A: The product is not directly affected - the kernel is the affected component, and the affectedness of the system follows the RHEL version that the product is installed on.

Q: Will Red Hat release a kpatch?
A: The kpatch technology is unable to mitigate this vulnerability, thus there will be no kpatch released.

Q: Why is RHEL 8 affected, but is not vulnerable?
A: The currently know exploits depends on the functionality inserted by the upstream kernel commit f6dd97558 - which is not present in the RHEL8 kernel, hindering the exploitation.

Q: Is there any configuration / user configurable clause that can be modified and change the system affectedness/vulnerability?
A: No, there are no configuration clauses that can impact the system’s affectedness/vulnerability.

Q: Is there any special requirement to carry out the exploit?
A: The attacker must be a local user with execution privileges in the system.

Acknowledgments

Red Hat thanks Max Kellermann (CM4all) for reporting this vulnerability

References

https://www.openwall.com/lists/oss-security/2022/03/07/1

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/lib/iov_iter.c?id=9d2231c5d74e13b2a0546fee6737ee4446017903

https://dirtypipe.cm4all.com/

How to use GPG to verify signed content from Product Security