CVE-2022-0847-DirtyPipe-Exploit

Posted by rtoax


荣涛
2022-03-10

Document change log

Date        Change    Author    Notes
2022-03-10  Created   荣涛

Introduction

Current status of CVE-2022-0847 (Dirty Pipe), a vulnerability that lets an unprivileged user modify the root password,

Affected versions

5.8 <= Linux kernel version < 5.16.11 / 5.15.25 / 5.10.102

CentOS Stream 9

Neither the x86_64 nor the aarch64 kernel changelog contains a fix entry for CVE-2022-0847.

x86_64

  • 5.14.0-39.el9.x86_64: vulnerable (reproducible)
  • 5.14.0-70.el9.x86_64: vulnerable (reproducible)

AArch64

  • 5.14.0-70.el9.aarch64: not vulnerable (not reproducible; tested in a VM on a Kunpeng server)

CCLinux 2203

x86_64

  • 5.15.13-0.el9.x86_64: vulnerable (reproducible)

AArch64

  • 5.15.13-0.el9.aarch64: not vulnerable (not reproducible; tested in a VM on a 双子芯74 server)
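As an added example (not part of the original write-up), the following Python screens a `uname -r` release string against the upstream range given above. It only encodes the upstream fix points; as the CentOS Stream 9 results show, a distribution kernel's version string cannot reveal whether a vendor backport is present, so a hit means "check the vendor changelog or test", not "confirmed vulnerable".

```python
"""Screen a kernel release string against the upstream CVE-2022-0847 (Dirty Pipe) range.

Upstream range from the write-up: 5.8 <= version < 5.16.11 / 5.15.25 / 5.10.102.
A vendor kernel (e.g. 5.14.0-70.el9) may carry a backported fix that a
version-only check cannot see; the verdict is therefore only a first screen.
"""
import re

FIRST_AFFECTED = (5, 8, 0)                  # lowest affected version in the range above
MAINLINE_FIXED = (5, 16, 11)                # 5.16.11 and every later release carry the fix
STABLE_FIXED = {(5, 15): 25, (5, 10): 102}  # fix points on the two LTS branches


def parse_release(release: str) -> tuple[int, int, int]:
    """Return (major, minor, patch) from a `uname -r` string such as '5.14.0-70.el9.x86_64'."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def upstream_affected(release: str) -> bool:
    """True if the upstream kernel of this version lies inside the vulnerable range."""
    version = parse_release(release)
    if version < FIRST_AFFECTED or version >= MAINLINE_FIXED:
        return False
    fixed_patch = STABLE_FIXED.get(version[:2])
    if fixed_patch is not None and version[2] >= fixed_patch:
        return False  # 5.15.25+ or 5.10.102+ on their stable branches
    return True       # 5.8.y-5.14.y, early 5.15.y/5.10.y, and 5.16.0-5.16.10


def classify(release: str) -> str:
    """Human-readable verdict; a vendor backport can only be confirmed from the distro changelog."""
    if not upstream_affected(release):
        return "not affected (upstream version outside the vulnerable range)"
    return "version inside vulnerable range: confirm a vendor backport or test"


if __name__ == "__main__":
    import platform
    running = platform.release()
    print(running, "->", classify(running))
```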

Analysis

The key system calls in the reproduction code can be summarised as:

int pipefd[2];
pipe(pipefd);                                  /* create the pipe */
fd = open("/etc/passwd", O_RDONLY);            /* target file, opened read-only */
splice(fd, &offset, pipefd[1], NULL, 1, 0);    /* splice one byte of the file's page cache into the pipe */
write(pipefd[1], data, data_size);             /* write into the pipe; the data lands in the page-cache page */

The analysis below follows the kernel source at version 5.10.13 (a vulnerable version).

First, splice(2). The reproduction uses it as shown above; the outline of its call path is:

splice(infd, outfd, len)
    __do_splice(infd, outfd, len)
        do_splice(infd, outfd, len)
            splice_pipe_to_pipe     - if both infd and outfd are pipes (omitted)
            do_splice_from          - if infd is a pipe and outfd is not (omitted)
            do_splice_to            - if infd is not a pipe and outfd is (the CVE-2022-0847 reproduction case)
                in->f_op->splice_read(..., len, ...)    - corresponds to generic_file_splice_read()
                generic_file_splice_read(len)
                    call_read_iter()    - corresponds to file->f_op->read_iter(), which differs per file system:
                                            ext4_file_operations.ext4_file_read_iter()
                                            xfs_file_operations.xfs_file_read_iter()
                    xfs_file_read_iter() for an xfs file system
                        xfs_file_dax_read()         - dax (omitted)
                        xfs_file_dio_aio_read()     - aio (omitted)
                        xfs_file_buffered_aio_read()- everything else; the tracepoint trace_xfs_file_buffered_read can be used here
                            generic_file_read_iter()    - defined in filemap.c
                                generic_file_buffered_read()    - reads a whole page into the page cache (point of interest)

Kernel call stacks:

generic_file_read_iter+1
xfs_file_buffered_read+80
xfs_file_read_iter+110
generic_file_splice_read+255
splice_file_to_pipe+179
do_splice+692
__do_splice+222
__x64_sys_splice+148
do_syscall_64+59
entry_SYSCALL_64_after_hwframe+68

pagecache_get_page+1
filemap_fault+103
__xfs_filemap_fault+102
__do_fault+54
do_fault+704
__handle_mm_fault+971
handle_mm_fault+197
do_user_addr_fault+443
exc_page_fault+98
asm_exc_page_fault+30


Now the corresponding write(2):

write(fd, data, data_len)
    ksys_write(fd, buf, count)
        vfs_write()
            file->f_op->write() - executed first if non-NULL; NULL for xfs (omitted)
            new_sync_write      - if file->f_op->write_iter is non-NULL;
                                    for xfs this is xfs_file_write_iter()
                call_write_iter()   - corresponds to file->f_op->write_iter():
                                        ext4_file_operations.ext4_file_write_iter()
                                        xfs_file_operations.xfs_file_write_iter()
                xfs_file_write_iter()
                    xfs_file_dax_write()            - dax (omitted)
                    xfs_file_dio_aio_write()        - aio (omitted)
                    xfs_file_buffered_aio_write()   - tracepoint trace_xfs_file_buffered_write
                        iomap_file_buffered_write()
                            iomap_apply()
                                iomap_write_actor()
                                    iov_iter_copy_from_user_atomic()
                                    iomap_write_end()

Call stacks:

iomap_write_end+1
iomap_write_actor+238
iomap_apply+269
iomap_file_buffered_write+92
xfs_file_buffered_write+161
new_sync_write+287
vfs_write+475
ksys_write+95
do_syscall_64+59
entry_SYSCALL_64_after_hwframe+68

add_to_page_cache_lru+1
pagecache_get_page+518
grab_cache_page_write_begin+29
iomap_write_begin+409
iomap_write_actor+156
iomap_apply+269
iomap_file_buffered_write+92
xfs_file_buffered_write+161
new_sync_write+287
vfs_write+475
ksys_write+95
do_syscall_64+59
entry_SYSCALL_64_after_hwframe+68


__page_cache_alloc+1
pagecache_get_page+456
grab_cache_page_write_begin+29
iomap_write_begin+409
iomap_write_actor+156
iomap_apply+269
iomap_file_buffered_write+92
xfs_file_buffered_write+161
new_sync_write+287
vfs_write+475
ksys_write+95
do_syscall_64+59
entry_SYSCALL_64_after_hwframe+68

Copyright (C) CESTC Com.
