“Dirty Pipe” Linux kernel bug lets anyone write to any file


Max Kellermann, a coder and security researcher for German content management software creators CM4all, has just published a fascinating report about a Linux kernel bug that was patched recently.

He called the vulnerability Dirty Pipe because it involves insecure interaction between a true Linux file (one that’s saved permanently on disk) and a Linux pipe, which is a memory-only data buffer that can be used like a file.

Very greatly simplified, if you have a pipe that you are allowed to write to and a file that you aren’t…

…then, sometimes, writing into the pipe’s memory buffer may inadvertently also modify the kernel’s temporary in-memory copies – the so-called cache pages – of various parts of the disk file.

Annoyingly, even if the file is flagged as “read only” by the operating system itself, modifying its underlying kernel cache is treated as a “write”.

As a result, the modified cache buffer is flushed back to disk by the kernel, permanently updating the contents of the stored file, despite any operating system permissions applied to it.

Even a physically unwritable file, such as one on a CD-ROM or an SD card with the write-enable switch turned off, will appear to have been modified for as long as the corrupted cache buffers are kept in memory by the kernel.

Which versions are affected?

For those running Linux who want to cut to the chase and check if they’re patched, Kellermann reports that this bug was introduced (at least in its current, easily exploitable form) in kernel 5.8.

That means three officially supported kernel flavors are definitely at risk: 5.10, 5.15 and 5.16.

The bug was patched in 5.10.102, 5.15.25 and 5.16.11, so if you have a version that is at or above one of those, you’re OK.

Apparently, Android is affected too, and although a fix for the vulnerability was incorporated into the kernel source code on 2022-02-24, neither Google’s Android Security Bulletin for March 2022 nor the company’s Pixel-specific notes mention this bug, now dubbed CVE-2022-0847.

Of all the numerous officially supported Android handsets we’ve surveyed so far, the only ones we heard of that use kernel 5.10 are the Google Pixel 6 and the Samsung S22 series (reports suggest both of these are still on 5.10.43 [2022-03-09T12:00Z]).

Most devices seem still to be using one of the older-but-apparently-not-vulnerable Linux 5.4 or 4.x versions.
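For readers who want to do the "cut to the chase" check described above, here is a small version checker that encodes the rules in this section (introduced in 5.8; fixed in 5.10.102, 5.15.25 and 5.16.11). It is an added example, not code from the article or from CM4all; kernel branches newer than 5.16 are reported as "unknown" because the article says nothing about them, and the sample release strings are constructed.

```python
"""Classify a Linux kernel release string against the Dirty Pipe (CVE-2022-0847)
versions named in the article. Added example, not the article's own code."""
import platform
import re

INTRODUCED = (5, 8)  # first kernel series carrying the easily exploitable bug
# Stable branches with a fix version named in the article.
FIXED = {(5, 10): (5, 10, 102), (5, 15): (5, 15, 25), (5, 16): (5, 16, 11)}
LAST_COVERED_BRANCH = (5, 16)  # the article does not discuss 5.17 or later


def parse_release(release):
    """Turn a `uname -r` string such as '5.10.43-android12-9' into an int tuple.
    A missing patch level (e.g. '5.16') is treated as .0."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError("unrecognised kernel release: %r" % release)
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def dirty_pipe_status(release):
    """Return 'not affected', 'vulnerable', 'patched' or 'unknown'."""
    ver = parse_release(release)
    branch = ver[:2]
    if branch < INTRODUCED:
        return "not affected"  # e.g. 4.x and 5.4, predating the bug
    if branch > LAST_COVERED_BRANCH:
        return "unknown"  # newer than anything the article covers
    fix = FIXED.get(branch)
    if fix is None:
        return "vulnerable"  # 5.8, 5.9, 5.11-5.14: affected, no fix listed
    return "patched" if ver >= fix else "vulnerable"


if __name__ == "__main__":
    # Constructed sample releases, including the 5.10.43 value quoted for the
    # Pixel 6 / S22 handsets, plus the fix versions and their predecessors.
    samples = ["4.19.191", "5.4.147", "5.10.43-android12-9", "5.10.101",
               "5.10.102", "5.15.25", "5.16.10", "5.16.11", "5.17.0-rc1"]
    for rel in samples:
        print("%-24s %s" % (rel, dirty_pipe_status(rel)))
    if platform.system() == "Linux":  # only meaningful on a Linux host
        running = platform.release()
        print("%-24s %s (this machine)" % (running, dirty_pipe_status(running)))
```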