Dirty Pipe: a vulnerability that allows data to be overwritten

Recently the news broke that a vulnerability was identified in the Linux kernel; it has already been cataloged as CVE-2022-0847 and has been named "Dirty Pipe".

This vulnerability, dubbed "Dirty Pipe", allows overwriting the contents of the page cache for any file, including files set to read-only, files opened with the O_RDONLY flag, and files located on file systems mounted read-only.

On the practical side, the vulnerability could be used to inject code into arbitrary processes or corrupt data in open files. For example, the content of the authorized_keys file used by the sshd process could be changed.

About Dirty Pipe

It is similar to the critical Dirty COW vulnerability identified in 2016; Dirty Pipe is said to be on the same level as Dirty COW in terms of danger, but much easier to exploit.

Dirty Pipe was identified while analyzing complaints about periodic corruption of archives downloaded over the network on a system that downloads compressed files from a logging server (37 corrupted files in 3 months on a loaded system); the files had been prepared using the splice() operation and unnamed pipes.

The vulnerability has been present since Linux kernel version 5.8, released in August 2020.

Put another way, it is present in Debian 11 but does not affect the base kernel in Ubuntu 20.04 LTS; the RHEL 8.x and openSUSE/SUSE 15 kernels are originally based on older branches, but it is possible that the change that causes the problem has been backported to them (there is no exact data yet).

The vulnerability is due to the lack of initialization of the "buf->flags" field in the copy_page_to_iter_pipe() and push_pipe() functions, even though the memory is not cleared when the structure is allocated; with certain manipulations of unnamed pipes, "buf->flags" may therefore retain a value from another operation. Using this, an unprivileged local user can cause the PIPE_BUF_FLAG_CAN_MERGE value to appear in the flags, allowing them to overwrite data in the page cache simply by writing new data to a specially prepared unnamed pipe.

For an attack to succeed, the target file only needs to be readable: since access rights are not checked when writing to a pipe, the contents of the page cache can be replaced even for files located on read-only partitions (for example, files on a CD-ROM).

Once the information in the page cache has been replaced, a process reading the file will receive the replaced data rather than the real data.

It is mentioned that the Dirty Pipe operation boils down to creating an unnamed pipe and filling it with arbitrary data so that the PIPE_BUF_FLAG_CAN_MERGE flag is set on all ring structures associated with it.

The data is then read from the pipe, but the flag remains set on all instances of the pipe_buffer structure in the pipe_inode_info ring structures. A call to splice() is then made to read the data from the target file into the unnamed pipe, starting at the required offset. When data is written to this unnamed pipe, the PIPE_BUF_FLAG_CAN_MERGE flag causes the data in the page cache to be overwritten instead of a new instance of the pipe_buffer structure being created.

Finally, if you are interested in knowing more about it, you can check the details in the original note at the following link.

Also, if you want to follow the publication of package updates in the main distributions, you can do so from these pages: Debian, SUSE, Ubuntu, RHEL, Fedora, Gentoo, Arch Linux.

It is mentioned that the fix for the vulnerability is available in Linux kernel versions 5.16.11, 5.15.25 and 5.10.102, and that the fix is also included in the kernel used on the Android platform.
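As an added check that is not part of the original note, the script below compares the running kernel's upstream version number against the affected range the article gives (5.8 up to the fixed releases 5.10.102, 5.15.25 and 5.16.11). It assumes that branches newer than 5.16 already carry the fix, and it only looks at upstream numbering: distributions such as RHEL or SUSE backport fixes (or the offending change) without bumping the version, so a positive result means "confirm with the vendor advisory", not "confirmed vulnerable".

```python
import re
import platform

# Stable releases that carry the fix, as listed in the article.
FIXED_IN = {(5, 10): 102, (5, 15): 25, (5, 16): 11}
# First affected release: 5.8 (August 2020).
FIRST_AFFECTED = (5, 8, 0)
# Assumption: anything newer than the 5.16 branch already includes the fix.
LAST_AFFECTED_BRANCH = (5, 16)


def parse_release(release):
    """Extract (major, minor, patch) from a `uname -r` string such as '5.10.0-13-amd64'."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def upstream_vulnerable(release):
    """True if the upstream version in `release` lies inside the affected range.

    Distribution kernels that backported the fix without changing the version
    will still return True here; treat the result as a prompt to check the
    vendor advisory, not as proof.
    """
    major, minor, patch = parse_release(release)
    if (major, minor, patch) < FIRST_AFFECTED:
        return False                      # older than 5.8: bug not present
    if (major, minor) > LAST_AFFECTED_BRANCH:
        return False                      # 5.17+ (assumed to include the fix)
    fixed_patch = FIXED_IN.get((major, minor))
    if fixed_patch is None:
        return True                       # 5.8 .. 5.16 branch with no listed fix release
    return patch < fixed_patch            # below the fixed stable release


def check_running_kernel():
    """Return (release string, in-affected-range flag) for the host this runs on."""
    release = platform.release()
    return release, upstream_vulnerable(release)


if __name__ == "__main__":
    rel, vuln = check_running_kernel()
    status = "inside the affected upstream range" if vuln else "outside the affected range"
    print(f"kernel {rel}: {status}")
```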

