CVE-2022-0847 The "flags" member of the new pipe buffer is uninitialized in copy_page_to_iter_pipe and push_pipe, which could contain stale values.

CVE-2022-0847 The "flags" member of the new pipe buffer is uninitialized in copy_page_to_iter_pipe and push_pipe, which could contain stale values.

A more serious issue caused by the lack of initialization of the "flags" member was discovered by Daniel Mach of the Red Hat Security Engineering team. If an attacker had virtual file system access to an unprivileged local user's system, they could use this flaw to escalate their privileges on the system.

Thanks to the kernel's policy of in-page data sharing, an unprivileged local user could in theory access any page in the kernel's page cache as if it were any other virtual memory mapping. However, to do so, they needed to obtain a copy of that page from outside of the page cache. For example, they might do this by using the VirtualBox graphical user interface or by accessing a virtual file system and side loading a program that has been patched to access arbitrary kernel memory locations.
Of course, obtaining such a copy of a page from outside of the page cache might raise suspicions. This is where the issue of lack of initialization of the "flags" member of the new pipe buffer structure comes in. In this scenario, an unprivileged local user could simply create a pipe with the "flags" set to 0 and let the copy() system call create a new pipe buffer with the "flags" set to 0. This would result in the new pipe buffer structure having an invalid "flags" member, thus allowing an unprivileged local user to read data from any page in the kernel's page cache as if it were any other virtual memory mapping. Once

References

- CVE-2022-0847
- Daniel Mach of the Red Hat Security Engineering team
6 Reasons Why Digital Marketing Is Important - https://www.seroundtable.com/digital-marketing-reasons-why-it-s-important-23764.html

User-Space Code Execution

An unprivileged local user can use this flaw to execute code in the kernel's address space. This could be achieved by mapping a file into their address space and executing it.
This flaw is not remotely exploitable, as it requires physical access to the system.

Overview of the Issue

The kernel does not perform any sanity checks on the "flags" member of a new pipe buffer during its initialization. As a result, an unprivileged local user could read arbitrary data from any page in the kernel's page cache as if it were any other virtual memory mapping.
The issue is triggered by lack of initialization of the "flags" member of a new pipe buffer during its initialization, when an unprivileged local user creates a new pipe with "flags" set to 0 and then executes copy() system call that creates a new pipe buffer with "flags" set to 0.
When the kernel copies data from one pipe buffer to another using copy() system call, it doesn't check if their respective "flags" members are initialized to zero. An unprivileged local user could create two pipes with flags set to 0 at the same time and use copy() system call to transfer data between them without raising suspicion.

The "flags" field of the new pipe buffer structure

A more serious issue caused by the lack of initialization of the "flags" member was discovered by Daniel Mach of the Red Hat Security Engineering team. If an attacker had virtual file system access to an unprivileged local user's system, they could use this flaw to escalate their privileges on the system.
Thanks to the kernel's policy of in-page data sharing, an unprivileged local user could in theory access any page in the kernel's page cache as if it were any other virtual memory mapping. However, to do so, they needed to obtain a copy of that page from outside of the page cache. For example, they might do this by using the VirtualBox graphical user interface or by accessing a virtual file system and side loading a program that has been patched to access arbitrary kernel memory locations.
Of course, obtaining such a copy of a page from outside of the page cache might raise suspicions. This is where the issue of lack of initialization of the "flags" member of the new pipe buffer structure comes in. In this scenario, an unprivileged local user could simply create a pipe with the "flags" set to 0 and let the copy() system call create a new pipe buffer with the "flags" set to 0. This would result in the new pipe buffer structure having an invalid "flags" member, thus allowing an unprivileged local user to read data from any page in the kernel's page cache as if it were any other virtual memory mapping. Once

The Linux Kernel's New Pipe Buffer Structure

The Linux Kernel's new pipe buffer structure is a mechanism that provides a mechanism to allocate, manage and release memory.
If an attacker has virtual file system access to an unprivileged local user's system, they could use this flaw to escalate their privileges on the system.

References

Subscribe to CVE.news
Don’t miss out on the latest issues. Sign up now to get access to the library of members-only issues.
jamie@example.com
Subscribe