DirtyPipe漏洞分析与利用教学文档<\/h1>

1. 漏洞概述<\/h2>
CVE-2022-0847 (DirtyPipe) 是Linux内核中的一个漏洞，允许低权限用户覆盖任意只读文件的内容，包括setuid文件。该漏洞存在于Linux内核的管道(pipe)机制中，影响5.8及以上版本的Linux内核。<\/p>

2. 漏洞背景知识<\/h2>

2.1 Linux管道机制<\/h3>

Linux管道是一种进程间通信机制，由pipe_inode_info结构体表示：<\/p>

struct<\/span> pipe_inode_info {
<\/span><\/span>    struct<\/span> mutex mutex;
<\/span><\/span>    wait_queue_head_t rd_wait, wr_wait;
<\/span><\/span>    unsigned<\/span> int<\/span> head;
<\/span><\/span>    unsigned<\/span> int<\/span> tail;
<\/span><\/span>    unsigned<\/span> int<\/span> max_usage;
<\/span><\/span>    unsigned<\/span> int<\/span> ring_size;
<\/span><\/span>    unsigned<\/span> int<\/span> nr_accounted;
<\/span><\/span>    unsigned<\/span> int<\/span> readers;
<\/span><\/span>    unsigned<\/span> int<\/span> writers;
<\/span><\/span>    unsigned<\/span> int<\/span> files;
<\/span><\/span>    unsigned<\/span> int<\/span> r_counter;
<\/span><\/span>    unsigned<\/span> int<\/span> w_counter;
<\/span><\/span>    struct<\/span> page *<\/span>tmp_page;
<\/span><\/span>    struct<\/span> pipe_buffer *<\/span>bufs;
<\/span><\/span>    \/\/ ...其他字段省略
<\/span><\/span><\/span><\/span>};
<\/span><\/span><\/code><\/pre>其中关键字段：<\/p>

bufs<\/code>: 指向pipe_buffer结构体数组的指针，默认16个元素<\/li>
head<\/code>: 生产者指针<\/li>
tail<\/code>: 消费者指针<\/li>
<\/ul>
2.2 pipe_buffer结构<\/h3>
struct<\/span> pipe_buffer {
<\/span><\/span>    struct<\/span> page *<\/span>page;    \/\/ 指向数据页
<\/span><\/span><\/span><\/span>    unsigned<\/span> int<\/span> offset, len;  \/\/ 数据在页中的偏移和长度
<\/span><\/span><\/span><\/span>    const<\/span> struct<\/span> pipe_buf_operations *<\/span>ops;
<\/span><\/span>    unsigned<\/span> int<\/span> flags;   \/\/ 包含PIPE_BUF_FLAG_CAN_MERGE等重要标志
<\/span><\/span><\/span><\/span>    unsigned<\/span> long<\/span> private;
<\/span><\/span>};
<\/span><\/span><\/code><\/pre>关键标志：<\/p>

PIPE_BUF_FLAG_CAN_MERGE<\/code>: 允许将新数据合并到现有缓冲区中<\/li>
<\/ul>
2.3 splice系统调用<\/h3>
splice()是一种零拷贝技术，允许在两个文件描述符之间移动数据而不需要在用户空间和内核空间之间复制数据。关键特性：<\/p>

可以直接让pipe_buffer指向原始文件的page cache<\/li>
省去了内存拷贝过程，提高效率<\/li>
<\/ul>
3. 漏洞成因分析<\/h2>
漏洞的根本原因在于splice系统调用在给pipe_buffer赋值时没有正确初始化flags字段，导致之前设置的PIPE_BUF_FLAG_CAN_MERGE<\/code>标志未被清除。<\/p>
具体流程：<\/p>


正常pipe写入流程<\/strong>：<\/p>

写入数据时会申请一个新page<\/li>
把数据拷贝到page里<\/li>
让pipe_buffer指向这个page<\/li>
如果PIPE_BUF_FLAG_CAN_MERGE<\/code>被置位，数据会接着上一次的数据在同一个page中写入<\/li>
<\/ul>
<\/li>

splice零拷贝流程<\/strong>：<\/p>

直接让pipe_buffer指向目标文件的page cache<\/li>
但未清除之前设置的PIPE_BUF_FLAG_CAN_MERGE<\/code>标志<\/li>
<\/ul>
<\/li>

漏洞触发条件<\/strong>：<\/p>

先让所有pipe_buffer的PIPE_BUF_FLAG_CAN_MERGE<\/code>被置位<\/li>
调用splice让pipe_buffer指向目标文件的page cache<\/li>
再向pipe写入数据会直接修改page cache里的内容<\/li>
<\/ul>
<\/li>
<\/ol>
4. 关键代码分析<\/h2>
4.1 pipe_write函数<\/h3>
static<\/span> ssize_t pipe_write<\/span>(struct<\/span> kiocb *<\/span>iocb, struct<\/span> iov_iter *<\/span>from) {
<\/span><\/span>    \/\/ ...省略...
<\/span><\/span><\/span><\/span>    if<\/span> (chars &&<\/span> !<\/span>was_empty) {
<\/span><\/span>        struct<\/span> pipe_buffer *<\/span>buf =<\/span> &<\/span>pipe-><\/span>bufs[(head -<\/span> 1<\/span>) &<\/span> mask];
<\/span><\/span>        if<\/span> ((buf-><\/span>flags &<\/span> PIPE_BUF_FLAG_CAN_MERGE) &&<\/span> 
<\/span><\/span>            offset +<\/span> chars <=<\/span> PAGE_SIZE) {
<\/span><\/span>            \/\/ 如果CAN_MERGE被置位，会在现有page中追加数据
<\/span><\/span><\/span><\/span>            ret =<\/span> copy_page_from_iter(buf-><\/span>page, offset, chars, from);
<\/span><\/span>            buf-><\/span>len +=<\/span> ret;
<\/span><\/span>            \/\/ ...省略...
<\/span><\/span><\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>    \/\/ ...省略...
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>4.2 copy_page_to_iter_pipe函数<\/h3>
static<\/span> size_t copy_page_to_iter_pipe<\/span>(struct<\/span> page *<\/span>page, size_t offset,
<\/span><\/span>                    size_t bytes, struct<\/span> iov_iter *<\/span>i) {
<\/span><\/span>    struct<\/span> pipe_inode_info *<\/span>pipe =<\/span> i-><\/span>pipe;
<\/span><\/span>    struct<\/span> pipe_buffer *<\/span>buf =<\/span> &<\/span>pipe-><\/span>bufs[i_head &<\/span> p_mask];
<\/span><\/span>    
<\/span><\/span>    buf-><\/span>ops =<\/span> &<\/span>page_cache_pipe_buf_ops;
<\/span><\/span>    get_page(page);
<\/span><\/span>    buf-><\/span>page =<\/span> page;  \/\/ 直接指向page cache
<\/span><\/span><\/span><\/span>    buf-><\/span>offset =<\/span> offset;
<\/span><\/span>    buf-><\/span>len =<\/span> bytes;
<\/span><\/span>    \/\/ 注意：没有初始化flags字段！
<\/span><\/span><\/span><\/span>    \/\/ ...省略...
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>5. 漏洞利用细节<\/h2>
5.1 利用步骤<\/h3>

创建一个pipe但不指定O_DIRECT选项，使buffer的PIPE_BUF_FLAG_CAN_MERGE<\/code>被置位<\/li>
填充pipe的所有缓冲区，确保所有buffer都设置了PIPE_BUF_FLAG_CAN_MERGE<\/code><\/li>
清空pipe，但保留flags设置<\/li>
使用splice将目标文件的page cache引入pipe缓冲区<\/li>
向pipe写入数据，由于PIPE_BUF_FLAG_CAN_MERGE<\/code>仍被设置，数据会直接写入page cache<\/li>
<\/ol>
5.2 持久性分析<\/h3>

修改的是文件的page cache，不是直接修改磁盘内容<\/li>
由于修改的page未被标记为dirty，writeback机制会忽略这些修改<\/li>
重启系统或手动清除缓存(echo 1 > \/proc\/sys\/vm\/drop_caches<\/code>)会恢复原始文件内容<\/li>
sync命令无法将这种修改写回磁盘<\/li>
<\/ul>
6. 漏洞影响范围<\/h2>

影响Linux内核5.8及以上版本<\/li>
允许低权限用户修改只读文件<\/li>
可被用于提权，如修改\/etc\/passwd或setuid程序<\/li>
<\/ul>
7. 防御措施<\/h2>

升级到已修复的内核版本<\/li>
临时缓解：

限制对pipe的访问权限<\/li>
监控可疑的文件修改行为<\/li>
<\/ul>
<\/li>
<\/ol>
8. 相关资源<\/h2>

Linux内核源码：重点关注pipe.c和splice.c<\/li>
官方补丁：检查对splice和pipe flags的处理<\/li>
漏洞验证工具：可参考公开的PoC代码<\/li>
<\/ul>
9. 深入理解建议<\/h2>

阅读Linux内核关于pipe和splice的文档<\/li>
分析page cache和writeback机制<\/li>
研究其他类似的内核漏洞模式<\/li>
实践编写简单的PoC验证漏洞<\/li>
<\/ol>
10. 总结<\/h2>
DirtyPipe漏洞展示了Linux内核中管道机制与零拷贝技术交互时的安全隐患。通过精心构造的pipe操作序列，攻击者可以绕过正常的文件权限检查，直接修改只读文件的内容。理解这一漏洞需要深入掌握Linux内核的内存管理、文件系统和进程通信机制。<\/p>

DirtyPipe漏洞分析与利用教学文档<\/h1>

1. 漏洞概述<\/h2> CVE-2022-0847 (DirtyPipe) 是Linux内核中的一个漏洞，允许低权限用户覆盖任意只读文件的内容，包括setuid文件。该漏洞存在于Linux内核的管道(pipe)机制中，影响5.8及以上版本的Linux内核。<\/p>

2. 漏洞背景知识<\/h2>

4. 关键代码分析<\/h2>

5. 漏洞利用细节<\/h2>

1. 漏洞概述<\/h2>
CVE-2022-0847 (DirtyPipe) 是Linux内核中的一个漏洞，允许低权限用户覆盖任意只读文件的内容，包括setuid文件。该漏洞存在于Linux内核的管道(pipe)机制中，影响5.8及以上版本的Linux内核。<\/p>