DirtyPipe

Page cache overwrite with pipes flaw in the Linux Kernel (CVE-2022-0847 aka Dirty Pipe)

It was discovered that readable files could be overwritten at the page cache level, either unintentionally or by a malicious actor. That includes files that the process did not have write access to, immutable files, and files on read-only filesystems.

There are no mitigations available, as this involves core kernel code including pipe and splice system calls. A kernel upgrade and reboot is necessary.

The specific vulnerability requires the presence of two kernel commits.

The first commit reutilizes new pipe buffers without clearing their flags. The second commit introduces a flag that allows buffers to be merged.

The first commit is what requires a fix and is present on kernels starting with version 4.9.

The second commit is only present on kernels starting with version 5.8. Users of such kernels must upgrade in order to not be vulnerable to the described attack.

The abuse of different flags could lead to unintended consequences, but as of now, there is no known attack.

Updates

Ubuntu users are recommended to update to the latest kernel. The majority of users should ensure that the following kernel packages are installed:

| Ubuntu Release | Base Kernel | Enablement Kernel |
|----------------|-------------|-------------------|
| 21.10 | linux-image-5.13.0-35-generic 5.13.0-35.40 | N/A |
| 20.04 LTS | N/A | linux-image-5.13.0-35-generic 5.13.0-35.40~20.04.1 |
| 18.04 LTS | N/A | N/A |
| 16.04 ESM | N/A | N/A |
| 14.04 ESM | N/A | N/A |
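
The version ranges described above and the fixed generic kernel package can be turned into a quick host check. The shell function below is an added example, not part of the original advisory; the name `dirtypipe_status` and its status labels are made up here, and it assumes ABI 35 of the 5.13 generic kernel was first published as 5.13.0-35.40.

```shell
#!/bin/sh
# Added example: classify a kernel release string (the format `uname -r` prints)
# using only the version facts stated on this page.
dirtypipe_status() {
    rel=$1
    # "5.13.0-30-generic" -> ver=5.13.0, abi=30, flavour=generic
    ver=${rel%%-*}
    case "$ver" in
        [0-9]*.[0-9]*) ;;
        *) echo unknown; return 0 ;;
    esac
    rest=${rel#"$ver"}; rest=${rest#-}
    abi=${rest%%-*}
    flavour=${rest#"$abi"}; flavour=${flavour#-}
    major=${ver%%.*}
    minor=${ver#*.}; minor=${minor%%.*}
    case "$major.$minor" in
        *[!0-9.]*|*.) echo unknown; return 0 ;;
    esac
    # Older than 4.9: neither commit named on this page is present.
    if [ "$major" -lt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -lt 9 ]; }; then
        echo unaffected; return 0
    fi
    # 4.9 up to 5.7: first commit only; the page reports no known attack.
    if [ "$major" -lt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -lt 8 ]; }; then
        echo no-known-attack; return 0
    fi
    # 5.8 and later: the range in which both commits can be present. The page
    # names a fixed build only for the Ubuntu 5.13 generic kernel: 5.13.0-35.40.
    # Assumption: ABI 35 was first published as 5.13.0-35.40.
    if [ "$ver" = 5.13.0 ] && [ "$flavour" = generic ]; then
        case "$abi" in
            ''|*[!0-9]*) echo check-advisory ;;
            *) if [ "$abi" -ge 35 ]; then echo fixed; else echo vulnerable; fi ;;
        esac
        return 0
    fi
    # Other flavours and versions: the fixed build is not listed on this page.
    echo check-advisory
}

# Check the running kernel: an installed update only takes effect after reboot.
printf '%s: %s\n' "$(uname -r)" "$(dirtypipe_status "$(uname -r)")"
```

Because the function inspects the running kernel rather than the installed packages, a host that has the updated package installed but has not rebooted still reports `vulnerable`.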

Timeline

  • 2022 02 28: Received notification of issue
  • 2022 03 07: Issue became public
  • 2022 03 08: Updated Ubuntu debs became available in USN 5317-1
  • 2022 03 09: Updated Ubuntu cloud images became available

Public Cloud Image updates

  • Amazon AWS: 20220308 or newer
  • Windows Azure: 20220308 or newer
  • Google Compute Engine: 20220308 or newer
  • Ubuntu Core Images: 20220308 or newer

Cloud Images dailies will start appearing within 4 hours of the USN announcement. At the direction of the security team, the Cloud Image Team will start manually releasing new images to the public cloud.

SecurityTeam/KnowledgeBase/DirtyPipe (last edited 2022-03-10 18:26:43 by sbeattie)