Linux distros patch 'Dirty Pipe' make-me-root kernel bug

A Linux local privilege escalation flaw dubbed Dirty Pipe has been discovered and disclosed along with proof-of-concept exploit code. The flaw, CVE-2022-0847, was introduced in kernel version 5.8 and fixed in versions 5.16.11, 5.15.25, and 5.10.102. It can be exploited by a normal logged-in user or a rogue running program to …

  1. Anonymous Coward
    Anonymous Coward

    All hands on deck!

    "certain user accounts on or before 2019," which were used for staff training and had been inadvertently made public in a GitHub repository ...

    So best practice ought to be completely made-up information. Nothing real to lose.

    Second best practice ought to be using your company's employee information. Everything to lose, in case of stupidity.

    .

    Hmm, "dog-fooding" is using own pre-release code, before availability generally, to ensure quality. What's the equivalent term here? Using your own identification information in test data, that should never be made available, and to ensure security. "guillotine trimmer loading?"

    1. bombastic bob Silver badge
      Devil

      Re: All hands on deck!

      (I have to wonder if MY details were ever disclosed...)

      A term for insecurely using/disclosing unsanitized real data for testing things...

      a) Deja Fu

      b) Dumpster-Data

      c) Pre-owned info (or maybe Pre-pwned)

      d) Data Slutting (not to be confused with Data Whoring)

      e) Barf-bagging

      eh, maybe Data Slutting works the best.

  2. Greybearded old scrote Silver badge
    FAIL

    Example

    Do you have an example of that kernel bug that might actually be plausible?

    Passwords haven't been stored in /etc/passwd for about 25 years, to protect them from this sort of attack. They are in /etc/shadow, which is only readable by root.

    1. diodesign (Written by Reg staff) Silver badge

      Re: Example

      If you overwrite an entry in /etc/passwd so that the password field is blank, no password is needed. (If there's an x, use the shadow file.)

      So, just blank out root's password entry with the DirtyPipe overwrite and everyone can get root.

      PS: Another example would be to pick a root-owned setuid binary and overwrite it so that it simply spawns a root shell, and then restore the binary to normal.

      C.
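A check for the kind of /etc/passwd tampering described in the comment above, added here as an example; it is not code from the article or from anyone in this thread. It parses passwd(5)-format lines (the sample data is constructed) and flags entries whose password field is empty, plus any uid-0 entry whose field is not the `x` placeholder that defers to /etc/shadow. Because /etc/passwd is world-readable, the check needs no privileges, which makes it usable from a monitoring agent or a quick triage shell. One caveat: whether an empty field really permits a login depends on the PAM configuration (pam_unix refuses empty passwords unless `nullok` is set), so treat a hit as evidence of tampering to investigate, not as proof of a working login.

```python
"""Audit passwd-format data for entries that bypass the shadow file.

Added example (not from the article or the comment thread).  The sample
passwd data below is constructed for the example.
"""
import sys
from dataclasses import dataclass
from typing import List


@dataclass
class PasswdEntry:
    name: str
    password_field: str
    uid: int

    @property
    def mode(self) -> str:
        """Classify the password field the way login(1)/pam_unix reads it."""
        if self.password_field == "x":
            return "shadow"        # hash lives in root-only /etc/shadow
        if self.password_field == "":
            return "empty"         # no hash at all: the case the comment describes
        if self.password_field[0] in "!*":
            return "locked"        # conventional lock markers
        return "inline-hash"       # pre-shadow style: hash kept in passwd itself


def parse_passwd(text: str) -> List[PasswdEntry]:
    """Parse passwd(5) lines: name:password:uid:gid:gecos:home:shell."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        entries.append(PasswdEntry(name=fields[0], password_field=fields[1], uid=int(fields[2])))
    return entries


def suspicious_entries(entries: List[PasswdEntry]) -> List[str]:
    """Names of accounts with an empty password field, plus any uid-0
    account that does not defer to the shadow file."""
    hits = []
    for e in entries:
        if e.mode == "empty" or (e.uid == 0 and e.mode != "shadow"):
            hits.append(e.name)
    return hits


# Constructed sample: a clean file, and the same file after root's
# password field has been blanked (the overwrite the comment describes).
SAMPLE_CLEAN = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
SAMPLE_TAMPERED = SAMPLE_CLEAN.replace("root:x:0:0", "root::0:0", 1)


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/passwd"
    with open(path, encoding="utf-8") as fh:
        hits = suspicious_entries(parse_passwd(fh.read()))
    for name in hits:
        print(f"SUSPICIOUS: {name}")
    sys.exit(1 if hits else 0)
```

Run it as `python3 audit_passwd.py /etc/passwd` (the file name is an assumption); a non-zero exit means at least one entry was flagged. The uid-0 rule also catches a second root-equivalent account with an inline hash, which is a common follow-on to this kind of overwrite.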

      1. Greybearded old scrote Silver badge

        Re: Example

        OK, I'd forgotten about the x. Guess they didn't fix it properly all those years ago.

        Thank you for putting me right.

  3. sabroni Silver badge
    WTF?

    Linux Bias?

    How big would the article be for a Windows vuln that let any fucker get admin privileges? Would that be a couple of paragraphs in a round up article?

    The arsTechnica article claims millions of android devices will be affected.

    C'mon El reg, there was a time when you weren't afraid to put the boot into ANY OS, even Linux. Are you really that frightened of a load of pissy comments?

    Step the fuck up. This is a dangerous vuln that's out in the wild on millions of devices. The fact there's a new kernel doesn't mean Android devices will get updated to it.

    1. diodesign (Written by Reg staff) Silver badge

      Re: Linux Bias?

      "How big would the article be for a Windows vuln that let any fucker get admin privileges?"

      For a Windows vuln for which patches are already out? Typically a few sentences: there are EoP holes in every Windows Patch Tuesday.

      If we write a whole article about an EoP it's usually because a patch isn't out yet (it's a zero day) or it's being actively exploited or that the bug is particularly interesting, or that someone on the team was at a loose end and had enough time and material to write a whole article.

      "C'mon El reg, there was a time when you weren't afraid to put the boot into ANY OS, even Linux. Are you really that frightened of a load of pissy comments?"

      No. We often assign stories based on how much time and scribes we've got available. For Dirty Pipe, we wanted to get it out as soon as possible as the next lead item on the weekly roundup.

      In fact think of it as a Dirty Pipe story with bonus material, as the DP section is quite a lot more than a couple of paragraphs.

      We'll look at the Android angle next (it's also mentioned in the article).

      Good news is that we've hired two writers this month to cover security, so expect more security stories sooner rather than later.

      "Step the fuck up."

      Sigh, why this angry?

      C.

      1. Anonymous Coward
        Anonymous Coward

        Re: Linux Bias?

        "Good news is that we've hired two writers this month to cover security, so expect more security stories sooner rather than later."

        Great! Looking forward!

      2. Anonymous Coward
        Facepalm

        Re: Linux Bias?

        It is the way of the world (or, at least, ElReg).

        Penguins, Microsofties, and Sheeple all think their OS is the best and is suited for all use cases.

        Any flaw in one OS will be jumped on as proof.

        What is ignored is that all OSes have had flaws in the past and will have flaws in the future.

        1. jake Silver badge

          Re: Linux Bias?

          All hardware sucks, all software sucks, all languages suck, all text editors suck[0], and all OSes suck. And of course let's not forget the fanbois/fangrrls, who suck in all kinds of spectacular ways.

          [0] Except vi, of course ... the One True Editor.

          1. swm

            Re: Linux Bias?

            "Except vi, of course ... the One True Editor."

            You must mean ed as vi is a thin veneer over ed.

            1. jake Silver badge

              Re: Linux Bias?

              No, I mean vi ... ed is just the core, Bill's contributions are what makes vi vi.

      3. jake Silver badge

        Re: Linux Bias?

        "Sigh, why this angry?"

        Have you honestly never run across sabroni, Chris? It's always angry ... usually to the point of dropping all pretense of logic. Which is a shame, because in rare bouts of lucidity it is apparently a fairly knowledgeable coder, and technically more than competent.

        1. sabroni Silver badge

          Re: It's always angry

          It's "They're always angry."

          It's rude to refer to people as it, even when you don't know their gender. Use "they" to refer to a single, non-gendered person.

          Language changes and grows as people use it.

          Anyway, I'm not angry, that's just my posting style.

          You tosser!!! ;-P

          1. jake Silver badge
            Pint

            Re: It's always angry

            Whatever. Lighten up. Life's too short to sweat the small stuff.

            Relax, have a homebrew (or other drink of your choice).

            I was going to say something about spitting the hook, but that would have been rude.

    2. Doctor Syntax Silver badge

      Re: Linux Bias?

      "This is a dangerous vuln that's out in the wild on millions of devices. The fact there's a new kernel doesn't mean Android devices will get updated to it."

      That will be the kernel update that arrived last night on my laptop.

      As to Android - I'd like to know a bit more about how to exploit it. I might be able to wrest control of my phone from Google.

    3. Anonymous Coward
      Anonymous Coward

      Re: Linux Bias?

      "The fact there's a new kernel doesn't mean Android devices will get updated to it."

      Are many versions of Android affected? The article states that the bug appeared in linux kernel 5.8. Android is usually based on LTS kernels. Cross-checking with the list of kernels on

      https://source.android.com/devices/architecture/kernel/android-common

      suggests that anything before Android 12 is unaffected, since Android 11 and earlier are based on kernel 5.4 or earlier. There is also an Android 12 kernel which is based on 5.4, so that should be fine too.

      Most of the "never get an update" Android devices out in the wild will have older versions of Android on so should be fine. Most Android 12 devices will be eligible for updates, and I would imagine that will happen pretty soon for devices running Android 12-5.10 (the article notes that there is a fix for 5.10 kernels).
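A small triage helper for the version cross-check the comment above is doing by hand, added here as an example and not code from the article or the thread. It parses a `uname -r` style release string and compares it against the thresholds the article states (introduced in 5.8; fixed in 5.16.11, 5.15.25 and 5.10.102). The sample release strings are constructed. It judges by mainline numbering only: a distribution kernel that backports patches under an old version number cannot be assessed this way, so for those the vendor advisory is the only reliable source.

```python
"""Triage a kernel release string against CVE-2022-0847 by mainline numbering.

Added example, not code from the article or the comment thread.  Thresholds
are the ones the article states.  Sample release strings are constructed.
"""
import platform
import re
import sys
from typing import Tuple

INTRODUCED = (5, 8, 0)
# Stable branch -> first patch release carrying the fix (from the article).
FIRST_FIXED = {(5, 10): 102, (5, 15): 25, (5, 16): 11}


def parse_release(uname_r: str) -> Tuple[int, int, int]:
    """'5.15.24-1-lts' -> (5, 15, 24); a bare '5.8' -> (5, 8, 0)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", uname_r)
    if not m:
        raise ValueError(f"unrecognised kernel release: {uname_r!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def mainline_status(uname_r: str) -> str:
    """Return 'not-affected', 'vulnerable' or 'fixed', judging by the mainline
    version number alone.  Vendor kernels that backport code under an old
    number (the 4.18-based RHEL 8 kernel mentioned in this thread) cannot be
    judged this way; use the distribution advisory for those."""
    version = parse_release(uname_r)
    major, minor, patch = version
    if version < INTRODUCED:
        return "not-affected"
    fixed_from = FIRST_FIXED.get((major, minor))
    if fixed_from is not None:
        return "fixed" if patch >= fixed_from else "vulnerable"
    if (major, minor) > (5, 16):
        # Mainline 5.17 and later carry the fix (it landed during the 5.17
        # cycle); pre-fix 5.17 release candidates are not distinguished here.
        return "fixed"
    # 5.8, 5.9 and 5.11 through 5.14 were end-of-life before the fix and
    # never received a patched stable release.
    return "vulnerable"


if __name__ == "__main__":
    rel = sys.argv[1] if len(sys.argv) > 1 else platform.release()
    print(f"{rel}: {mainline_status(rel)} (mainline numbering only)")
```

Feeding it a RHEL-style string such as `4.18.0-348.el8.x86_64` (a constructed example) returns `not-affected`, which is exactly the wrong answer the thread warns about for backported vendor kernels: for those, the version number is not evidence either way. The same applies to Android vendor kernels, which carry their own patch sets on top of the common kernel branches.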

      1. Altrux

        Re: Linux Bias / Android kernels

        My Samsung A52, running Android 12, still has a 4.19 kernel. I've yet to see a phone running anything newer than 5.4, but I don't doubt that they're out there. Luckily, Samsung is quite good at rolling out monthly Android security updates for all supported phones. Many others are not so lucky.

    4. VoiceOfTruth

      Re: Linux Bias?

      You have to understand that The Register readership, in large part, throw a Nelsonian eye at any fault, bug, defect, security flaw in Linux while they trumpet the same in Windows.

      I have used Linux for about 25 years now. Unfortunately what I have written above is true in my experience. A lot of penguins are utterly blind to any sort of fault in Linux, and are happy to blame anyone and anything else but Linux.

      There was the article about the *stolen* Nvidia certificate here: https://www.theregister.com/2022/03/05/nvidia_stolen_certificate/. One of the posts had the comment 'Linux's reputation is getting trashed because of Nvidia's proprietary drivers.'. Yeah. That's right. A stolen certificate trashes Linux's reputation. What if you are not using Nvidia cards in your Linux box? And why would you use Nvidia when your penguin master has such an anti-Nvidia attitude?

      1. Sloppy Crapmonster

        Re: Linux Bias?

        Penguin master lol.

        Reasonable people can disagree, but Nvidia's license explicitly says "interface with our interface if you want to use our hardware". Linux is about (AFAIK, I'm not a kernel developer) writing drivers directly to the hardware. Those two worldviews can't work with each other.

        I'm leaning towards the Linux worldview. I'm honestly shocked that Nvidia isn't requiring Debian, and Red Hat, and all the other distros out there write their own interface layer.

        That said, I don't actually care one way or another.

      2. jake Silver badge

        Re: Linux Bias?

        I think you'll find that it's not the type or quantity of bugs that people here rail against, rather it's the attitude that Microsoft exhibits towards the concept of bugs in general that people don't approve of.

    5. Fathom

      Re: Linux Bias?

      Calm down Francis. {This paraphrase is a reference to the motion picture, "Stripes."}

      The reason we all hit on Microsoft is that since the 1980's they've been using a formula developed by the automotive industry {Reference will be found in, "Fight Club."} to determine whether or not they will issue a patch. I was working for a major health provider [CHW] at 'Ground Zero' - "DaVinci," when we all started getting pissed off. The temperature of our pissed-off is the only thing that motivated Microsoft to get up off their lazy, unconcerned, condescending 'sofa' to fix their shortcomings. By comparison, we in the Linux community are hyperactive about fixing problems as we encounter them. Apologists for Microsoft, "Need Not Apply."

      1. jake Silver badge

        Re: Linux Bias?

        "the only thing that motivated Microsoft to get up off their lazy, unconcerned, condescending 'sofa' to fix their shortcomings."

        Microsoft has fixed its shortcomings WRT bugs? Really? Post proof or retract.

  4. Anonymous Coward
    Anonymous Coward

    "The flaw, CVE-2022-0847, was introduced in kernel version 5.8 "

    RHEL8 is impacted, and it's using 4.18. Either that bug was part of a backport, or it's been in there for longer than the CVE webpage says.

    1. Altrux

      RH kernels

      Red Hat kernels apparently bear little relation to their headline version number. They backport and tweak an insane amount of stuff, so that kernel is probably no more 4.18 than my hamster's brain firmware is.

      1. jake Silver badge

        Re: RH kernels

        "Red Hat kernels apparently bear little relation to their headline version number. They backport and tweak an insane amount of stuff, so that kernel is probably no more 4.18 than my hamster's brain firmware is."

        Now ask why nobody with a clue uses RedHat kernels.

      2. bazza Silver badge

        Re: RH kernels

        I've never understood why they do it. AFAIK Linux doesn't deprecate features that often, or change its system call interface, so what's the appeal of years old kernels?

      3. bazza Silver badge

        Re: RH kernels

        Also, if they're happily back porting bugs such as this, it does beg the question as to what value they're adding in doing so. If the motivation is to stick with a kernel that's tried and true, then surely they should be giving everything they backport a thorough going over to preserve that tried and trueness. Otherwise it is just security theatre.

        Not thorough enough in this case.

  5. Anonymous Coward
    Anonymous Coward

    I wonder if that sound I heard was the wailing and gnashing of teeth from NSO group as another of their Android zero-days is patched.

  6. Anonymous Coward
    Anonymous Coward

    You know, the infighting among the US security agencies for "dibs" on information and power is quite amusing to those of us outside the country... is there _anything_ in America that isn't used as an opportunity for a power grab by _someone_? Is nothing ever done just because it is _necessary_ and good for _society_ instead of the individual?

    1. VoiceOfTruth

      'And so, my fellow Americans: ask not what your country can do for you—ask what you can do for your country'

      And so, my fellow 'mericans: ask not what your country can do for you - ask what you can grab for yourself.

      Alas it seems the USA is seeking a monopoly on knowledge. It seeks control over dissemination of knowledge, over the publication of scientific research, over 'who knows what', and 'who is allowed to know what'.

    2. jake Silver badge

      I'm fairly certain you can substitute the name of any other country in the so-called "developed world" for the US in that paragraph. Security agencies as a whole work that way. It's in their remit, whether written in officially or not.

  7. bazza Silver badge

    Dirty Pipe

    Seems like a fairly trivial mistake with a big consequence. We all know why it happened - resources availability.

    I've not gone to look at the source itself. Anyone know if it would have been spotted by, say, a linter?
