“Dirty Pipe” Linux kernel bug lets anyone write to any file
2022-03-08 19:37

Max Kellermann, a coder and security researcher for German content management software creators CM4all, has just published a fascinating report about a Linux kernel bug that was patched recently.

He called the vulnerability Dirty Pipe, because it involves insecure interaction between a true Linux file and a Linux pipe, which is a memory-only data buffer that can be used like a file.

Very greatly simplified, if you have a pipe that you are allowed to write to and a file that you aren't.

He ended up creating a writable Linux pipe to which he could export the all-in-one ZIP archive, and then he'd read from each gzip file in turn, sending them one-by-one into the output pipe, with the needed headers and trailers inserted at the right points.

For extra efficiency, he used the special Linux function splice(), which tells the kernel to read data from a file and write it into a pipe directly from kernel memory, which avoids the overhead of a traditional read()-and-then-write() loop.
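The file-to-pipe transfer described above, as an added Linux-only example that is not taken from the article or from Kellermann's software. The names `SAMPLE`, `make_sample_file` and `splice_file_via_pipe`, and the temporary file path, are assumptions made for the illustration.

```c
#define _GNU_SOURCE   /* splice() is a Linux-specific extension */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
/* Constructed sample data, not taken from the article. */
static const char SAMPLE[] = "constructed sample payload for the splice() demo\n";

/* Hypothetical helper: unlinked temp file holding SAMPLE; returns fd at offset 0, or -1. */
int make_sample_file(void)
{
    char path[] = "/tmp/splice-demo-XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    unlink(path);
    if (write(fd, SAMPLE, sizeof SAMPLE - 1) != (ssize_t)(sizeof SAMPLE - 1) ||
        lseek(fd, 0, SEEK_SET) != 0) { close(fd); return -1; }
    return fd;
}

/* Hypothetical helper: splice() the file into a pipe, then drain the pipe into out.
 * Returns the number of bytes delivered, or -1 on error. */
ssize_t splice_file_via_pipe(int fd, char *out, size_t cap)
{
    int p[2];
    ssize_t total = 0, n = 0, r = 0;
    if (pipe(p) < 0) return -1;
    while ((size_t)total < cap) {
        /* file -> pipe inside the kernel: no user-space buffer is involved */
        n = splice(fd, NULL, p[1], NULL, cap - (size_t)total, 0);
        if (n <= 0) break;                      /* 0 = end of file, <0 = error */
        /* pipe -> caller's buffer: drain exactly what was spliced in */
        for (ssize_t got = 0; got < n; got += r) {
            r = read(p[0], out + total + got, (size_t)(n - got));
            if (r <= 0) { n = -1; break; }
        }
        if (n < 0) break;
        total += n;
    }
    close(p[0]); close(p[1]);
    return n < 0 ? -1 : total;
}

int main(void)
{
    char buf[256];
    int fd = make_sample_file();
    ssize_t n = fd < 0 ? -1 : splice_file_via_pipe(fd, buf, sizeof buf);
    printf("spliced %zd bytes, match=%d\n", n, n > 0 && !memcmp(buf, SAMPLE, (size_t)n));
    return n < 0;
}
```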

Even worse, because the bug is so low-level, it seems it can be used inside a virtualised container, where a running program is not supposed to have write access to anything outside its "sandbox" or "jail", to modify files that would usually be off limits.


News URL

https://nakedsecurity.sophos.com/2022/03/08/dirty-pipe-linux-kernel-bug-lets-anyone-to-write-to-any-file/

Related vendor

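| VENDOR | #/PRODUCTS | LOW | MEDIUM | HIGH | CRITICAL | TOTAL VULNS |
|--------|------------|-----|--------|------|----------|-------------|
| Linux  | 18         | 373 | 1439   | 1138 | 696      | 3646        |
| Kernel | 4          | 2   | 8      | 5    | 0        | 15          |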