DirtyPipe (CVE‑2022‑0847) Exploit: Gaining Root on Android

Background

In early March, security researchers disclosed a high‑severity vulnerability in the Android/Linux kernel, CVE‑2022‑0847, nicknamed DirtyPipe because of its similarity to the DirtyCOW bug. The flaw was introduced in the upstream Linux kernel 5.8 and affects all OPPO Android kernel versions, cloud desktops, compilation servers and other Linux‑based systems, with the greatest impact on flagship devices running Android 12 with kernel 5.10.

Vulnerability Analysis

Principle Overview

DirtyPipe allows writing arbitrary data to any readable file, enabling a non‑privileged process to inject code into a root process. The bug occurs when the kernel copies data via splice using a zero‑copy technique: a file page is used as a pipe buffer without initializing the buffer’s flags field. If the PIPE_BUF_FLAG_CAN_MERGE flag is set beforehand, the file page is treated as a normal pipe page and can be overwritten without being marked dirty, so the kernel never writes it back to disk. All subsequent reads of the file see the tampered page, giving “read‑any‑file, write‑any‑file” capability and local privilege escalation.

Patch Analysis

The upstream patch adds proper initialization of buf‑>flags in copy_page_to_iter_pipe(), turning the issue into a classic uninitialized‑variable bug.

Root‑Cause Analysis

The pipe implementation uses a ring buffer of 16 pages (each 4096 bytes). Two pointers, head (write) and tail (read), manage the buffer. pipe_write() writes to the page pointed by head. If the page’s flags field is not initialized, the kernel may treat a file cache page as a writable pipe page, allowing it to be overwritten without being flushed.

Key Functions

pipe_write() : checks if the current page can be merged (PIPE_BUF_FLAG_CAN_MERGE) and either continues writing on the same page or allocates a new one.

splice() : performs zero‑copy by replacing a pipe buffer with a file cache page.

copy_page_to_iter_pipe() : links the file page to the pipe and should set buf‑>flags, which the patch now does.

Exploit Analysis

Typical Linux privilege‑escalation exploits (e.g., DirtyCOW) overwrite su or /etc/passwd, but Android release builds lack su and have SELinux enforcing policies, so those paths are unavailable. Instead, the exploit targets read‑only .so libraries, which are executable and loaded by many processes.

.so File Characteristics

.so files are executable, read‑only, and support splice. Modifying the code segment of a loaded .so instantly affects every process that uses it. By changing the code without altering the first byte of a page or expanding the file, an attacker can control the behavior of any dependent process.

N‑day Exploit Example

The lab discovered a historic vulnerability in a custom service xxxservice. By patching the service’s authentication check in its .so (adding a guard that requires a specific UID), the attacker can bypass the check by overwriting a single instruction (e.g., changing a TBZ to always branch). The byte sequence \x20\xF8\x07\x36 replaces the original instruction at offset 0x75C4, rendering the authentication ineffective.

Exploit Result

After patching the .so, the proof‑of‑concept command runs with root privileges, creating and reading files in /data.

Full‑Root Chain

To obtain complete root, the attacker must also disable SELinux, which requires kernel‑level control. By loading a malicious kernel module (ko) via modprobe triggered from the init process, the attacker can set selinux_state to permissive, then execute a payload that spawns a root shell.

Summary

DirtyPipe’s ability to write to read‑only files enables attackers to hook .so libraries, bypass SELinux checks, and achieve root on Android devices. The vulnerability is a logical kernel bug, not mitigated by traditional memory‑corruption defenses, and highlights the need for runtime integrity protection of critical files.