DirtyPipe (CVE‑2022‑0847) Vulnerability Analysis and Exploitation on Android/Linux

Background

In early March, security researchers disclosed a high‑severity vulnerability in the Android/Linux kernel identified as CVE‑2022‑0847, nicknamed DirtyPipe . The flaw was introduced in the Linux kernel 5.8 patch series and affects all operating systems that use the Linux kernel, including Android 12 with kernel 5.10. Internal research showed that combining DirtyPipe with exploitation techniques can achieve powerful privilege‑escalation effects.

Vulnerability Analysis

1. Principle Overview

DirtyPipe allows arbitrary writes to any readable file. It exploits the kernel’s zero‑copy splice operation, which reuses a file’s page cache as a pipe buffer without initializing the pipe buffer’s flag field. If the flag is pre‑set to PIPE_BUF_FLAG_CAN_MERGE , the kernel treats the file page as a normal pipe buffer, permitting subsequent writes that corrupt the cached page. Because the kernel does not mark the page as dirty, it is never flushed to disk, and any process reading the file will see the tampered content, enabling “write‑any‑readable‑file” and local privilege escalation.

2. Patch Analysis

The upstream patch adds initialization of buf->flags in copy_page_to_iter_pipe , indicating that the root cause is an uninitialized variable.

3. Root Cause

The pipe implementation uses a circular array of 16 pages (each 4096 bytes). The kernel maintains head and tail pointers. The pipe_write function writes to the page pointed to by head . If buf->flag is not set correctly, the kernel may treat a file‑cache page as a writable pipe page, allowing the attacker to overwrite the cached file content.

Exploitation Analysis

The classic DirtyCOW approach (overwriting su or /etc/passwd ) is not feasible on modern Android devices because they lack su , have a read‑only /etc/passwd , and enforce SELinux policies. Instead, the attack targets shared object ( .so ) files, which are executable and can be spliced.

By modifying the code segment of a loaded .so without altering the first byte of each page, an attacker can change the behavior of any process that loads the library. The article demonstrates bypassing a custom authentication check in xxxservice by patching an ARM64 TBZ instruction to always jump to the success path. The original instruction:

TBZ W0, #0, loc_74C8

is replaced with a TBZ that always evaluates as true, effectively disabling the check.

After patching, a proof‑of‑concept command runs with root privileges, creating and reading files in /data .

Advanced Exploitation Scenarios

The article outlines a multi‑stage attack chain to obtain full root on Android:

Modify a privileged .so (e.g., libxxxservice.so ) to bypass authentication.

Hook libc++.so in the init process, redirecting execution to a custom payload placed in an unused page of the library.

Load a malicious kernel module ( .ko ) via modprobe triggered from the init process.

The kernel module sets the SELinux state to permissive, disabling SELinux enforcement.

Finally, a user‑space payload spawns a root shell.

The chain demonstrates that DirtyPipe can be used to write to read‑only files, inject code into system services, and ultimately compromise the kernel and SELinux.

Conclusion

DirtyPipe provides a novel primitive for writing to read‑only files, enabling a range of attacks such as N‑day exploitation, bypassing conditional checks, and injecting code into init and kernel modules. Traditional kernel mitigations (e.g., CFI, KASLR) are ineffective against this logic‑level flaw. The vulnerability has a broad impact across Linux distributions and Android devices, emphasizing the need for rapid patching and runtime integrity protection for critical files.