Описание
A flaw was found in the way the "flags" member of the new pipe buffer structure was lacking proper initialization in copy_page_to_iter_pipe and push_pipe functions in the Linux kernel and could thus contain stale values. An unprivileged local user could use this flaw to write to pages in the page cache backed by read only files and as such escalate their privileges on the system.
Отчет
Red Hat Product Security is aware of this issue. Updates will be released as they become available. Note that PIPE_BUF_FLAG_CAN_MERGE flag attack vector is not available in Red Hat Enterprise Linux 8 and thus the currently known exploits leveraging this flag do not work. The underlying issue (lack of proper pipe_buffer structure initialization) is still present though and other novel ways leading to successful exploitation cannot be fully ruled out.
Меры по смягчению последствий
Currently there is no mitigation available for this flaw. Customers should update to fixed packages, once they are available.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 6 | kernel | Not affected | ||
| Red Hat Enterprise Linux 7 | kernel | Not affected | ||
| Red Hat Enterprise Linux 7 | kernel-rt | Not affected | ||
| Red Hat Enterprise Linux 9 | kernel | Not affected | ||
| Red Hat Enterprise Linux 9 | kernel-rt | Not affected | ||
| Red Hat Enterprise Linux 8 | kernel-rt | Fixed | RHSA-2022:0819 | 10.03.2022 |
| Red Hat Enterprise Linux 8 | kernel | Fixed | RHSA-2022:0825 | 10.03.2022 |
| Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions | kernel | Fixed | RHSA-2022:0823 | 10.03.2022 |
| Red Hat Enterprise Linux 8.2 Extended Update Support | kernel-rt | Fixed | RHSA-2022:0821 | 10.03.2022 |
| Red Hat Enterprise Linux 8.2 Extended Update Support | kernel | Fixed | RHSA-2022:0820 | 10.03.2022 |
Показывать по
Ссылки на источники
Дополнительная информация
Статус:
EPSS
7.8 High
CVSS3
Связанные уязвимости
A flaw was found in the way the "flags" member of the new pipe buffer structure was lacking proper initialization in copy_page_to_iter_pipe and push_pipe functions in the Linux kernel and could thus contain stale values. An unprivileged local user could use this flaw to write to pages in the page cache backed by read only files and as such escalate their privileges on the system.
A flaw was found in the way the "flags" member of the new pipe buffer structure was lacking proper initialization in copy_page_to_iter_pipe and push_pipe functions in the Linux kernel and could thus contain stale values. An unprivileged local user could use this flaw to write to pages in the page cache backed by read only files and as such escalate their privileges on the system.
A flaw was found in the way the "flags" member of the new pipe buffer ...
ELSA-2022-9213: Unbreakable Enterprise kernel-container security update (IMPORTANT)
EPSS
7.8 High
CVSS3