
JH7110_VisionFive2_devel: vulnerable to CVE-2022-0847 aka DirtyPipe exploit #93

strlcat opened this issue Mar 27, 2023 · 11 comments

@strlcat

strlcat commented Mar 27, 2023

Hi,
A serious flaw still exists and can affect thousands of VF2's deployed so far.
Dirtypipe is easily exploitable and allows overwriting any file in the filesystem that is not normally writable (permissions check bypass, immutable flag bypass), without touching its ctime field (the change goes completely unnoticed if not audited offline on another trustworthy system); most likely privileges can be raised to root by an exploit available in the wild.
I tested last HEAD from JH7110_VisionFive2_devel on a real VF2 and it works - I can overwrite instructions in /bin/ls for example at my will.
Please see https://dirtypipe.cm4all.com/ for further details.
Patch closing this "backdoor": https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/patch/?id=9d2231c5d74e13b2a0546fee6737ee4446017903
I've sent PR #92
Thanks.
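
An added example for auditing a deployed board against the issue above (not code from this thread, the StarFive tree or the MichaIng fork): it screens a `uname -r` style release string against the upstream stable releases that shipped the fix (5.16.11, 5.15.25, 5.10.102, with the bug introduced in 5.8; these boundaries come from the kernel release history, not from the thread) and, because vendor kernels often backport fixes without bumping the version, also looks for the fix commit in `git log --oneline` output by the hash given in the issue or by its upstream subject line (the subject is from the upstream commit, not from the page). The sample log listings are constructed.

```python
"""Screen a kernel release string and git history for the CVE-2022-0847 (Dirty Pipe) fix.

Added example; not code from the issue, the StarFive tree or the MichaIng fork.
Version boundaries are the upstream stable releases that shipped the fix
(5.16.11, 5.15.25, 5.10.102; bug introduced in 5.8) from the kernel release
history, not from the thread. The fix commit subject is from the upstream
commit referenced in the issue.
"""
import platform
import re
from typing import Iterable, Optional, Tuple

Version = Tuple[int, int, int]

# Inclusive start and exclusive end of each affected range; anything at or
# above 5.17 contains the fix from the start.
AFFECTED_RANGES = (
    ((5, 8, 0), (5, 10, 102)),   # 5.8 .. 5.10.101
    ((5, 11, 0), (5, 15, 25)),   # 5.11 .. 5.15.24, which covers the 5.15.0 tree in the thread
    ((5, 16, 0), (5, 16, 11)),   # 5.16 .. 5.16.10
)

# Upstream fix commit id from the thread, and its subject line, which is what a
# cherry-pick or stable backport keeps when the hash changes.
FIX_COMMIT = "9d2231c5d74e13b2a0546fee6737ee4446017903"
FIX_SUBJECT = 'lib/iov_iter: initialize "flags" in new pipe_buffer'


def parse_release(release: str) -> Optional[Version]:
    """Extract major.minor.patch from a `uname -r` style string, e.g. '5.15.0-dirty'."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", release)
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def affected_by_version(release: str) -> Optional[bool]:
    """True if the stated version predates the fix, False if not, None if unparseable."""
    v = parse_release(release)
    if v is None:
        return None
    return any(low <= v < high for low, high in AFFECTED_RANGES)


def fix_in_log(log_lines: Iterable[str]) -> bool:
    """Look for the fix in `git log --oneline` output by abbreviated hash or by subject."""
    for line in log_lines:
        sha, _, subject = line.strip().partition(" ")
        if len(sha) >= 7 and FIX_COMMIT.startswith(sha):
            return True
        if subject.strip() == FIX_SUBJECT:
            return True
    return False


def classify(release: str, log_lines: Iterable[str]) -> str:
    """Combine both screens into a verdict for an audit report."""
    by_version = affected_by_version(release)
    if by_version is None:
        return "unknown: cannot parse release string"
    if not by_version:
        return "fixed: release is at or past the upstream fix"
    if fix_in_log(log_lines):
        return "likely fixed: old version number but fix commit present in history"
    return "vulnerable: pre-fix version and fix commit not found in history"


# Constructed sample `git log --oneline` output, not a real listing of the StarFive tree.
SAMPLE_LOG_PATCHED = [
    "a1b2c3d riscv: starfive: enable JH7110 clock driver",
    '9d2231c lib/iov_iter: initialize "flags" in new pipe_buffer',
    "d4e5f6a Linux 5.15.0",
]
SAMPLE_LOG_UNPATCHED = [
    "a1b2c3d riscv: starfive: enable JH7110 clock driver",
    "d4e5f6a Linux 5.15.0",
]

if __name__ == "__main__":
    print("5.15.0 (tree from the thread):", classify("5.15.0", SAMPLE_LOG_UNPATCHED))
    print("5.15.0 + backported fix:", classify("5.15.0", SAMPLE_LOG_PATCHED))
    print("5.15.105-dietpi (constructed):", classify("5.15.105-dietpi", []))
    # Without a log the running host is judged by version only, so a backport
    # would still be reported as vulnerable here.
    print("this host:", classify(platform.release(), []))
```

On a board, feed `classify()` the output of `uname -r` and of `git log --oneline` from the kernel tree it was built from; a version-only verdict of "vulnerable" on a vendor kernel should be confirmed against the tree's history before being reported.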

@strlcat
Author

strlcat commented Mar 27, 2023

I guess 5.15.0 is quite old as of today and there can be more bugs like this floating around, maybe a successful rebase to last 5.10.x longterm is possible as well?

@michaellass
Contributor

> I guess 5.15.0 is quite old as of today and there can be more bugs like this floating around, maybe a successful rebase to last 5.10.x longterm is possible as well?

No need to go back to 5.10. 5.15 is under longterm support as well.

@MichaIng

MichaIng commented Apr 1, 2023

It just needs to be rebased onto latest 5.15.y, which is not that hard. See my fork: https://github.com/MichaIng/linux

@strlcat
Author

strlcat commented Apr 1, 2023

> I guess 5.15.0 is quite old as of today and there can be more bugs like this floating around, maybe a successful rebase to last 5.10.x longterm is possible as well?
>
> No need to go back to 5.10. 5.15 is under longterm support as well.

Sorry, typo. I meant rebase against 5.15 longterm.

@strlcat
Author

strlcat commented Apr 1, 2023

> It just needs to be rebased onto latest 5.15.y, which is not that hard. See my fork: https://github.com/MichaIng/linux

Thanks! I'll switch then :-)

@MichaIng

MichaIng commented Apr 1, 2023

You may have a look and in case use my config: https://github.com/MichaIng/linux/blob/5.15-visionfive2/dietpi_visionfive2_defconfig

```
diff dietpi_visionfive2_defconfig arch/riscv/configs/starfive_visionfive2_defconfig
cp dietpi_visionfive2_defconfig arch/riscv/configs/starfive_visionfive2_defconfig
```

I'm open to feedback about it.

@strlcat
Author

strlcat commented Apr 4, 2023

@MichaIng out of curiosity, how do I rebase? I'm not an expert in git, but I would like to get the same result as you.

@MichaIng

MichaIng commented Apr 4, 2023

```
git remote add mainline https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
git fetch --all # this will take a long time as mainline Linux repo is huge
git rebase mainline/linux-5.15.y
```

You will face a few conflicts which you need to resolve. When you add/checkout my branch, you can have a look at

```
git log --grep='MichaIng'
```

I signed off all commits which I needed to resolve conflicts and added a link to the upstream commit which caused the conflict. The way I changed it can then be checked via:

```
git diff COMMITHASH^!
```

I hope you know the workflow to find the conflict in a file between `<<<<<` lines, edit that part the way it should be, `git add FILE`, `git rebase --continue` etc.? Took a while for me when I did something like this the first time 😄.

It could be also done the other way round, to merge from mainline into the current branch instead of rebasing:

```
git merge mainline/linux-5.15.y
```

This preserves the timestamps of the StarFive commits. But I found it somehow nicer to always start with current mainline Linux and put StarFive's commits on top of that, so obsolete/empty commits are skipped automatically, diffs and conflicts always show what StarFive changed based on current upstream etc.

@strlcat
Author

strlcat commented Apr 6, 2023

Sorry to bother you all in this issue, but, dear @MichaIng, I fail to achieve the desired result at `git rebase mainline linux-5.15.y`: `fatal: invalid upstream 'mainline'`.
Can you look into it? Where shall these commands be entered?

`git merge mainline linux-5.15.y` instead of `git rebase mainline linux-5.15.y` says `merge: mainline - not something we can merge`.

My git version is `git version 2.39.2`. My `git remote -v` is:

```
mainline        https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git (fetch)
mainline        https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git (push)
origin  https://github.com/starfive-tech/linux.git (fetch)
origin  https://github.com/starfive-tech/linux.git (push)
```

Thank you for understanding.

@MichaIng

MichaIng commented Apr 6, 2023

Ah sorry, this is the right command:

```
git rebase mainline/linux-5.15.y
```

Since you will run into conflicts: if you are not used to git usage, I think a GitHub issue is not the right place to go through all this in detail. Let's keep this about the general need/question whether StarFive can either rebase their own kernel sources or otherwise cherry-pick the DirtyPipe fix(es). Everything else is probably better discussed on https://forum.rvspace.org/, what do you think?

@strlcat
Author

strlcat commented Apr 6, 2023

@MichaIng Sure, I do agree, let's pick up discussion there, I'm known by @strlcat handle there. I'll create a topic there soon. Let's not mess up bughunting.
