The “dirty pipe” vulnerability

Post Syndicated from original https://lwn.net/Articles/887056/

Max Kellermann has disclosed a disconcerting kernel vulnerability:

Two weeks ago, I found a vulnerability in the Linux kernel since
version 5.8 commit f6dd975583bd ("pipe: merge anon_pipe_buf*_ops") due
to uninitialized variables. It enables anybody to write arbitrary
data to arbitrary files, even if the file is O_RDONLY, immutable or on
a MS_RDONLY filesystem. It can be used to inject code into arbitrary
processes.

This vulnerability has been named “dirty pipe”; Kellermann has put up a web page describing it in detail. Updates from distributors are already being released.