- Implements the Dirty Pipe primitive: prepare_pipe() fills+drains a
pipe to plant the stale PIPE_BUF_FLAG_CAN_MERGE flag in every
pipe_buffer slot; dirty_pipe_write() splices 1 byte from the target
file at offset-1 (seeding the slot with the file's page) then write()s
the payload, which the buggy kernel merges back into the page cache.
- find_passwd_uid_field() + revert_passwd_page_cache() inlined in the
module. Two-of-two duplication acceptable; extraction into core/host
triggers when a third module needs the same helpers (Phase 1.5).
- dirty_pipe_exploit() resolves current euid via getpwuid, locates the
user's UID field in /etc/passwd, replaces it with same-length zeros
('0000' for a 4-digit UID), then execlp's su <user> -c /bin/sh.
Auto-refuses if detect() reports patched. --no-shell mode plants the
write and returns. Cleanup mode evicts /etc/passwd from page cache.
- _GNU_SOURCE redefine warning fixed: cmdline -D already passes it.
Verified end-to-end on kernel 6.12.86 (patched):
iamroot --scan → dirty_pipe reports OK (patched)
iamroot --exploit dirty_pipe --i-know → refuses cleanly
CI-validation against vulnerable kernel (Ubuntu 20.04 / 5.13) is Phase 4.
CVES.md: dirty_pipe 🔵 → 🟢. ROADMAP.md: Phase 2 marked complete.
leviathan
5a0aef12d0