Dirty Pipe is one of the most severe vulnerabilities to hit the Linux kernel in several years. The bug lets an unprivileged user overwrite data that is supposed to be read-only, an action that can lead to privilege escalation. The bug was nailed down on February 19, and for Linux flavors like Ubuntu, a patch was written and rolled out to end users in about 17 days. Android is based on Linux, so Google and Android OEMs need to fix the bug, too.
It has been a full month since the Linux desktop rollout, so how is Android doing?
According to the timeline given by Max Kellermann, the researcher who discovered the vulnerability, Google fixed Dirty Pipe in the Android codebase on February 23. But the Android ecosystem is notoriously bad at actually delivering updated code to users. In some sense, Android’s slowness has helped with this vulnerability. The bug was introduced in Linux 5.8, which was released in August 2020. So why didn’t the bug spread far and wide across the Android ecosystem over the last two years?
Android’s Linux support only jumped from 5.4 to 5.10 with the release of Android 12 six months ago, and Android phones typically don’t jump major kernel versions. Only brand new phones get the latest kernel, and they then tend to coast along on minor long-term support updates until they are retired.
The slowness of Android’s kernel rollouts means that only brand-new 2022 handsets are affected by the bug—that means devices on the 5.10 kernel, like the Google Pixel 6, Samsung Galaxy S22, and the OnePlus 10 Pro. The vulnerability has already been turned into a working root exploit for the Pixel 6 and S22.
Dirty Pipe -> kernel r/w+selinux disabled+root shell on Pixel 6 Pro and Samsung S22 latest update 🙂 pic.twitter.com/WwhwjLyU5q
— Fire30 (@Fire30_) March 14, 2022
So where is the patch? It hit the Android codebase on February 23 and then didn’t ship in the March security update. That would have been a fast turnaround time, but the April security update is now out, and Dirty Pipe, CVE-2022-0847, still isn’t anywhere to be found on Google’s security bulletin.
The company hasn’t replied to our (or other publications’) questions on what happened to the patch, but it’s reasonable to expect that the Pixel 6 should have the fix by now. It’s a Google phone with a Google chip running a Google OS, so the company should be able to get the update out the door quickly. Once the fix hit the codebase in late February, many third-party ROMs like GrapheneOS were able to integrate the patch in early March.
It looks like Samsung actually beat Google to releasing the patch, too. Samsung lists a patch for CVE-2022-0847 in its own security bulletin, indicating that the fix is rolling out to the Galaxy S22. Samsung splits vulnerabilities into Android bugs and Samsung bugs, and it says that CVE-2022-0847 is contained in Google’s April Android security bulletin, even though that isn’t true. Either Samsung cherry-picked the patch and didn’t indicate that in its bulletin, or Google pulled the bugfix at the last moment from the Pixel 6.
The Pixel 6 being the last phone to get an update would certainly be on-brand for Google, as the company has continually struggled to get updates for its new flagship out on time. The phone’s December and January patches arrived weeks late, even though speedy updates are supposed to be a major selling point of the Pixel line. Pixel updates should come quickly because Google controls the hardware and software, and with the Pixel 6, the company also started designing its own SoC with the help of Samsung. Google has fewer outside companies to coordinate with than ever, but it still can’t push Android updates as quickly as it should.
The patch hit Android’s source code repository 40 days ago. Now that the bug is public and free for anyone to exploit, it seems like Google should be moving faster to provide the fix.