Date: Thu, 30 Nov 2017 02:32:37 +0200
From: Bindecy <contact@...decy.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2017-1000405: Linux kernel - "Dirty COW" variant on transparent huge pages

Hello,

This is a brief overview of the vulnerability; more details are available in the post referenced in the GitHub link.

==== Summary ====

In the "Dirty COW" vulnerability patch (CVE-2016-5195), can_follow_write_pmd() was changed to take into account the new FOLL_COW flag (8310d48b125d "mm/huge_memory.c: respect FOLL_FORCE/FOLL_COW for thp").

We noticed a problematic use of pmd_mkdirty() in the touch_pmd() function. touch_pmd() can be reached by get_user_pages(), and in that case the pmd (the page-table entry that maps the huge page) is marked dirty even though the access was only a read. This scenario breaks the new can_follow_write_pmd() logic, which relies on the dirty bit as evidence that a COW cycle has already taken place: the pmd can become dirty without going through a COW cycle, which makes writing to read-only transparent huge pages possible.

This bug is not as severe as the original "Dirty COW" because an ext4 file (or any other regular file) cannot be mapped using THP. Nevertheless, it does allow us to overwrite read-only huge pages. For example, the huge zero page and sealed shmem files can be overwritten (since their mappings can be populated using THP). Note that after the first write page-fault to the zero page, it will be replaced with a new, fresh (and zeroed) THP.

Using this primitive, we successfully crashed several processes. A likely consequence of overwriting the huge zero page is having improper initial values inside large BSS sections. A common vulnerable pattern would be using the zero value as an indicator that a global variable hasn't been initialized yet. Potentially, privileged processes using the mentioned pattern are exploitable.

===== POC =====

The POC overwrites the zero page of the system.

POC source on GitHub: https://github.com/bindecy/HugeDirtyCowPOC

===== Affected Versions =====

The POC was tested on Ubuntu 17.04 with kernel 4.10 and Fedora 27 with kernel 4.13.

Every kernel version with THP support and the Dirty COW patch should be vulnerable (2.6.38 - 4.14). The vendor states that RHEL is not affected.

Fixed on Nov 27, 2017: https://github.com/torvalds/linux/commit/a8f97366452ed491d13cf1e44241bc0b5740b1f0

===== Timeline =====

22.11.17 — Initial report to security@...nel.org and linux-distros@...openwall.org
22.11.17 — CVE-2017–1000405 was assigned
27.11.17 — Patch was committed to mainline kernel
29.11.17 — Public announcement

===== Credit =====

Eylon Ben Yaakov and Daniel Shapiro from Bindecy
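The following is an added userspace model of the logic described in the Summary above; it is not kernel code and not part of the Bindecy advisory or POC. It reduces a pmd to three booleans and reproduces the reasoning of can_follow_write_pmd() (writable, or FOLL_FORCE together with FOLL_COW and a dirty pmd) next to two versions of touch_pmd(): the pre-fix one that unconditionally marks the pmd dirty, and one modelled on the fix in commit a8f97366, which only sets the dirty bit for a FOLL_WRITE access. The flag values mirror the kernel's constants but serve only as labels here, and the scenario function is a simplification of the get_user_pages() retry path, assumed for illustration.

```c
/* Added model of the can_follow_write_pmd()/touch_pmd() interaction
 * (illustrative only, not kernel code). */
#include <stdbool.h>
#include <stdio.h>

/* Flag values taken from the kernel headers; only used as labels here. */
enum { FOLL_WRITE = 0x01, FOLL_TOUCH = 0x02, FOLL_FORCE = 0x10, FOLL_COW = 0x4000 };

/* A pmd reduced to the two bits the check cares about. */
struct model_pmd {
    bool write;   /* mapping is writable */
    bool dirty;   /* dirty bit set */
};

/* Same condition as the post-CVE-2016-5195 can_follow_write_pmd():
 * a dirty pmd under FOLL_FORCE|FOLL_COW is taken as proof that the
 * caller already went through a COW cycle. */
static bool can_follow_write_pmd(struct model_pmd pmd, unsigned flags)
{
    return pmd.write ||
           ((flags & FOLL_FORCE) && (flags & FOLL_COW) && pmd.dirty);
}

/* Pre-fix touch_pmd(): dirties the pmd on any FOLL_TOUCH access,
 * including a pure read. */
static void touch_pmd_vulnerable(struct model_pmd *pmd, unsigned flags)
{
    (void)flags;
    pmd->dirty = true;
}

/* touch_pmd() as changed by a8f97366: only a write access may dirty it. */
static void touch_pmd_fixed(struct model_pmd *pmd, unsigned flags)
{
    if (flags & FOLL_WRITE)
        pmd->dirty = true;
}

/* Simplified scenario: a read-only THP mapping (e.g. the huge zero page)
 * is first reached by a read-only get_user_pages() with FOLL_TOUCH, and
 * later by a FOLL_FORCE write retry that carries FOLL_COW. Returns true
 * if the write would be allowed on the original read-only pmd even
 * though no COW ever happened. */
static bool write_allowed_without_cow(void (*touch)(struct model_pmd *, unsigned))
{
    struct model_pmd pmd = { .write = false, .dirty = false };
    touch(&pmd, FOLL_TOUCH);                      /* read-only GUP */
    return can_follow_write_pmd(pmd, FOLL_WRITE | FOLL_FORCE | FOLL_COW);
}

int main(void)
{
    printf("pre-fix touch_pmd : write on read-only THP allowed = %d\n",
           write_allowed_without_cow(touch_pmd_vulnerable));
    printf("fixed touch_pmd   : write on read-only THP allowed = %d\n",
           write_allowed_without_cow(touch_pmd_fixed));
    return 0;
}
```

The model shows the logical flaw rather than the race itself: the dirty bit was meant to distinguish a pmd that already went through a COW cycle from one that did not, and a read-side touch that sets the bit removes that distinction.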
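As a practical check for the consequence described in the Summary (a corrupted huge zero page showing up as non-zero initial contents in fresh anonymous memory), here is an added example that is not part of the advisory or the POC. It maps a 2 MiB-aligned, read-only, private anonymous region, asks for THP with MADV_HUGEPAGE, reads every byte (on a THP-enabled kernel with use_zero_page this populates the mapping with the huge zero page) and counts non-zero bytes. The sysfs path and the 2 MiB huge page size are assumptions for x86-64 Linux; if THP is unavailable the check silently runs over ordinary 4 KiB zero pages.

```c
/* Added check: count non-zero bytes in a freshly mapped, read-only
 * anonymous huge page. On a healthy system the result is 0. */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define HPAGE_SIZE (2UL << 20)   /* assumed: 2 MiB THP on x86-64 */

/* Returns 1/0 for the content of the use_zero_page sysfs knob,
 * or -1 if it cannot be read (path assumed, Linux only). */
long huge_zero_page_enabled(void)
{
    FILE *f = fopen("/sys/kernel/mm/transparent_hugepage/use_zero_page", "r");
    if (!f)
        return -1;
    int v = -1;
    if (fscanf(f, "%d", &v) != 1)
        v = -1;
    fclose(f);
    return v;
}

/* Returns -1 if the mapping fails, otherwise the number of non-zero
 * bytes observed in one freshly faulted-in, read-only huge page. */
long count_nonzero_in_fresh_hugepage(void)
{
    size_t len = 2 * HPAGE_SIZE;  /* room to carve out an aligned 2 MiB */
    unsigned char *raw = mmap(NULL, len, PROT_READ,
                              MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (raw == MAP_FAILED)
        return -1;

    uintptr_t a = ((uintptr_t)raw + HPAGE_SIZE - 1) & ~(HPAGE_SIZE - 1);
    unsigned char *aligned = (unsigned char *)a;

#ifdef MADV_HUGEPAGE
    /* Advisory only: fails harmlessly when THP is disabled. */
    madvise(aligned, HPAGE_SIZE, MADV_HUGEPAGE);
#endif

    long nonzero = 0;
    for (size_t i = 0; i < HPAGE_SIZE; i++)   /* read faults in the page */
        nonzero += (aligned[i] != 0);

    munmap(raw, len);
    return nonzero;
}

int main(void)
{
    printf("use_zero_page: %ld\n", huge_zero_page_enabled());
    long n = count_nonzero_in_fresh_hugepage();
    if (n < 0) {
        perror("mmap");
        return 1;
    }
    printf("non-zero bytes in fresh huge page: %ld\n", n);
    return n == 0 ? 0 : 2;
}
```

A non-zero count after the POC has been run on a vulnerable kernel is the observable effect the advisory describes; the same read performed before the POC should always return 0. Because the POC's first write fault replaces the corrupted mapping with a fresh zeroed THP in the writing process, the check must be run from a separate process that maps the region read-only.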